Malware Analysis Report

2025-01-22 20:16

Sample ID: 241019-3pjfqayall
Target: 8da25bab56c3766e957723d866ca54ec3bedc2c99128bcdae035c80442ef54de (submitted file name; identical to the SHA256)
SHA256: 8da25bab56c3766e957723d866ca54ec3bedc2c99128bcdae035c80442ef54de
Tags: discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

8da25bab56c3766e957723d866ca54ec3bedc2c99128bcdae035c80442ef54de

Threat Level: Likely malicious

The file 8da25bab56c3766e957723d866ca54ec3bedc2c99128bcdae035c80442ef54de was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple files with added filename extension (3734 files in the Windows 7 run, 5029 in the Windows 10 run; the difference reflects the different file populations of the two images)

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK (Enterprise Matrix V15)

Discovery: T1614.001 System Location Discovery: System Language Discovery (the signature of that name fired in both behavioral runs; see the NLS\Language key open below). The "ransomware" tag is derived from the rename-with-added-extension signature and carries no technique ID in this report.

Analysis: static1

Detonation Overview

Reported

2024-10-19 23:41

Signatures

Unsigned PE

No indicator, process or target is recorded for this static signature (Description, Indicator, Process and Target are all N/A).

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 23:41

Reported

2024-10-19 23:43

Platform

win7-20240708-en

Max time kernel

150s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8da25bab56c3766e957723d866ca54ec3bedc2c99128bcdae035c80442ef54de.exe"

Signatures

Renames multiple (3734) files with added filename extension

ransomware

Drops file in Program Files directory

Description: File created (all rows)
Process: C:\Users\Admin\AppData\Local\Temp\8da25bab56c3766e957723d866ca54ec3bedc2c99128bcdae035c80442ef54de.exe (all rows)
Target: N/A (all rows)

Every indicator below is an existing file's path with ".tmp" appended. That is consistent with the sample writing its output beside each victim file and then renaming it, which is the activity counted by the rename signature above; the report shows only the ".tmp" creations, not the final renamed names or the added extension.

Indicator (one created file per line):
C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_wav_plugin.dll.tmp
C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\mshwLatin.dll.mui.tmp
C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yakutsk.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-compat.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_zh_CN.jar.tmp
C:\Program Files\Microsoft Games\Solitaire\ja-JP\Solitaire.exe.mui.tmp
C:\Program Files\Windows Media Player\wmlaunch.exe.tmp
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_docked.png.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\clock.css.tmp
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_zh_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-visual.jar.tmp
C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo.tmp
C:\Program Files\VideoLAN\VLC\lua\http\index.html.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\TipBand.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png.tmp
C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe.tmp
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Linq.dll.tmp
C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png.tmp
C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui.tmp
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\settings.html.tmp
C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp
C:\Program Files (x86)\Common Files\microsoft shared\Help\ITIRCL55.DLL.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png.tmp
C:\Program Files\Windows Mail\it-IT\WinMail.exe.mui.tmp
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\picturePuzzle.js.tmp
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\weather.html.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\South_Georgia.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Cocos.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\config.ini.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\calendar.css.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Ushuaia.tmp
C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe.tmp
C:\Program Files\Java\jre7\lib\zi\America\Argentina\Jujuy.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\ReachFramework.resources.dll.tmp
C:\Program Files\VideoLAN\VLC\lua\http\js\jquery.jstree.js.tmp
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png.tmp
C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp
C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.win32.nl_zh_4.4.0.v20140623020002.jar.tmp
C:\Program Files\Java\jre7\bin\kinit.exe.tmp
C:\Program Files\Microsoft Games\Purble Place\PurblePlace.dll.tmp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\JP2KLib.dll.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\jvm.cfg.tmp
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Gaza.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar.tmp
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar.tmp
C:\Program Files\Mozilla Firefox\xul.dll.sig.tmp
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\UIAutomationTypes.resources.dll.tmp

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\8da25bab56c3766e957723d866ca54ec3bedc2c99128bcdae035c80442ef54de.exe
Target: N/A

This is ATT&CK T1614.001. The NLS\Language key stores the system's install and default language as LCID strings (for example 0409 for en-US), and reading it before encryption is how several ransomware families exclude machines in particular locales; the report records only that the key was opened, not how the sample used the value, so an exclusion list should not be assumed from this alone. HKLM\SYSTEM\CurrentControlSet is a link to one of the ControlSetNNN keys, so host telemetry may record the same access under either name.
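The three behavioral signatures in this run (the rename-with-added-extension count, the ".tmp" drops under Program Files, and the NLS\Language key open) are simple heuristics over the sandbox's file and registry event stream. The script below, added here as an illustration and not the sandbox's own signature code, re-implements them over a constructed event list so the logic can be checked against a host's own file/registry telemetry. The tuple event layout, the ".locked" extension, the benign noise rows and the rename threshold of 3 are assumptions made for the example; the report never states the extension the sample adds or the sandbox's cut-off for "multiple".

```python
"""Re-implementation of the report's three behavioural signatures over a
constructed sandbox event log (added example, not the sandbox's own code)."""
from __future__ import annotations

import ntpath
import re
from collections import Counter, defaultdict

# Process path exactly as it appears in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8da25bab56c3766e957723d866ca54ec3bedc2c99128bcdae035c80442ef54de.exe")

# Constructed events: (kind, process, path) or (kind, process, old_path, new_path).
# The ".locked" extension, the tuple layout and the benign rows are assumptions;
# the report lists only the ".tmp" files the sample created, not the final names.
SAMPLE_EVENTS = [
    ("file_created", SAMPLE, r"C:\Program Files\7-Zip\7-zip.dll.tmp"),
    ("file_renamed", SAMPLE, r"C:\Program Files\7-Zip\7-zip.dll",
     r"C:\Program Files\7-Zip\7-zip.dll.locked"),
    ("file_created", SAMPLE, r"C:\Program Files\7-Zip\Lang\pt.txt.tmp"),
    ("file_renamed", SAMPLE, r"C:\Program Files\7-Zip\Lang\pt.txt",
     r"C:\Program Files\7-Zip\Lang\pt.txt.locked"),
    ("file_renamed", SAMPLE, r"C:\Users\Admin\Documents\report.docx",
     r"C:\Users\Admin\Documents\report.docx.locked"),
    ("key_opened", SAMPLE, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    # Benign noise: a plain rename (name changed, nothing appended) and a temp
    # file created outside Program Files by another process.
    ("file_renamed", r"C:\Windows\explorer.exe", r"C:\Users\Admin\Desktop\new.txt",
     r"C:\Users\Admin\Desktop\notes.txt"),
    ("file_created", r"C:\Program Files\7-Zip\7zFM.exe",
     r"C:\Users\Admin\AppData\Local\Temp\7z.tmp"),
]

PROGRAM_FILES_RE = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.IGNORECASE)
# HKLM\SYSTEM\CurrentControlSet is a link to one of the ControlSetNNN keys, so a
# sandbox or EDR may log either spelling for the same key.
NLS_LANGUAGE_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})"
    r"\\Control\\NLS\\Language$", re.IGNORECASE)

LANG_SIG = "System Location Discovery: System Language Discovery (T1614.001)"
RENAME_SIG = "Renames multiple files with added filename extension"
DROP_SIG = "Drops file in Program Files directory"


def is_added_extension_rename(old_path: str, new_path: str) -> bool:
    """True when new_path is old_path with one extra '.ext' appended, in place.

    'a.docx' -> 'a.docx.locked' counts; 'new.txt' -> 'notes.txt' (name changed
    rather than extended) and moves into another directory do not.
    """
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir.lower() != new_dir.lower():
        return False
    old_name, new_name = old_name.lower(), new_name.lower()
    return new_name.startswith(old_name + ".") and len(new_name) > len(old_name) + 1


def triage(events, rename_threshold: int = 3) -> dict[str, dict]:
    """Return {signature: {process: detail}} for every signature that fires.

    rename_threshold is the assumed meaning of "multiple"; the sandbox's real
    cut-off is not stated in the report.
    """
    renames: Counter = Counter()          # process -> added-extension renames
    drops: defaultdict = defaultdict(list)  # process -> files created under Program Files
    lang_readers: set = set()             # processes that opened NLS\Language
    for event in events:
        kind, proc, path = event[0], event[1], event[2]
        if kind == "file_renamed" and is_added_extension_rename(path, event[3]):
            renames[proc] += 1
        elif kind == "file_created" and PROGRAM_FILES_RE.match(path):
            drops[proc].append(path)
        elif kind == "key_opened" and NLS_LANGUAGE_RE.match(path):
            lang_readers.add(proc)

    hits: dict[str, dict] = {}
    ransom = {p: n for p, n in renames.items() if n >= rename_threshold}
    if ransom:
        hits[RENAME_SIG] = ransom
    if drops:
        hits[DROP_SIG] = dict(drops)
    if lang_readers:
        hits[LANG_SIG] = {p: "NLS\\Language key opened" for p in lang_readers}
    return hits


if __name__ == "__main__":
    for sig, detail in triage(SAMPLE_EVENTS).items():
        print(sig)
        for proc, info in detail.items():
            print(f"  {proc}: {info}")
```

The rename check deliberately requires the new name to be the old name plus one more dotted suffix in the same directory; a benign "save as" that changes the base name or replaces the extension does not count, which is what keeps the Explorer rename in the constructed log out of the tally. The threshold, not the check, is where false positives on bulk-renaming tools such as installers have to be tuned.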

Processes

C:\Users\Admin\AppData\Local\Temp\8da25bab56c3766e957723d866ca54ec3bedc2c99128bcdae035c80442ef54de.exe

"C:\Users\Admin\AppData\Local\Temp\8da25bab56c3766e957723d866ca54ec3bedc2c99128bcdae035c80442ef54de.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

MD5 ee821587b29734404d161a7abc756493
SHA1 27d565998e2e20b0b5ddec1e2c87435be4c71487
SHA256 055d3c101ab1696e65b0b352add87349a1a1c773f859207e011132195cc72cb0
SHA512 43b01ff87c6e5516201b9c4dbfa5c0b92ee7dd29f82923bdb8610516955e5260988df09df3e2295af264a02b85094e3b359ef0359a2947587b58338329d2683c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 c0f93656a0bec3db30e7ee104620ed10
SHA1 3e1196f8f5672b6ea941942ee312445b8abeda8b
SHA256 a2c54cda4410c746edf3198f5557d609f1d99be611e57f650c205de46279f382
SHA512 ca642ffd765084fa6a522ba61a8a0d21f1a2c8001752208bb9e3bd044cea2592e54017ee40194f0edf0f966e7c7d5a7f94bc86714fee11562effd26dc443f66a

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 23:41

Reported

2024-10-19 23:43

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8da25bab56c3766e957723d866ca54ec3bedc2c99128bcdae035c80442ef54de.exe"

Signatures

Renames multiple (5029) files with added filename extension

ransomware

Drops file in Program Files directory

Description: File created (all rows)
Process: C:\Users\Admin\AppData\Local\Temp\8da25bab56c3766e957723d866ca54ec3bedc2c99128bcdae035c80442ef54de.exe (all rows)
Target: N/A (all rows)

Indicator (one created file per line):
C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\notice.txt.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Contracts.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClient.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\ReachFramework.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationProvider.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp
C:\Program Files\Common Files\System\msadc\adcjavas.inc.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\plugin.jar.tmp
C:\Program Files\Java\jre-1.8\bin\jp2ssv.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML.tmp
C:\Program Files\7-Zip\Lang\pt.txt.tmp
C:\Program Files\Common Files\System\ado\msado27.tlb.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.Design.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.DLL.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.DiagnosticSource.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationFramework.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Xaml.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Client\C2R32.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\WindowsBase.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.tmp
C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClientSideProviders.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png.tmp
C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL.tmp
C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.tmp
C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\hive.xsl.tmp
C:\Program Files\Microsoft Office\root\Office16\concrt140.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\WindowsBase.resources.dll.tmp
C:\Program Files\Java\jre-1.8\lib\flavormap.properties.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLL.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\wpfgfx_cor3.dll.tmp
C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md.tmp
C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.tmp
C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Extensions.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemData.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\8da25bab56c3766e957723d866ca54ec3bedc2c99128bcdae035c80442ef54de.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8da25bab56c3766e957723d866ca54ec3bedc2c99128bcdae035c80442ef54de.exe

"C:\Users\Admin\AppData\Local\Temp\8da25bab56c3766e957723d866ca54ec3bedc2c99128bcdae035c80442ef54de.exe"

Network

Country  Destination        Domain / query name             Proto
US       8.8.8.8:53         228.249.119.40.in-addr.arpa     udp
US       8.8.8.8:53         0.159.190.20.in-addr.arpa       udp
US       8.8.8.8:53         13.86.106.20.in-addr.arpa       udp
US       8.8.8.8:53         88.156.103.20.in-addr.arpa      udp
US       8.8.8.8:53         104.219.191.52.in-addr.arpa     udp
US       8.8.8.8:53         212.20.149.52.in-addr.arpa      udp
US       8.8.8.8:53         206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53         0.205.248.87.in-addr.arpa       udp
US       8.8.8.8:53         55.36.223.20.in-addr.arpa       udp
US       8.8.8.8:53         19.229.111.52.in-addr.arpa      udp
US       8.8.8.8:53         tse1.mm.bing.net                udp
US       150.171.28.10:443  tse1.mm.bing.net                tcp
US       150.171.28.10:443  tse1.mm.bing.net                tcp
US       150.171.28.10:443  tse1.mm.bing.net                tcp
US       150.171.28.10:443  tse1.mm.bing.net                tcp
US       150.171.28.10:443  tse1.mm.bing.net                tcp
US       8.8.8.8:53         10.28.171.150.in-addr.arpa      udp

The rows are PTR (reverse-DNS) queries sent to Google public DNS plus TLS connections to tse1.mm.bing.net, which is the pattern of Windows 10 background activity rather than of a sample-controlled command-and-control channel; the Windows 7 run recorded no network traffic at all, and the report attributes none of these flows to the sample's process. None of these destinations should be treated as an indicator of compromise without that attribution.

Files

C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\desktop.ini.tmp

MD5 626ea57dc7f91cba0fa9e6073a5f1bc5
SHA1 7b71314ce1fbcf00cd032af5206b9a3bcdf95ed8
SHA256 9823ce5f9d3259e2e6b2af063e29229f0b69a36c98849da681d7d35c7f16fc29
SHA512 c9ced8e48a53492939587cec0d4e5b3596feaff1b1850128983fef2603bc0fe2a3f7628dcfb3b071870e8c27bb91182fe02bd226e42cb71a6e3b0a695021f228

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 512c8185794a1a00c45dd4e495d68695
SHA1 fb290a49cea86b69520fe5a13b05b3cadba6dab7
SHA256 5d83271108bf612d7ba913936c74c5360525f2df0d938f6bf02aa4a228e395aa
SHA512 ffb0290db36f810bcfd177dd1b1b3cc27306b82f0ca0edfdaccf8cf01ca9aec5ca6894beeccc60152a9dbd374f31bba514dedaf7edf15e4917ce2ccf6e836855