Malware Analysis Report

2025-01-22 19:54

Sample ID 241016-z1hf1sshnd
Target 5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9
SHA256 5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9

Threat Level: Likely malicious

The file 5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (4852) files with added filename extension

Renames multiple (1028) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 21:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 21:10

Reported

2024-10-16 21:13

Platform

win7-20241010-en

Max time kernel

149s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe"

Signatures

Renames multiple (1028) files with added filename extension

ransomware

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\System\ado\msador15.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\ja-JP\OmdProject.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\Pipeline.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_rgb.wmv.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Menominee.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pontianak.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DisableUnpublish.xps.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\InstallClose.cab.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\decora-sse.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vevay.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Mahe.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfxrt.jar.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tg.txt.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\System\ado\msadomd.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\ja-JP\WMM2CLIP.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\System\ado\msadomd28.tlb.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Gaza.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkWatson.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\EST.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Internet Explorer\pdmproxy100.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wake.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\ClearFind.mpeg2.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-2.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\handsafe.reg.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\vi.pak.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\7-Zip\Lang\si.txt.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\ExportInvoke.rm.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rio_Branco.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jayapura.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe

"C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 65ad02911097c67dcc62eaf63c0b3823
SHA1 e82efe78e2dccd1455eb3095d288ef9c9da2e91e
SHA256 ed174479a8ac1c39f7b437776abb9d2ef5195f867f35b845db0b5a113afe47ed
SHA512 e0282c665e3bc29f5606b70039cd62cf7cf1672e734260ee7b5288e5054edffe42c3c6f75bcc955c6ae457dd5a4df2df96bf86fdd1ce9cc45e67f627117849f2

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 3a2d64366ade0d709b82751ac22fe07b
SHA1 aa4a94001ba332e8f7de8ef2fd92e2db44ca4aeb
SHA256 b1bad342f99ac5377a78332cd372521d6500930e528d465c6ac3991b2218f719
SHA512 aec3a9f55dc30015b7589170921bf9a7cac69900c60c5a3eb5e24f2055be223a659388a4e9bff85379c09c2a2402450170bc22d86b47950cc02c300213c23d2d

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 21:10

Reported

2024-10-16 21:13

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe"

Signatures

Renames multiple (4852) files with added filename extension

ransomware

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\System\ado\msador28.tlb.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\System\ado\msadox.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationTypes.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationUI.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\management.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\UIAutomationProvider.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClient.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\WWINTL.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Serialization.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Client\msvcp140.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Threading.AccessControl.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11cryptotoken.md.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Primitives.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l2-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationTypes.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\hijrah-config-umalqura.properties.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\dtplugin\npdeployJava1.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\javaw.exe.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\7-Zip\Lang\nl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Forms.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_Grace-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe

"C:\Users\Admin\AppData\Local\Temp\5c32c878d70b7cf190f7a4595ea0713eb05c1eb02b1d883912eb04a8499a4be9.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp

Files

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp

MD5 1202144caae350645b5af84d84a5bd6c
SHA1 37c6baf8169c1046da2a13c8de24d8a64a2a00e6
SHA256 3ce3ba415d638cda66e5f807130d6cc45578302c724025edbd668ab1210c2d4e
SHA512 69224b93875189cbac5b0afd7448824ae1176d3888fd9fb12bb3651a52ab968dc6f2c6e88e175c22185582fcc254ec1b417f41e172a3f3b9c3142139ae5cb81c

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 0a0f67de7391abcbf7f3cfd938409800
SHA1 ff11cb5feb03100cc64e78303fb9ac2370de8d9a
SHA256 bbdfb2079f59ff8ed0a09c79d7f8674148d5ac6bd8c0c2c08b3d0ef207643f19
SHA512 bdfa311f415154063048d6749fa72434e968055c3757c9b34b0c9afa3201aa339b6f690df8695ca2d5e849f0c53de6b1b38d20065d0332a01f9518c7d22b8b3e