Malware Analysis Report

2025-01-22 19:55

Sample ID 241016-yws7aazela
Target 524794ba3a2ccd6127093907221b22c9e5f1a3ed22f9af7ee935d0afb624c631N
SHA256 524794ba3a2ccd6127093907221b22c9e5f1a3ed22f9af7ee935d0afb624c631
Tags
discovery ransomware
score
9/10


Analysis Overview

score
9/10

SHA256

524794ba3a2ccd6127093907221b22c9e5f1a3ed22f9af7ee935d0afb624c631

Threat Level: Likely malicious

The file 524794ba3a2ccd6127093907221b22c9e5f1a3ed22f9af7ee935d0afb624c631N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (3757) files with added filename extension

Renames multiple (5025) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 20:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 20:08

Reported

2024-10-16 20:11

Platform

win7-20240729-en

Max time kernel

150s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\524794ba3a2ccd6127093907221b22c9e5f1a3ed22f9af7ee935d0afb624c631N.exe"

Signatures

Renames multiple (3757) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\524794ba3a2ccd6127093907221b22c9e5f1a3ed22f9af7ee935d0afb624c631N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\524794ba3a2ccd6127093907221b22c9e5f1a3ed22f9af7ee935d0afb624c631N.exe

"C:\Users\Admin\AppData\Local\Temp\524794ba3a2ccd6127093907221b22c9e5f1a3ed22f9af7ee935d0afb624c631N.exe"

Network

N/A

Files

memory/1464-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

MD5 b862a578d7239fc4714f3a302faa7bce
SHA1 16c13e15f11c548927ac5c9e90a17d87f28f5466
SHA256 d831fa5b41438910c5d3a636dc607c794606eb0406cd3e15b73fb9f485b0ce98
SHA512 801714c25ecb9f87150975243957d96283509e753c5894e0beb1a77e0cb6d5dd7a195dc0f2fd73b2004913814b28b52a362866e23dad7d2448f9bb4a89dbdbb9

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 212ddbe06ce2c8a675c2d1048a3eadff
SHA1 0a1b0078f1acbd522ec397e5d60f9018b9945670
SHA256 1f43c275c83fc7863cf33a6cc911a33d36d8cd8c61b3675eefdf427082679ee5
SHA512 b4cb06aecda5214df9591f08e18077bec82d0034add02094b01851ce921e26094a47f7f78d30aa0cfb74887eb3f554871994c9aace0431c7939b5a114747791b

memory/1464-70-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 20:08

Reported

2024-10-16 20:11

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\524794ba3a2ccd6127093907221b22c9e5f1a3ed22f9af7ee935d0afb624c631N.exe"

Signatures

Renames multiple (5025) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\524794ba3a2ccd6127093907221b22c9e5f1a3ed22f9af7ee935d0afb624c631N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\524794ba3a2ccd6127093907221b22c9e5f1a3ed22f9af7ee935d0afb624c631N.exe

"C:\Users\Admin\AppData\Local\Temp\524794ba3a2ccd6127093907221b22c9e5f1a3ed22f9af7ee935d0afb624c631N.exe"

Network


Files

memory/3512-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 a95fbfde6c58f5f4790f05f91ee031d6
SHA1 dc436afe477a3769aee72b34fb2cda2f96a28c50
SHA256 eb9d5018707e1158414b5dd18d7a6537302e665d21ff7a8ba3f9e1944b30daf6
SHA512 79d65f8a419db8d8ccb38b8d03c7bff1587e5d776d97584daab0d0928c9f28e371bca27205fdb2734f323e6d90ca79c81155d136874af903db36995f2768b9f9

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 4825f9c4b07a8a3f7a66fd0f410b766a
SHA1 8918d313362c5bb6c25c2290a302a61b06fbe3d0
SHA256 b7833bd40f93fef0704a9fc646da46ac438be05d581e3f13cd134b1f96e9631b
SHA512 2a1281d9c621c1b2fa95c3688a4c9bb8f6e2a43f5b1258daf6365e1fa6c572c839de75d4fe07b0799292e0bec523541c9905fdf02678b31c297f02720b0cf97e

memory/3512-668-0x0000000000400000-0x0000000000408000-memory.dmp