Malware Analysis Report

2025-01-22 20:14

Sample ID 241019-ymvczsvgnd
Target f557a3d9dc542d534b5fc525937af92f5278c9d6a6e564fd72ab11e5cc26870bN
SHA256 f557a3d9dc542d534b5fc525937af92f5278c9d6a6e564fd72ab11e5cc26870b
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

f557a3d9dc542d534b5fc525937af92f5278c9d6a6e564fd72ab11e5cc26870b

Threat Level: Likely malicious

The file f557a3d9dc542d534b5fc525937af92f5278c9d6a6e564fd72ab11e5cc26870bN was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (4308) files with added filename extension (behavioral2, win10v2004)

Renames multiple (3269) files with added filename extension (behavioral1, win7)

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

What the two detonations support: a single unsigned PE, mapped at 0x400000 (the traditional 32-bit linker default; both memory dumps cover 0x400000-0x408000, a 32 KiB image), runs as one process with no children, opens HKLM\SYSTEM\ControlSet001\Control\NLS\Language, then creates a "<name>.tmp" beside files under C:\Program Files, C:\MSOCache and C:\$Recycle.Bin and renames thousands of files with an added extension. No network traffic is attributable to the sample in either run. The report does not record the appended extension, a ransom note, or the encryption routine itself, so the ransomware verdict rests on the mass-rename heuristic. The per-file hashes in the Files sections belong to the staged .tmp copies; the sample's own hash is the SHA256 in the header.
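The staging pattern summarised above (one process, hundreds of ".tmp" creations fanning out across Program Files subdirectories within seconds) is what a file-create burst detector catches. The following is an added example for this page, not code from the sandbox or the sample: it runs a per-process sliding window over Sysmon Event ID 11 (FileCreate) style records and alerts when a process crosses a file-count and directory-spread threshold. The thresholds, the protected roots and the event log itself are constructed assumptions, not values taken from the report.

```python
"""Burst detector for the staging pattern this report records: one process
creating many '<name>.tmp' files across many directories under Program Files
within seconds. Added example code for this page, not part of the sandbox
report or the sample. Input records mirror Sysmon Event ID 11 (FileCreate)
fields; the events below are constructed, not taken from the detonation."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath

# Roots the sample wrote into in both detonations (assumption: extend for your estate).
PROTECTED_ROOTS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\msocache\\",
    "c:\\$recycle.bin\\",
)


def is_staging_write(target: str) -> bool:
    """True for a '.tmp' created under one of the protected roots."""
    low = target.lower()
    return low.endswith(".tmp") and low.startswith(PROTECTED_ROOTS)


def detect_bursts(events, window=timedelta(seconds=30), min_files=50, min_dirs=10):
    """events: dicts with UtcTime (ISO 8601), ProcessId, Image, TargetFilename.
    One alert per process whose sliding window reaches min_files '.tmp'
    creations spread over at least min_dirs distinct directories."""
    parsed = sorted(
        ((datetime.fromisoformat(e["UtcTime"]), e) for e in events), key=lambda p: p[0]
    )
    recent = defaultdict(deque)   # pid -> deque of (time, directory)
    alerts, alerted = [], set()
    for t, e in parsed:
        if not is_staging_write(e["TargetFilename"]):
            continue
        pid = e["ProcessId"]
        q = recent[pid]
        q.append((t, ntpath.dirname(e["TargetFilename"].lower())))
        while t - q[0][0] > window:       # drop writes that fell out of the window
            q.popleft()
        dirs = {d for _, d in q}
        if pid not in alerted and len(q) >= min_files and len(dirs) >= min_dirs:
            alerted.add(pid)
            alerts.append({
                "ProcessId": pid,
                "Image": e["Image"],
                "files_in_window": len(q),
                "distinct_dirs": len(dirs),
                "first": q[0][0].isoformat(),
                "last": t.isoformat(),
                # an image running from a user temp dir is the extra signal this sample gives
                "from_user_temp": "\\appdata\\local\\temp\\" in e["Image"].lower(),
            })
    return alerts


def build_sample_events():
    """Constructed log: the sample (pid 2224, as in behavioral1) touching 12
    directories named in the report at 100 ms intervals, interleaved with a
    benign installer writing a handful of .tmp files into one directory."""
    sample = r"C:\Users\Admin\AppData\Local\Temp\f557a3d9dc542d534b5fc525937af92f5278c9d6a6e564fd72ab11e5cc26870bN.exe"
    dirs = [
        r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific",
        r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia",
        r"C:\Program Files\Java\jre7\lib\zi\America",
        r"C:\Program Files\Microsoft Games\Solitaire\de-DE",
        r"C:\Program Files\Microsoft Games\Hearts",
        r"C:\Program Files\DVD Maker\Shared\DvdStyles",
        r"C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy",
        r"C:\Program Files\VideoLAN\VLC",
        r"C:\Program Files\VideoLAN\VLC\plugins\access",
        r"C:\Program Files\Common Files\Microsoft Shared\ink",
        r"C:\Program Files\Mozilla Firefox\uninstall",
        r"C:\Program Files\7-Zip\Lang",
    ]
    t0 = datetime(2024, 10, 19, 19, 55, 0)
    events = []
    for i in range(120):
        events.append({
            "UtcTime": (t0 + timedelta(milliseconds=100 * i)).isoformat(),
            "ProcessId": 2224,
            "Image": sample,
            "TargetFilename": ntpath.join(dirs[i % len(dirs)], f"file{i}.dat.tmp"),
        })
    for i in range(5):   # benign: msiexec staging into a single directory
        events.append({
            "UtcTime": (t0 + timedelta(seconds=1 + i)).isoformat(),
            "ProcessId": 4100,
            "Image": r"C:\Windows\System32\msiexec.exe",
            "TargetFilename": rf"C:\Program Files\ExampleApp\setup{i}.tmp",
        })
    return events


if __name__ == "__main__":
    for a in detect_bursts(build_sample_events()):
        print(a)
```

A count threshold alone misfires on installers, which also write .tmp files but into one directory; the distinct-directory condition is what separates the sample's fan-out (12 directories in the constructed log, far more in the real run) from that. Sysmon has no rename event, so the .tmp creation is both the earlier and the more reliably logged half of this sample's behaviour.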

MITRE ATT&CK

Enterprise Matrix V15, mapped from the signature names in this report:

Discovery | T1614.001 System Location Discovery: System Language Discovery | HKLM\SYSTEM\ControlSet001\Control\NLS\Language opened in both detonations
Impact | T1486 Data Encrypted for Impact | inferred from the ransomware-tagged mass-rename signatures; the report shows the renames and .tmp staging, not the cipher

Analysis: static1

Detonation Overview

Reported

2024-10-19 19:54

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-19 19:54

Reported

2024-10-19 19:56

Platform

win7-20240903-en

Max time kernel

120s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f557a3d9dc542d534b5fc525937af92f5278c9d6a6e564fd72ab11e5cc26870bN.exe"

Signatures

Renames multiple (3269) files with added filename extension

ransomware

Drops file in Program Files directory

Description | Indicator | Process | Target
(Process is C:\Users\Admin\AppData\Local\Temp\f557a3d9dc542d534b5fc525937af92f5278c9d6a6e564fd72ab11e5cc26870bN.exe and Target is N/A on every row; only the Indicator varies)
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue.tmp
File created | C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_widescreen_Thumbnail.bmp.tmp
File created | C:\Program Files\DVD Maker\Shared\Parity.fx.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Colombo.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar.tmp
File created | C:\Program Files\Java\jre7\lib\zi\America\Boise.tmp
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClientsideProviders.dll.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Efate.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar.tmp
File created | C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo.tmp
File created | C:\Program Files\Java\jre7\lib\zi\Asia\Nicosia.tmp
File created | C:\Program Files\Microsoft Games\Hearts\Hearts.exe.tmp
File created | C:\Program Files\VideoLAN\VLC\libvlccore.dll.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar.tmp
File created | C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay.tmp
File created | C:\Program Files\Java\jre7\lib\zi\Australia\Sydney.tmp
File created | C:\Program Files\Java\jre7\lib\zi\Etc\UCT.tmp
File created | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libparam_eq_plugin.dll.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.tmp
File created | C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyDrop32x32.gif.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Noumea.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository_1.1.300.v20131211-1531.jar.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-ui_ja.jar.tmp
File created | C:\Program Files\Java\jre7\lib\zi\Europe\Istanbul.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\PYCC.pf.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Casey.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Stockholm.tmp
File created | C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\chkrzm.exe.mui.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.tmp
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe.tmp
File created | C:\Program Files\Java\jre7\bin\jawt.dll.tmp
File created | C:\Program Files\DVD Maker\ja-JP\OmdProject.dll.mui.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png.tmp
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\manifest.json.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.tmp
File created | C:\Program Files\Java\jre7\bin\javafx-iio.dll.tmp
File created | C:\Program Files\VideoLAN\VLC\plugins\access\libattachment_plugin.dll.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hebron.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo.tmp
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml.tmp
File created | C:\Program Files\Mozilla Firefox\uninstall\uninstall.log.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.tmp
File created | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8.tmp
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.bat.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\boot_zh_CN.jar.tmp
File created | C:\Program Files\Microsoft Games\Solitaire\it-IT\Solitaire.exe.mui.tmp
File created | C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\vlc.mo.tmp
File created | C:\Program Files\7-Zip\Lang\kk.txt.tmp
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings.tmp

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f557a3d9dc542d534b5fc525937af92f5278c9d6a6e564fd72ab11e5cc26870bN.exe | N/A

This key holds the Default and InstallLanguage values (an LCID such as 0409 for en-US). Reading it is a common language or region gate in ransomware, but the report records only the key open, not which value was queried or whether the result changed the sample's behaviour; both the en-US win7 and win10 images proceeded to the mass rename.

Processes

C:\Users\Admin\AppData\Local\Temp\f557a3d9dc542d534b5fc525937af92f5278c9d6a6e564fd72ab11e5cc26870bN.exe

"C:\Users\Admin\AppData\Local\Temp\f557a3d9dc542d534b5fc525937af92f5278c9d6a6e564fd72ab11e5cc26870bN.exe"

Network

N/A

Files

memory/2224-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

MD5 6410ae84344beb2d747e775996cce51b
SHA1 ce0d6768483eb79bcb703dfc4537e90c14c379ce
SHA256 bb453abbfebb25d986d362eab122c43158c2936722491987adbe22364d486eeb
SHA512 c7ef0978e959be440c22cee84289fa8b75cfc649a5602eece11f67c3d2930b9bb66c8d104ae05fa5a445c9af06a555a125d0f276a3c3aa4cd00661790eb7fb93

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 dc72b817773719dab2455117c38d27f9
SHA1 6720d018b00aac38915419fd3ec14d2e5dc67a05
SHA256 10c09c4899b0fe6af2ec7ec6bbaa8997f6b13e7ade7a04e1f590a3ec6918d1ae
SHA512 e31374f9f6bd1cdcd69bf14a13d9a24b4283f6145c5371c521b4cbdaa9788372752a5dffd1346bca3af753608e9c8a4c7c4888adf973beb5bd58946466d01d1a

memory/2224-74-0x0000000000400000-0x0000000000408000-memory.dmp
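The Files section above shows what is left on disk after the run: a ".tmp" beside each staged file, plus the renamed originals. The following is an added example for this page, not code from the report or the sample: an offline triage walk that flags leftover .tmp files and files carrying an appended extension, then uses Shannon entropy to separate encrypted content from plaintext. The inner-extension list, the 7.5 bit threshold and the ".locked" stand-in extension are assumptions; the report does not name the extension the sample appends, and the directory tree is constructed in a temporary folder.

```python
"""Offline triage of a directory tree for the two artefacts this report
records: leftover '<name>.tmp' files and files carrying an appended
extension. Shannon entropy separates encrypted content (near 8 bits per
byte) from plaintext. Added example code for this page, not part of the
sandbox report or the sample; the tree is constructed in a temp directory.
Assumptions: the inner-extension list and the 7.5 bit threshold are mine,
and '.locked' stands in for the appended extension the report does not name."""
import math
import os
import tempfile
from collections import Counter

KNOWN_INNER = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
               ".dll", ".exe", ".mui", ".jar", ".xml", ".mo", ".dat"}
HIGH_ENTROPY = 7.5      # bits per byte; random/encrypted data sits above this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: str) -> dict:
    """Label one file by name shape and content entropy of its first 64 KiB."""
    name = os.path.basename(path)
    stem, ext = os.path.splitext(name)
    inner = os.path.splitext(stem)[1].lower()
    ext = ext.lower()
    if ext == ".tmp":
        kind = "staging-leftover"           # the '<name>.tmp' the sample creates first
    elif inner in KNOWN_INNER and ext not in KNOWN_INNER:
        kind = "appended-extension"         # 'report.docx.<something>'
    else:
        kind = "normal"                     # includes legitimate doubles like .exe.mui
    with open(path, "rb") as fh:
        ent = shannon_entropy(fh.read(65536))
    return {"name": name, "path": path, "kind": kind,
            "entropy": round(ent, 2),
            "likely_encrypted": kind != "normal" and ent >= HIGH_ENTROPY}


def triage(root_dir: str) -> list:
    """Walk the tree and return only the suspicious entries."""
    hits = []
    for d, _, files in os.walk(root_dir):
        for fn in files:
            r = classify(os.path.join(d, fn))
            if r["kind"] != "normal":
                hits.append(r)
    return hits


def build_sample_tree() -> str:
    """Constructed tree: an encrypted victim plus its .tmp, a plaintext backup
    with a harmless appended extension, a legitimate .exe.mui, a plain .txt,
    and an extension-less zoneinfo leftover like the JDK files in the report."""
    root = tempfile.mkdtemp(prefix="triage_")
    plain = b"Quarterly notes: revenue, headcount, roadmap. " * 200
    files = {
        "report.docx.locked": os.urandom(8192),      # stand-in ciphertext
        "report.docx.tmp": os.urandom(4096),
        "readme.txt.bak": plain,
        "notes.txt": plain,
        "Solitaire.exe.mui": plain,
        "GMT+8.tmp": b"zoneinfo placeholder\n" * 20,
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in triage(build_sample_tree()):
        print(hit["kind"], hit["entropy"], hit["likely_encrypted"], hit["path"])
```

Entropy alone is not a verdict: compressed formats such as .docx, .jar and .png already sit near 8 bits per byte, which is why the check is applied only to files whose name shape is suspicious. Extension-less originals such as the JDK zoneinfo files in the table above still leave a flaggable ".tmp" behind but would not be caught by the appended-extension rule once renamed.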

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-19 19:54

Reported

2024-10-19 19:56

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f557a3d9dc542d534b5fc525937af92f5278c9d6a6e564fd72ab11e5cc26870bN.exe"

Signatures

Renames multiple (4308) files with added filename extension

ransomware

Drops file in Program Files directory

Description | Indicator | Process | Target
(Process is C:\Users\Admin\AppData\Local\Temp\f557a3d9dc542d534b5fc525937af92f5278c9d6a6e564fd72ab11e5cc26870bN.exe and Target is N/A on every row; only the Indicator varies)
File created | C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Numerics.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsFormsIntegration.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\UIAutomationProvider.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ppd.xrm-ms.tmp
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp
File created | C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\D3DCompiler_47_cor3.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM.tmp
File created | C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\local_policy.jar.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Extensions.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\ReachFramework.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\jre\lib\net.properties.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dom.md.tmp
File created | C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.tmp
File created | C:\Program Files\7-Zip\Lang\kab.txt.tmp
File created | C:\Program Files\Java\jre-1.8\lib\security\java.policy.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-pl.xrm-ms.tmp
File created | C:\Program Files\Common Files\System\Ole DB\msxactps.dll.tmp
File created | C:\Program Files\Common Files\System\uk-UA\wab32res.dll.mui.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Immutable.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Xaml.resources.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationProvider.resources.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp
File created | C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp
File created | C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat.tmp
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms.tmp
File created | C:\Program Files\Common Files\System\ado\msadox28.tlb.tmp
File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_KMS_Client-ul-oob.xrm-ms.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Configuration.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationCore.resources.dll.tmp
File created | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.tmp
File created | C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp
File created | C:\Program Files\Java\jdk-1.8\lib\ct.sym.tmp
File created | C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.Encoding.dll.tmp
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp
File created | C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office.xrm-ms.tmp

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f557a3d9dc542d534b5fc525937af92f5278c9d6a6e564fd72ab11e5cc26870bN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f557a3d9dc542d534b5fc525937af92f5278c9d6a6e564fd72ab11e5cc26870bN.exe

"C:\Users\Admin\AppData\Local\Temp\f557a3d9dc542d534b5fc525937af92f5278c9d6a6e564fd72ab11e5cc26870bN.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 101.11.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp (5 connections)

All of this is reverse-DNS (PTR) lookups through Google DNS and HTTPS to a Bing CDN host, the background traffic a win10 sandbox image generates on its own: the win7 run recorded no network activity, the process tree shows only the sample with no children, and none of these destinations should be used as an indicator for the sample.

Files

memory/1684-0-0x0000000000400000-0x0000000000408000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

MD5 810003d2eeb587f488f52a0980c14d2e
SHA1 2b53cf9405ec832c57a3340245969cd3e4672380
SHA256 8ad73c8d746b15c0f9f3e4b841115bb96b0fb6cb06569efe79da8bd3711d16f8
SHA512 bf6ebb40a137060b4f5948570dba96544be345e42f106729a048119a93145fba1535d897549a2e725e14ec1d1783372f1171fc5f46bbad9b7e35ea972c602cdb

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 60063a77978ef5c78215e281537a678e
SHA1 1cdd5ac89e94a0e7a201b4df2e7b7e5682e0d7ce
SHA256 9719ac8083b88a19ffaa49f4aa24a8a1812c81481e65a63e2e8cad1001a02001
SHA512 314c660d765a0921e2a6c30632ea51e490af44ab4717accf878650f2edb42cabdf3626f66daef532e45df87007ee4ee08761d75a2a925c7434d44a0d8e3d002f

memory/1684-666-0x0000000000400000-0x0000000000408000-memory.dmp