Malware Analysis Report

2025-03-15 08:28

Sample ID 241020-xk5khawerl
Target 11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682
SHA256 11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682
Tags
discovery ransomware
score
9/10

Analysis Overview

score
9/10

SHA256

11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682

Threat Level: Likely malicious

The file 11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (3462) files with added filename extension

Renames multiple (4845) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 18:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 18:55

Reported

2024-10-20 18:58

Platform

win7-20240729-en

Max time kernel

149s

Max time network

24s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe"

Signatures

Renames multiple (3462) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe

"C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

MD5 fa8e29ccf0e3f7cb2449fe731c72d4b8
SHA1 2c08cf97307349c6c8acae0c515c6518472695d7
SHA256 33578d174e3aab3c9a5c32d23b88a5e0b448e85f228fb8e5230f4d856b9c11a9
SHA512 b74196077aae5344738b094b540ad5784cfda6189f092520b2cd70620751c10db9932bad72ac958e019bc6cba016923f06e1d10335415b2c55377e8331788279

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 4236638e07321f358bec88c71505734b
SHA1 f9207c02f5a38639b33a7b8aede4a324d429b49c
SHA256 943a2a7fd2dd8e147d006a7de7ff09c9756523523af37c5ad569d0827bc6a266
SHA512 d629ac72723d1899e070a44f5ffe41f434712b1f5c39a115d8cf5b4c78130034643642a597aeadd0790f8ca0257b349737aa8a1f0a86067c802d8a58f691ea68

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 18:55

Reported

2024-10-20 18:58

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe"

Signatures

Renames multiple (4845) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe

"C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe"

Network

Country Destination Domain Proto

Files

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

MD5 1dea0c3314f0a0744d1a7048b96517c9
SHA1 1c09ef7f7b9d1026e2d91828d1d2a8e58dc6829f
SHA256 4196ec2d62dbd3347774ce9456d46633028ff842262095352ab2e829d53cfaa1
SHA512 24ced676388ca6b569a153c08f9488626f6a7eaa87a885e96549ec11685fa1fa92fa13b0c714a357def5f5e83a1d9ac10f0ace0fadde6916a54b9db7a7ccbae6

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 9b140e431ace22d53e271e34323cf257
SHA1 c3398ffb1120be0829db90192b908b030093d3c3
SHA256 52d02bfdfa66477a5ace1279f37c53c33afa0ec1ca23a303715d7fed9533565b
SHA512 8943a417d02aeb4c1a3a370720b10155e49a0cc3e04b5cb6c0880566437eb94e0a2a95ad2b2ca12f83e98dc2e6c88f166bed9c37f5adf927212e6c25d3ad28f0