Malware Analysis Report

2025-01-22 20:14

Sample ID 241016-zjfabsvhkm
Target 5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296
SHA256 5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296
Tags
discovery ransomware
score
9/10

Analysis Overview

score
9/10

SHA256

5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296

Threat Level: Likely malicious

The file 5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (3789) files with added filename extension

Renames multiple (5198) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 20:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 20:44

Reported

2024-10-16 20:47

Platform

win7-20240903-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe"

Signatures

Renames multiple (3789) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pl.jar.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckg.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationBuildTasks.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libbluescreen_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libimem_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Windows Sidebar\ja-JP\Sidebar.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\he.pak.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\MANIFEST.MF.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT-3.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Windows Media Player\en-US\wmpnetwk.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jre7\bin\java-rmi.exe.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Australia\Adelaide.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\GMT+12.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Darwin.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libchain_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Funafuti.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcr100.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Windows Journal\it-IT\Journal.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\WMPDMC.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh88.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEXBE.DLL.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\icon.png.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\SpiderSolitaire.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\gadget.xml.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Reunion.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Argentina\Cordoba.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jre7\bin\klist.exe.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Runtime.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\7-Zip\Lang\ca.txt.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe

"C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp

MD5 2f98d2061cbc2ab7f77dcf47a2a1e138
SHA1 3231006ded5766efe0f28087de60b675c7ca4b44
SHA256 f6c283197a056432b3cf280aeb909e23cbf56bad22d0faaf29d52d09e37bedfb
SHA512 2b72b39a32db57c23407b1890a4cb01c9c1f5073082bf83741ce02b018189f2f5f10edd80c6170275bb38eaa539fd9fcacafcba1da25c80198c5147b1ea558eb

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 a9f9820d78f3210348125ea3b9359e76
SHA1 7144f54ad3744102f7afda08e44826e8ca998965
SHA256 92b4807f1f73bcee9dccc84df81e8a2a9a9471974a8b1282f7e1ac37abe699f0
SHA512 91b7f74d511559ee48446f522bb3bf3afe9263cef8e97b37940fb2e1002e16cd231cf6076f3b746431b71680502f8c906984c9ab9f1500078fb6672398810890

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 20:44

Reported

2024-10-16 20:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe"

Signatures

Renames multiple (5198) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\es.pak.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\npjp2.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\SharePointTeamSite.ico.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.tree.dat.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Initialization.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.StackTrace.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscorlib.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sk.pak.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.LEX.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk-1.8\lib\javafx-mx.jar.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\react-native-win32.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javac.exe.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msoianetutil.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OneNote\prnms006.inf.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-localization-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\ucrtbase.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNI.TTF.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Native.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Channels.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.dll.tmp C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe

"C:\Users\Admin\AppData\Local\Temp\5156883e72e3bb3521792f66ff7e9c010c920b95b066696c3089b8984f4fc296.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 27.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp

MD5 1b7fda9800ff88bc92cc67ce6ccf1926
SHA1 097d90dda733aeb6aa02a9fd9e0aa5f9fbf81dca
SHA256 0b292994bc792616fbdfe2f8db03f97fc1713e43716d36f8ff91008957d010c1
SHA512 b3371d186df67dd274fcbb31c7187a75c5036bbaab8be2b81c0b29721baae40c3cdad0c3701fe64adf170ee3d2676db8bdb62658186e807eab89ed481b5c6763

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 87c07048a26d176c0d040528dac562e4
SHA1 3dd00ceaa6ab46fae007968dc2d7b01f86e7997d
SHA256 7c8da7656030776bf20d542807c7df572feca9d6b8f498ae2613219d2304639b
SHA512 138607c78e7bf71885902fe8864ae39e53d2633121bc99704bdd2d0100c4119ddae537ebccb7e36ad44b4ee34cbbb2f7c0f65ef520e4bb479ffa368ed5a3e2b0