Malware Analysis Report

2025-03-15 08:24

Sample ID 241020-xmr27awfqm
Target 11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682
SHA256 11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682

Threat Level: Likely malicious

The file 11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (4738) files with added filename extension (behavioral2, win10v2004-20241007-en)

Renames multiple (3433) files with added filename extension (behavioral1, win7-20240903-en)

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 18:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
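The static signature above only says that the sample carries no Authenticode signature. A check of this kind reads the PE's Attribute Certificate Table entry (data directory index 4, IMAGE_DIRECTORY_ENTRY_SECURITY): a signed binary points it at an embedded PKCS#7 blob, an unsigned one leaves it zeroed. The following is an added example written for this page, not the sandbox's own implementation; the skeletal PE it builds for testing is a constructed header-only blob, not the sample analysed here.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Attribute Certificate Table


def security_directory(pe: bytes) -> tuple:
    """Return (file_offset, size) of the PE's Attribute Certificate Table.

    A signed PE stores its Authenticode PKCS#7 blob in this table. Unlike the
    other data directories, the first field is a raw file offset, not an RVA.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:          # PE32
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:        # PE32+
        num_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    num_dirs = struct.unpack_from("<I", pe, opt + num_dirs_off)[0]
    entry = opt + dirs_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return (0, 0)                                      # directory not present
    return struct.unpack_from("<II", pe, entry)


def is_unsigned(pe: bytes) -> bool:
    """True when the PE embeds no Authenticode blob at all."""
    offset, size = security_directory(pe)
    return offset == 0 or size == 0


def build_skeletal_pe(cert_offset: int = 0, cert_size: int = 0, pe32plus: bool = True) -> bytes:
    """Constructed test input: DOS/PE/optional headers only, no sections, not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew
    magic, num_dirs_off, dirs_off, machine = (
        (0x20B, 108, 112, 0x8664) if pe32plus else (0x10B, 92, 96, 0x14C))
    opt = bytearray(dirs_off + 16 * 8)                     # header + 16 directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, num_dirs_off, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                     cert_offset, cert_size)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0022)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print("unsigned:", is_unsigned(build_skeletal_pe()))
    print("signed-looking:", is_unsigned(build_skeletal_pe(0x600, 0x1234)))
```

A non-empty table is necessary but not sufficient: a self-signed or revoked certificate, or a blob whose hash no longer matches the image, still fills the directory, so a "signed" verdict needs full chain validation (Windows `Get-AuthenticodeSignature` or `signtool verify`), and a valid signature says nothing about intent. For this sample the table is simply absent, which is the cheap, reliable half of the check.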

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 18:58

Reported

2024-10-20 19:02

Platform

win7-20240903-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe"

Signatures

Renames multiple (3433) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Matamoros.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Windows Media Player\en-US\wmpnetwk.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern.png.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Kiev.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\license.html.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Linq.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Windows Journal\Templates\To_Do_List.jtp.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Windows NT\Accessories\WordpadFilter.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Xml.Linq.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jre7\bin\jaas_nt.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Bucharest.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Indian\Kerguelen.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\CsiSoap.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\Bear_Formatted_RGB6_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Seoul.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Design.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Conversion.v3.5.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libx264_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\DVD Maker\Shared\DissolveNoise.png.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-uisupport.jar.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jre7\bin\jp2native.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\shvlzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Thunder_Bay.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Internet Explorer\jsdbgui.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\MANIFEST.MF.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\LICENSE.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port_of_Spain.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe

"C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

MD5 543f9df81f32d8da1666d976e10f2493
SHA1 72e140b636993f79e5545d365b896fae7d55a81c
SHA256 3b57a6ba4913f353e6c13a36e8f06a823f5f9581e1eee2d78cc96483fa7fce39
SHA512 5064c5902944f7bf8bb72b9cf2afd7ec14178ddaa84d0e027440d5f7faef33cdc23125e90a32d56a833acb4894724111e982846789afb683b3ee1b8f7bad41fc

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 0f83283cf6d42faf76b6f76a59e856ec
SHA1 ff53b6c954303618a8d8d069b362b6f41619c672
SHA256 cd0d4b9903a5b31358d730189ab4c860eb12e964df0b88a34ce8a563a69745bd
SHA512 826c760d72ae0c79e02cbd725776ffdc47cdc9d62c698df0f8a80e7ca738ac13a63d8029c818f5f6d5d5e1f07c4fdb95f6b6244f4912b1673ee4ee3a4f5a4bd8

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 18:58

Reported

2024-10-20 19:01

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe"

Signatures

Renames multiple (4738) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\dom.md.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemData.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\LICENSE.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\POWERMAPCLASSIFICATION.DLL.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\7-Zip\Lang\fy.txt.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.dll.sig.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\Office16\OSPP.HTM.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Numerics.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\insertbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.DirectoryServices.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\jce.jar.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Annotations.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHLTS.DLL.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\GRAPH.ICO.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceProcess.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-time-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.DiaSymReader.Native.amd64.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\zipfs.jar.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\gstreamer-lite.dll.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe N/A
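The three behavioural signatures in this section and in behavioral1 (mass file writes under Program Files, a new extension appended to every written name, and the open of the NLS\Language key that maps to T1614.001) can be replayed from the event rows the report prints. The script below is an added example for this page, not the sandbox's own signature engine: it parses rows in the report's "Description Indicator Process Target" layout (assuming, as holds here, that the Process column contains no spaces) and raises the same three verdicts. The sample rows are copied from the tables above with the hash-named executable shortened to sample.exe.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: rows copied from the behavioral1/behavioral2 tables,
# with the sample's hash-named executable shortened to sample.exe.
SAMPLE_ROWS = r"""
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_content-background.png.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\libGLESv2.dll.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\cacerts.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\Program Files\7-Zip\Lang\fy.txt.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
File created C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
"""

# Assumes the Process column carries no spaces, which holds for this report.
ROW_RE = re.compile(r"^(File created|Key opened)\s+(.+?)\s+(\S+\.exe)\s+(\S+)$")


def parse_rows(text: str) -> list:
    """Turn report table rows into event dicts; fail loudly on a row that does not fit."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        op, indicator, process, target = m.groups()
        events.append({"op": op, "indicator": indicator, "process": process, "target": target})
    return events


def added_extension(path: str):
    """'x.png.tmp' -> '.tmp'; None when nothing looks like an original extension underneath."""
    suffixes = PureWindowsPath(path).suffixes
    return suffixes[-1].lower() if len(suffixes) >= 2 else None


def evaluate(events: list, rename_threshold: int = 3) -> dict:
    """Return the signature names this event set triggers, with supporting detail."""
    hits = {}
    created = [e["indicator"] for e in events if e["op"] == "File created"]

    in_program_files = [p for p in created if p.lower().startswith(r"c:\program files")]
    if in_program_files:
        hits["Drops file in Program Files directory"] = {
            "count": len(in_program_files), "example": in_program_files[0]}

    # Many new names that are an existing name plus one more suffix is the
    # "added filename extension" pattern; report the dominant suffix.
    appended = Counter(ext for ext in map(added_extension, created) if ext)
    if appended:
        ext, n = appended.most_common(1)[0]
        if n >= rename_threshold:
            hits["Renames multiple files with added filename extension"] = {
                "count": n, "extension": ext}

    nls_keys = [e["indicator"] for e in events
                if e["op"] == "Key opened"
                and e["indicator"].lower().endswith(r"\control\nls\language")]
    if nls_keys:
        hits["System Location Discovery: System Language Discovery"] = {
            "technique": "T1614.001", "key": nls_keys[0]}
    return hits


if __name__ == "__main__":
    for name, detail in evaluate(parse_rows(SAMPLE_ROWS)).items():
        print(name, detail)
```

The name heuristic is weaker than the sandbox's count, which comes from rename operations the page does not reproduce: a file whose original name had no extension (cacerts becoming cacerts.tmp) is indistinguishable from a genuinely new temporary file by name alone, and the report prints only a subset of the written paths. Treat the 3433 and 4738 figures in the report as the authoritative counts; the value of the replay is in seeing which fields each verdict depends on when writing equivalent EDR or Sysmon logic.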

Processes

C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe

"C:\Users\Admin\AppData\Local\Temp\11e68e50686f8c8fab8117708493fc0189576bdb60c31e9f578e6c2fd6235682.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp
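The Win7 run recorded no network activity at all, and every row in the Win10 table is either a reverse (PTR) lookup or a Bing hostname; none of it is needed for the file writes above. Before any of these rows is promoted to an indicator it should be diffed against a clean detonation of the same image. The script below is an added example for this page, not part of the report: it parses the table, folds PTR names back into the IPs they ask about, separates forward lookups from connections, and subtracts a baseline host set that here is an assumption filled in from the rows themselves and would in practice come from a benign run.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: rows copied from the behavioral2 Network table above,
# in the report's "Country Destination Domain Proto" layout.
SAMPLE_NETWORK = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""

ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(udp|tcp)$")

# Assumed baseline: hostnames a benign sample produces on the same sandbox
# image. Populate it from a clean detonation, not from the rows under test.
BASELINE_HOSTS = {"g.bing.com", "tse1.mm.bing.net"}


def ptr_to_ip(name: str):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58'; None for a forward name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarize(text: str) -> dict:
    """Split the table into reverse lookups, forward lookups and real connections."""
    reverse, forward, connections = set(), set(), Counter()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        _country, dst, port, domain, proto = m.groups()
        if port == "53" and proto == "udp":        # a DNS query, not a peer
            ip = ptr_to_ip(domain)
            if ip:
                reverse.add(ip)
            else:
                forward.add(domain)
        else:
            connections[(dst, int(port), domain, proto)] += 1
    return {
        "reverse_lookups": sorted(reverse, key=ipaddress.IPv4Address),
        "forward_lookups": sorted(forward),
        "connections": dict(connections),
    }


def unexplained_hosts(summary: dict, baseline=BASELINE_HOSTS) -> list:
    """Hostnames looked up or connected to that the baseline does not account for."""
    seen = set(summary["forward_lookups"]) | {c[2] for c in summary["connections"]}
    return sorted(seen - baseline)


if __name__ == "__main__":
    s = summarize(SAMPLE_NETWORK)
    print("PTR targets:", s["reverse_lookups"])
    print("forward:", s["forward_lookups"])
    print("connections:", s["connections"])
    print("unexplained:", unexplained_hosts(s))
```

Reverse lookups deserve a second look only when the queried IP also shows up as a connection peer; here the PTR targets never do, and the only TCP peer is 150.171.27.10:443 under Bing hostnames. With the baseline applied the unexplained set is empty, which matches the report's own picture: the observable impact of this sample is on disk, not on the wire.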

Files

C:\$Recycle.Bin\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini.tmp

MD5 8c7c93b8a867d07b6f98e838eeb26e58
SHA1 89f381f468c976a10bc5dffed4f031a09a720401
SHA256 84520dfdb54c75ac310e819b1ab173fdc43d36e4c2f3457d4b5aa17f7369da5e
SHA512 70ffb48b463ea785c5151aec6119b83119cec2b3158270c672fa509afcfe9ab858155f7fd6c29850b895e911f58f9a5fd5be9b30e443d889158f23c7cc1c4468

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 855de519365d18b43a31c0ac171abb12
SHA1 52c8e13a8850c5a805b725d7182a8b23e4985d68
SHA256 ee3efee50898288b16acfd0c4ec27ec7d224c6290ae7df8cb323d2a920ed8dd1
SHA512 a1e43dc959bdccfb420b4c690cd5946840d6697c1a657edebccb3f8a8588445c68f63b06596a384be4ff8331045f70b559651a1e7bfe1765fdef8353862b8513