Malware Analysis Report

2025-01-22 19:56

Sample ID 241016-wm5slstcqe
Target 004e18d2e9c342aa5cd13aa8f981c3cd37d57759fbd5b6a60f5913c3f52e3705
SHA256 004e18d2e9c342aa5cd13aa8f981c3cd37d57759fbd5b6a60f5913c3f52e3705
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

004e18d2e9c342aa5cd13aa8f981c3cd37d57759fbd5b6a60f5913c3f52e3705

Threat Level: Likely malicious

The file 004e18d2e9c342aa5cd13aa8f981c3cd37d57759fbd5b6a60f5913c3f52e3705 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (5029) files with added filename extension

Renames multiple (4072) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 18:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 18:03

Reported

2024-10-16 18:05

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\004e18d2e9c342aa5cd13aa8f981c3cd37d57759fbd5b6a60f5913c3f52e3705.exe"

Signatures

Renames multiple (4072) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\004e18d2e9c342aa5cd13aa8f981c3cd37d57759fbd5b6a60f5913c3f52e3705.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\004e18d2e9c342aa5cd13aa8f981c3cd37d57759fbd5b6a60f5913c3f52e3705.exe

"C:\Users\Admin\AppData\Local\Temp\004e18d2e9c342aa5cd13aa8f981c3cd37d57759fbd5b6a60f5913c3f52e3705.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

MD5 6651668a60208f0f31dcde5ff9ea2be7
SHA1 f7fe0398dbdee3e1587823e48ec8745ad1799e75
SHA256 d6e6911af5f1de920e196bd0928db81e652d3f9453f3e923034f3b6f89f03ced
SHA512 fd5ac9544befec80c1f46b0458a86b3f658bdade8c3dae560639a35183db61020fb780c79ee117c71852aebb827dc828dead1c77f928bd82dd36b73f9b0d287f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 c5b02e8d20e6f2aef421e8790d272aa5
SHA1 1eddd5bbcd2ec59a3801d6afbc0a16dcc0b10d89
SHA256 8485d112087e223708e2ea47935bb042fa800f7a471feae6faf27b4b1c645c57
SHA512 2c297326329eb109706e5432790e8b7738fd87c6957bbeda837a96bdb772b790c933a58392f0bfb643f2a4dc494f53fb81e9ae4069b850762299e343d1dfd090

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 18:03

Reported

2024-10-16 18:05

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\004e18d2e9c342aa5cd13aa8f981c3cd37d57759fbd5b6a60f5913c3f52e3705.exe"

Signatures

Renames multiple (5029) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\004e18d2e9c342aa5cd13aa8f981c3cd37d57759fbd5b6a60f5913c3f52e3705.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\004e18d2e9c342aa5cd13aa8f981c3cd37d57759fbd5b6a60f5913c3f52e3705.exe

"C:\Users\Admin\AppData\Local\Temp\004e18d2e9c342aa5cd13aa8f981c3cd37d57759fbd5b6a60f5913c3f52e3705.exe"

Network

Country Destination Domain Proto

Files

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 c350339a570c643ab3922da08f72dbbc
SHA1 11399b6ff6496c4336f7e06749d0fbf2baf27aa5
SHA256 6f2849cfbb6d0417f3b224dfdfe20112fe236c3d8d1c5675eb3d3db6f1a1562d
SHA512 d5268efb3c1d3247168f5a21e3b228a48fe0747b2968df3e5ca76d20ed5707e88d3f91169cd10e191a5e2baf6267839d16ba275cf94c780c73bfb57c90c08fda

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 c49cad4080f5cbd1f715da1d5bda74ee
SHA1 fc57ea4d86586729b448762bc8ff3ef8fa287709
SHA256 56065e5c9b51554673e97b525535211951881967e04042fd3d40b649b2d8d2a9
SHA512 068e4e65b550292ba6e0abc7ef1f13971f7934e4ccef516969a5827b9965d274ce51ebc28f9400ffb7ab37ef8a95bb4b55e28b32604b7191f15359dda8326ba2