Malware Analysis Report

2025-01-22 19:54

Sample ID 241016-zrw8tawcnr
Target 67427fb698bb1e036aae96af5d72cf03edeff0b08946c48ae47fe4b4f3c9fc90N
SHA256 67427fb698bb1e036aae96af5d72cf03edeff0b08946c48ae47fe4b4f3c9fc90
Tags discovery ransomware
Score 9/10

Analysis Overview

score
9/10

SHA256

67427fb698bb1e036aae96af5d72cf03edeff0b08946c48ae47fe4b4f3c9fc90

Threat Level: Likely malicious

The file 67427fb698bb1e036aae96af5d72cf03edeff0b08946c48ae47fe4b4f3c9fc90N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (4539) files with added filename extension

Renames multiple (3070) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 20:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 20:57

Reported

2024-10-16 20:59

Platform

win7-20240708-en

Max time kernel

120s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67427fb698bb1e036aae96af5d72cf03edeff0b08946c48ae47fe4b4f3c9fc90N.exe"

Signatures

Renames multiple (3070) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\67427fb698bb1e036aae96af5d72cf03edeff0b08946c48ae47fe4b4f3c9fc90N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\67427fb698bb1e036aae96af5d72cf03edeff0b08946c48ae47fe4b4f3c9fc90N.exe

"C:\Users\Admin\AppData\Local\Temp\67427fb698bb1e036aae96af5d72cf03edeff0b08946c48ae47fe4b4f3c9fc90N.exe"

Network

N/A

Files

memory/2292-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp

MD5 83e0614428630c967e99b41c1161a448
SHA1 760ce2d76225453fa8db2d77b98230ff661c3bd4
SHA256 559e27cb52fa8817727a2d3fc733a716c267cd4279db6d914d537bc84837897c
SHA512 837d72a93941976900c28d5cfbdc8cfd3ce3c9b04b726d4d6a76eb6dbcec7d21fbc8f7f652a0fa3cea277cd9f46ced3a2e35361a275de07af90d7ef21ca06bb1

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 9e1f09dff7e3432fb7643c0f24eebc9e
SHA1 23d0e9376a46d5148907c0e1052afc2dcb0756c7
SHA256 a14b7f8d5ae48931b871b48b1c0b8aac9683ee05294a71d51b4102f859fb7347
SHA512 c81ae4fc95aeef958b2c87218c6971d627a3a0479aa9508a1084a8c00ffc07d854c435dd756635f5cf6ec3e942b88d4abe38dfb4bd4312aaf32ab8b7d043ddc5

memory/2292-70-0x0000000000400000-0x0000000000408000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 20:57

Reported

2024-10-16 20:59

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67427fb698bb1e036aae96af5d72cf03edeff0b08946c48ae47fe4b4f3c9fc90N.exe"

Signatures

Renames multiple (4539) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\67427fb698bb1e036aae96af5d72cf03edeff0b08946c48ae47fe4b4f3c9fc90N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\67427fb698bb1e036aae96af5d72cf03edeff0b08946c48ae47fe4b4f3c9fc90N.exe

"C:\Users\Admin\AppData\Local\Temp\67427fb698bb1e036aae96af5d72cf03edeff0b08946c48ae47fe4b4f3c9fc90N.exe"

Network


Files

memory/3336-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 34ca04c95912b1ecb3d42a3790404d69
SHA1 2dc502f79b9820d3ef85af2929494cd77070f5ae
SHA256 5eb2088b0370963c8169c6d6f2f9060a0b101ed2aaa848e34ffddeb2188a8d30
SHA512 411f58bf78d2d29a63ffc599cc897d38c14f1be0d2dbb6ccc2669280764be4a956762d770d302ebfba70c6ef1a7d7c431c4c87505c12ff0dd0464e07fcb7956c

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 c8ef7bde76f2cdc49d78ed1d9f51ce0e
SHA1 618c8e73e4b799b863e169d0c647aed3f64f834c
SHA256 f9f3c68019030bb4e3aba53509700171fc2992073167666a3fb050f7fdfb0add
SHA512 a6f0f631467dc6f06cfb012401463103a60cfc9ac7ffbf51b75e3e7b771fc38de2a1f1566231f46c654e079e421f5fbf68b85ce19c79d8ec54557186b1462d47

memory/3336-784-0x0000000000400000-0x0000000000408000-memory.dmp