Malware Analysis Report

2025-01-22 19:58

Sample ID 241016-xpdbtazgpk
Target 273125c51eafb13b37ccba6beef688f94dd72c3b91b2e74e2409d52273fc22e3N
SHA256 273125c51eafb13b37ccba6beef688f94dd72c3b91b2e74e2409d52273fc22e3
Tags discovery, ransomware
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 9/10
SHA256 273125c51eafb13b37ccba6beef688f94dd72c3b91b2e74e2409d52273fc22e3

Threat Level: Likely malicious

The file 273125c51eafb13b37ccba6beef688f94dd72c3b91b2e74e2409d52273fc22e3N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (2938) files with added filename extension (behavioral1, win7-20240708-en)

Renames multiple (4498) files with added filename extension (behavioral2, win10v2004-20241007-en)

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 19:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 19:01

Reported

2024-10-16 19:03

Platform

win7-20240708-en

Max time kernel

120s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\273125c51eafb13b37ccba6beef688f94dd72c3b91b2e74e2409d52273fc22e3N.exe"

Signatures

Renames multiple (2938) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
Description: File created (all 64 rows)
Process: C:\Users\Admin\AppData\Local\Temp\273125c51eafb13b37ccba6beef688f94dd72c3b91b2e74e2409d52273fc22e3N.exe (all 64 rows)
Target: N/A (all 64 rows)
Indicator:
C:\Program Files\Java\jdk1.7.0_80\LICENSE.tmp
C:\Program Files\Java\jre7\lib\zi\EST.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IpsMigrationPlugin.dll.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-remote.jar.tmp
C:\Program Files\Java\jre7\bin\dtplugin\npdeployJava1.dll.tmp
C:\Program Files\Java\jre7\lib\zi\Pacific\Noumea.tmp
C:\Program Files\DVD Maker\offset.ax.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT.tmp
C:\Program Files\Java\jre7\lib\security\javafx.policy.tmp
C:\Program Files\Java\jre7\lib\zi\Africa\Windhoek.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Design.Resources.dll.tmp
C:\Program Files\Microsoft Games\Purble Place\en-US\PurblePlace.exe.mui.tmp
C:\Program Files\Microsoft Games\Solitaire\desktop.ini.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IO.Log.Resources.dll.tmp
C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo.tmp
C:\Program Files\Internet Explorer\pdm.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\db\NOTICE.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png.tmp
C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\bin\splashscreen.dll.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll.tmp
C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\vlc.mo.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.IdentityModel.Selectors.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\background.png.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml.tmp
C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll.tmp
C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Mozilla Firefox\nssckbi.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_MATTE2_PAL.wmv.tmp
C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belem.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.contexts_1.3.100.v20140407-1019.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\include\jvmticmlr.h.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bogota.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground.wmv.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao.tmp
C:\Program Files\Microsoft Games\Chess\es-ES\Chess.exe.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn.tmp
C:\Program Files\Java\jre7\bin\nio.dll.tmp
C:\Program Files\Java\jre7\lib\deploy\messages_ja.properties.tmp
C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fi.pak.tmp
C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\shvlzm.exe.mui.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar.tmp
C:\Program Files\Java\jre7\lib\zi\America\Managua.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat.tmp
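The two signatures above describe one mechanism: the sandbox counts renames whose new name is the old name plus one extra extension, and the file-creation rows show every write landing beside an installed file as "original name.tmp". The heuristic below is an added example for this report, not the sandbox's own code. It re-implements that count over a list of file events and adds the two checks that separate a mass-encryptor from a backup tool (one dominant added extension, many distinct directories). The event records are constructed: the report gives the rename count and the .tmp creations but not the individual rename pairs, so pairing X with X.tmp is an assumption of the example, as is the threshold of 50 and the process names used for benign noise.

```python
"""Mass-rename heuristic: the idea behind 'Renames multiple (N) files with
added filename extension', re-implemented over a list of file events.
Added example for this report; event records below are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Optional
import ntpath

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\273125c51eafb13b37ccba6beef688f94dd72c3b91b2e74e2409d52273fc22e3N.exe")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class FileEvent:
    op: str                          # "create" or "rename"
    path: str                        # path created, or old path of a rename
    process: str                     # image path of the acting process
    new_path: Optional[str] = None   # rename target


def added_extension(old: str, new: str) -> Optional[str]:
    """Extension appended to `old` to produce `new`, or None.

    NTFS names are case-insensitive, so the prefix test is lower-cased.
    A tail containing a separator is a move, not an added extension."""
    o, n = old.lower(), new.lower()
    if len(n) <= len(o) or not n.startswith(o):
        return None
    tail = new[len(old):]
    if len(tail) < 2 or tail[0] != "." or "\\" in tail or "/" in tail:
        return None
    return tail


@dataclass
class ProcStats:
    renames: int = 0                                # renames with added extension
    exts: Counter = field(default_factory=Counter)  # which extension was added
    dirs: set = field(default_factory=set)          # distinct directories touched
    pf_creates: int = 0                             # creates under Program Files


def analyze(events, threshold: int = 50) -> dict:
    """Per-process statistics plus a verdict; the threshold is an assumption."""
    stats = defaultdict(ProcStats)
    for ev in events:
        s = stats[ev.process]
        if ev.op == "rename" and ev.new_path:
            ext = added_extension(ev.path, ev.new_path)
            if ext:
                s.renames += 1
                s.exts[ext.lower()] += 1
                s.dirs.add(ntpath.dirname(ev.path).lower())
        elif ev.op == "create" and ev.path.lower().startswith(PROGRAM_FILES):
            s.pf_creates += 1
    out = {}
    for proc, s in stats.items():
        top = s.exts.most_common(1)
        out[proc] = {"renames": s.renames,
                     "top_ext": top[0][0] if top else None,
                     "dirs": len(s.dirs),
                     "pf_creates": s.pf_creates,
                     "flag": s.renames >= threshold}
    return out


def constructed_events():
    """Synthetic burst shaped like the report's rows; the originals are invented."""
    evs = []
    for i in range(60):      # originals without an extension, like the zi files
        orig = rf"C:\Program Files\Java\jre7\lib\zi\Zone{i:02d}"
        evs.append(FileEvent("create", orig + ".tmp", SAMPLE))
        evs.append(FileEvent("rename", orig, SAMPLE, orig + ".tmp"))
    for i in range(20):      # originals that already carry an extension
        orig = rf"C:\Program Files\VideoLAN\VLC\locale\l{i}\LC_MESSAGES\vlc.mo"
        evs.append(FileEvent("rename", orig, SAMPLE, orig + ".tmp"))
    # Benign noise: a plain rename, one backup copy, an installer writing a file.
    explorer = r"C:\Windows\explorer.exe"
    evs.append(FileEvent("rename", r"C:\Users\Admin\Documents\draft.docx",
                         explorer, r"C:\Users\Admin\Documents\final.docx"))
    evs.append(FileEvent("rename", r"C:\Users\Admin\Documents\notes.txt",
                         explorer, r"C:\Users\Admin\Documents\notes.txt.bak"))
    evs.append(FileEvent("create", r"C:\Program Files\7-Zip\7-zip.dll",
                         r"C:\Users\Admin\Downloads\7z-setup.exe"))
    return evs


if __name__ == "__main__":
    for proc, row in analyze(constructed_events()).items():
        print("FLAG" if row["flag"] else "    ", ntpath.basename(proc), row)
```

The rename count alone is what the sandbox reports; in a detection pipeline the extra fields matter, because a backup or archiving job also appends extensions but rarely hits dozens of unrelated directories with a single extension within seconds. The same event shape can be fed from Sysmon Event ID 11 (create) and Event ID 2/26-style file records, or from a Windows USN journal walk.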

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\273125c51eafb13b37ccba6beef688f94dd72c3b91b2e74e2409d52273fc22e3N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\273125c51eafb13b37ccba6beef688f94dd72c3b91b2e74e2409d52273fc22e3N.exe

"C:\Users\Admin\AppData\Local\Temp\273125c51eafb13b37ccba6beef688f94dd72c3b91b2e74e2409d52273fc22e3N.exe"

Network

N/A

Files

memory/2644-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

MD5 6fea2b417aa179f6a69c2a2b61efc27b
SHA1 078c8714ff577669d5d9aa5f14ebbf7fb8adb168
SHA256 4a7123f87240d8526b327757383b9723097e60b5655db6a89c52e50ec74ea22b
SHA512 42659e024ae6e8ae86a80982bbffe8ba9f6cf639f9f2236b6d508b1a276a352ed4b1c8473279e7cb2a7a31047bd5008bb1e0e7699532cb35c7b04c3024bb9dee

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 7f0771ebce01e3c6f8c71242b9a6f451
SHA1 d59b280b109ac8eeafb9b08fc0ac486b4fe4b88f
SHA256 db5b0774ec662f503f5b58d3165f44f8b880c90f7cb3754f4d12cd805c046ce3
SHA512 7ae081bf20e648c5d8f46c2839342d13efa67904dd614502ae041d08a161fa4dbf6584b31e9b40de2429bfbcb995d507fbd7b91ea6f39972006cffadf21c0f82

memory/2644-70-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 19:01

Reported

2024-10-16 19:03

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\273125c51eafb13b37ccba6beef688f94dd72c3b91b2e74e2409d52273fc22e3N.exe"

Signatures

Renames multiple (4498) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
Description: File created (all 64 rows)
Process: C:\Users\Admin\AppData\Local\Temp\273125c51eafb13b37ccba6beef688f94dd72c3b91b2e74e2409d52273fc22e3N.exe (all 64 rows)
Target: N/A (all 64 rows)
Indicator:
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Design.resources.dll.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe.tmp
C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.tmp
C:\Program Files\Java\jre-1.8\bin\dcpr.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.Xml.dll.tmp
C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Formats.Tar.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationProvider.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationClientSideProviders.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\GRINTL32.DLL.tmp
C:\Program Files\Java\jdk-1.8\jre\legal\jdk\lcms.md.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-pl.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_elf.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp
C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ink\hwritalm.dat.tmp
C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Core.dll.tmp
C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationTypes.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Xaml.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\System.Windows.Controls.Ribbon.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationCore.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ProviderShared.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\jstat.exe.tmp
C:\Program Files\Java\jre-1.8\lib\management\management.properties.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-sysinfo-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsBase.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsFormsIntegration.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Ping.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\ReachFramework.resources.dll.tmp

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\273125c51eafb13b37ccba6beef688f94dd72c3b91b2e74e2409d52273fc22e3N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\273125c51eafb13b37ccba6beef688f94dd72c3b91b2e74e2409d52273fc22e3N.exe

"C:\Users\Admin\AppData\Local\Temp\273125c51eafb13b37ccba6beef688f94dd72c3b91b2e74e2409d52273fc22e3N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
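Every row in the table above is one of two kinds: a reverse-DNS (PTR) query sent to the sandbox's resolver, or a connection to a Bing endpoint that a stock Windows 10 image contacts on its own. The table does not tie either kind to the sample process, and the Windows 7 run (behavioral1) recorded no network activity at all. The script below is an added example for this report, not the sandbox's output: it sorts such a table into background noise and rows left for review, and reverses each PTR name into the address that was looked up. The noise rules (any in-addr.arpa query on UDP/53, any name under bing.com or bing.net) are this example's own assumptions about a sandbox baseline and should be tuned against a clean detonation; the extra "suspect" row uses a documentation address and is constructed.

```python
"""Sort a sandbox network table into background noise and rows left for
review. Added example for this report; the noise rules are assumptions."""
import re
from collections import Counter

# Rows as printed in the behavioral2 Network table of this report.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""
# Constructed row (documentation address) showing what a 'review' hit looks like.
CONSTRUCTED_SUSPECT = "NL 203.0.113.5:443 203.0.113.5 tcp\n"

ROW_RE = re.compile(r"^(?P<country>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):"
                    r"(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<proto>tcp|udp)$")
# Assumed baseline for a stock Windows 10 image: Bing is contacted by search
# and Spotlight without user action. Tune this list against a clean detonation.
NOISE_DOMAINS = (".bing.com", ".bing.net")


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; skip anything else."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def ptr_to_ip(name):
    """'154.239.44.20.in-addr.arpa' -> '20.44.239.154'; None if not a PTR name."""
    n = name.lower()
    if not n.endswith(".in-addr.arpa"):
        return None
    octets = n[:-len(".in-addr.arpa")].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))


def classify(row):
    name = row["name"].lower()
    if row["proto"] == "udp" and row["port"] == 53 and ptr_to_ip(name):
        return "ptr-lookup"   # the host asking who owns an address it saw
    if name.endswith(NOISE_DOMAINS):
        return "os-noise"
    return "review"


def triage(text):
    rows = parse_rows(text)
    counts, review, looked_up, tcp_peers = Counter(), [], set(), set()
    for r in rows:
        label = classify(r)
        counts[label] += 1
        if label == "ptr-lookup":
            looked_up.add(ptr_to_ip(r["name"]))
        elif label == "review":
            review.append(r)
        if r["proto"] == "tcp":
            tcp_peers.add(r["ip"] + ":" + str(r["port"]))
    return {"rows": len(rows), "counts": dict(counts), "review": review,
            "looked_up": sorted(looked_up), "tcp_peers": sorted(tcp_peers)}


if __name__ == "__main__":
    for label, text in (("report", NETWORK_ROWS),
                        ("report + constructed row", NETWORK_ROWS + CONSTRUCTED_SUSPECT)):
        res = triage(text)
        print(label, res["counts"], "review:", [r["name"] for r in res["review"]])
```

A PTR query for an address means the host resolved that address's name, not that the sample connected to it; the only TCP peer in this table is 150.171.27.10:443, reached under Bing names. When the same table from a clean run of the same image shows the same rows, the sample contributed nothing observable to the network capture within the 108 s window, which is consistent with a locally operating encryptor but is not proof that it never beacons.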

Files

memory/2960-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 222b846dc5777bfe09ef727b04a96870
SHA1 c817bb92674ae0033478ae3fcd1c7a2d4a0116a4
SHA256 84f9f793ea2144581905f576643003e0f58ff9b97c536712f61f5ac72259abd8
SHA512 23c7fe277f42ca896497d8fb430473420409600084b24a3d10a6911b7e4330fb30d8506cd96f682ee28dd91c6ca5bf858e8dcf534056a67a01417ebe6b02d87c

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 a0dec521e029a91d5ab66835e5404eae
SHA1 ae07a81107ec7c3e5841034b9b93eef5f3396880
SHA256 fe30ceed956657a75abb15f045480529205aa8707e48e63772c716d0e7c64bbd
SHA512 021383df6179818e8bd0437ddd72b0c5108d9ecddd6a8c9a956d866365f4c274055ce0161c0a7ca413c44e576381d014ceae7a809255d8f9494ca5c62a1bfc28

memory/2960-666-0x0000000000400000-0x0000000000408000-memory.dmp