Malware Analysis Report

2024-12-07 10:18

Sample ID 241112-zms1la1dqq
Target 05d242397205a63136afdc8922b982fae9db07fac30c401254381dcc8ec9a916.exe
SHA256 05d242397205a63136afdc8922b982fae9db07fac30c401254381dcc8ec9a916
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

05d242397205a63136afdc8922b982fae9db07fac30c401254381dcc8ec9a916

Threat Level: Likely malicious

The file 05d242397205a63136afdc8922b982fae9db07fac30c401254381dcc8ec9a916.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple files with added filename extension (332 files in the Windows 7 run, 4533 in the Windows 10 run; the difference tracks the larger installed-software footprint of the Windows 10 image rather than any change in sample behaviour)

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK (Enterprise Matrix V15)

T1614.001 System Location Discovery: System Language Discovery (discovery). Matches the NLS\Language registry read recorded in both behavioural runs; the signature name below is the technique name verbatim.

T1486 Data Encrypted for Impact (ransomware). Editor's mapping of the mass .tmp-write and rename behaviour below; the report tags the behaviour "ransomware" but does not itself name the technique.

Analysis: static1

Detonation Overview

Reported

2024-11-12 20:50

Signatures

Unsigned PE (no Authenticode signature on the executable; a weak signal on its own, since much legitimate software ships unsigned, and the only static finding in this report)

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 20:50

Reported

2024-11-12 20:52

Platform

win7-20241010-en

Max time kernel

120s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05d242397205a63136afdc8922b982fae9db07fac30c401254381dcc8ec9a916.exe"

Signatures

Renames multiple (332) files with added filename extension

ransomware

Drops file in Program Files directory

Every indicator in the table below is an existing file's full path with .tmp appended, and every write comes from the sample process itself. Together with the rename signature this is consistent with the usual encrypt-to-sibling-then-rename pattern: the encrypted output goes to <original>.tmp and the victim is then renamed with the final extension. The report records only the .tmp stage, so the extension victims end up with is not visible here. Note that the writes are not limited to user documents: DLLs, EXEs, MUI resources, help files and Chrome locale packs under Program Files are all hit, which is why the installed software on the image drives the file count.

Description: File created (every row)
Process: C:\Users\Admin\AppData\Local\Temp\05d242397205a63136afdc8922b982fae9db07fac30c401254381dcc8ec9a916.exe (every row)
Target: N/A (every row)

Indicator:
C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg.tmp
C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\ipsrus.xml.tmp
C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask_PAL.wmv.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png.tmp
C:\Program Files\Common Files\System\ado\msador15.dll.tmp
C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak.tmp
C:\Program Files\7-Zip\Lang\el.txt.tmp
C:\Program Files\7-Zip\Lang\mng2.txt.tmp
C:\Program Files\7-Zip\Lang\sq.txt.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-bullet.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\1047x576black.png.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg.tmp
C:\Program Files\DVD Maker\de-DE\OmdProject.dll.mui.tmp
C:\Program Files\DVD Maker\Pipeline.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainBackground.wmv.tmp
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf.tmp
C:\Program Files\DVD Maker\PipeTran.dll.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm.tmp
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\MSTTSLoc.dll.mui.tmp
C:\Program Files\Common Files\System\ado\msadox.dll.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv.tmp
C:\Program Files\7-Zip\Lang\an.txt.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\15x15dot.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-US.pak.tmp
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_200_percent.pak.tmp
C:\Program Files\ConfirmMeasure.xps.tmp
C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-back-static.png.tmp
C:\Program Files\DVD Maker\directshowtap.ax.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_ButtonGraphic.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui.tmp
C:\Program Files\Common Files\Microsoft Shared\Stationery\ShadesOfBlue.jpg.tmp
C:\Program Files\7-Zip\7-zip.chm.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png.tmp
C:\Program Files\Common Files\System\msadc\fr-FR\msadcor.dll.mui.tmp
C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp.tmp
C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp.tmp
C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui.tmp
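The "Drops file in Program Files directory" signature is a count-based heuristic, and it is worth seeing what such a heuristic looks like when written out. The script below is an added example, not part of this report and not the sandbox vendor's code. It consumes lines in the same layout as the table above ("File created <path> <process> <target>"), strips the .tmp suffix to recover the file being replaced, and flags a process that writes many such siblings across several protected directories. The seven sample rows are copied from the table; the benign contrast row, the process paths labelled as constructed, the PROTECTED_PREFIXES list and the thresholds are assumptions for illustration and should be tuned on real telemetry.

```python
"""
Mass-encryption heuristic over sandbox "File created" indicator lines.

Added example, not part of the sandbox report and not the sandbox vendor's code.
SAMPLE_LINES mixes rows copied from the report with one constructed benign row;
PROTECTED_PREFIXES and the thresholds are assumptions to be tuned locally.
"""
import re
from collections import Counter, defaultdict

# Directories where a user-mode process rarely has a legitimate reason to
# create hundreds of files (assumption: adjust for your own environment).
PROTECTED_PREFIXES = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")

# The indicator path ends in ".tmp" and the process path contains no spaces in
# this report, so the ".tmp " boundary is enough to split the space-separated columns.
LINE_RE = re.compile(r"^File created (?P<path>.+?\.tmp) (?P<proc>\S+) (?P<target>\S+)$")

SAMPLE_PROC = r"C:\Users\Admin\AppData\Local\Temp\05d242397205a63136afdc8922b982fae9db07fac30c401254381dcc8ec9a916.exe"
BENIGN_PROC = r"C:\Users\Admin\Downloads\installer.exe"  # constructed contrast case

SAMPLE_LINES = [
    # seven rows copied from the behavioral1 table
    r"File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg.tmp " + SAMPLE_PROC + " N/A",
    r"File created C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll.tmp " + SAMPLE_PROC + " N/A",
    r"File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png.tmp " + SAMPLE_PROC + " N/A",
    r"File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe.tmp " + SAMPLE_PROC + " N/A",
    r"File created C:\Program Files\7-Zip\Lang\el.txt.tmp " + SAMPLE_PROC + " N/A",
    r"File created C:\Program Files\7-Zip\7-zip.chm.tmp " + SAMPLE_PROC + " N/A",
    r"File created C:\Program Files\DVD Maker\Pipeline.dll.tmp " + SAMPLE_PROC + " N/A",
    # constructed: an installer writing a single temp file into its own product directory
    r"File created C:\Program Files\7-Zip\7z.dll.tmp " + BENIGN_PROC + " N/A",
    # not a file event; the parser must ignore it
    "Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language " + SAMPLE_PROC + " N/A",
]


def parse_events(lines):
    """Return (path, process) pairs for the lines that are File created events."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group("path"), m.group("proc")))
    return events


def _victim_ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def score(events, min_files=5, min_dirs=3):
    """Per process: how many .tmp siblings it wrote under protected paths, and a verdict."""
    originals = defaultdict(list)
    for path, proc in events:
        if path.lower().endswith(".tmp"):
            originals[proc].append(path[:-4])  # strip ".tmp" -> the file being replaced
    verdicts = {}
    for proc, paths in originals.items():
        protected = [p for p in paths if p.lower().startswith(PROTECTED_PREFIXES)]
        dirs = Counter(p.rsplit("\\", 1)[0].lower() for p in protected)
        exts = Counter(_victim_ext(p) for p in protected)
        verdicts[proc] = {
            "protected_tmp_writes": len(protected),
            "distinct_dirs": len(dirs),
            "distinct_victim_types": len(exts),
            # a process launched from %TEMP% rewriting Program Files is itself a signal
            "process_in_temp": "\\appdata\\local\\temp\\" in proc.lower(),
            "suspicious": len(protected) >= min_files and len(dirs) >= min_dirs,
        }
    return verdicts


def analyse(lines=SAMPLE_LINES, min_files=5, min_dirs=3):
    return score(parse_events(lines), min_files, min_dirs)


if __name__ == "__main__":
    for proc, v in analyse().items():
        print("SUSPICIOUS" if v["suspicious"] else "ok        ", proc, v)
```

The directory-spread condition is what separates an encryptor from an installer or updater: the latter also writes .tmp files under Program Files, but into one product tree, so it never clears min_dirs. With the full 332-row or 4533-row table the counts are far above any sensible threshold; the low defaults here exist only so the seven embedded rows trip the rule.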

System Location Discovery: System Language Discovery

discovery

The sample opens the system language key at startup. Reading this key is common in ransomware families that refuse to run when certain languages are installed, but the report only shows the key being opened: it does not show which value was read or whether any locale makes the sample exit. Confirm the check statically, or by detonating with a non-default system language, before treating it as a kill switch.

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language)
Process: C:\Users\Admin\AppData\Local\Temp\05d242397205a63136afdc8922b982fae9db07fac30c401254381dcc8ec9a916.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\05d242397205a63136afdc8922b982fae9db07fac30c401254381dcc8ec9a916.exe

"C:\Users\Admin\AppData\Local\Temp\05d242397205a63136afdc8922b982fae9db07fac30c401254381dcc8ec9a916.exe"

Network

N/A (no network activity observed during the 18 s network window of this run)

Files

The two dropped files sampled for this run are a Recycle Bin desktop.ini and an Office installer cache manifest under C:\MSOCache, both hidden system locations outside the user profile: the sample walks the whole system drive rather than targeting only user document folders.

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 561fd6b4dd43d4a618064fce0544bb0c
SHA1 073828f99bdb7c807b07dd337810cefb83a58d20
SHA256 d63f112f80f0b485078699eb02f4d36e4e6a79fbebc8244034b00a92fbada9a7
SHA512 71da635aaa5901f4539c3ad4d158cf2e913035b1efb5a6e6799ff42f2411f5cdadbf4da697c5428944653c0804e7c68cdeab38bd4ab9810ca35a9cdf4505f2bf

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 70499c0911ff3e5e801fedfd2fa44f07
SHA1 037643659ee88c0a590a3cd64fb7400b120e8003
SHA256 8831c1a172aec301e5833555a6e08c47eb7da34c37a5e893d1b1fd6915d7c7c7
SHA512 1623c69dc6a4babd9fc654d49301b7a9137cd9d1ee00af2ee300d0e8dce9c806e31dca0aff54fafd7902c0f8e087e175d294894915184847ed69d46689f86981

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 20:50

Reported

2024-11-12 20:52

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05d242397205a63136afdc8922b982fae9db07fac30c401254381dcc8ec9a916.exe"

Signatures

Renames multiple (4533) files with added filename extension

ransomware

Drops file in Program Files directory

Same encrypt-to-sibling pattern as the Windows 7 run, on a larger footprint: .NET runtime assemblies, Java runtime DLLs and Office licence and theme files all receive a .tmp sibling from the sample process. One indicator, FPA_FA000000008\FA000000008.tmp, shows that the original file need not have an extension at all, so the sample is not filtering victims by file type.

Description: File created (every row)
Process: C:\Users\Admin\AppData\Local\Temp\05d242397205a63136afdc8922b982fae9db07fac30c401254381dcc8ec9a916.exe (every row)
Target: N/A (every row)

Indicator:
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\hostpolicy.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140_1.dll.tmp
C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Watcher.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.dll.tmp
C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp
C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\MEDIA\HAMMER.WAV.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.ThreadPool.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\ReachFramework.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-math-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png.tmp
C:\Program Files\Internet Explorer\ielowutil.exe.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Retrospect.thmx.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.JavaScript.dll.tmp
C:\Program Files\Java\jre-1.8\bin\fxplugins.dll.tmp
C:\Program Files\Java\jre-1.8\README.txt.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png.tmp
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsBase.resources.dll.tmp
C:\Program Files\Java\jre-1.8\bin\jsoundds.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationUI.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Top Shadow.eftx.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.CodePages.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\WindowsBase.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp
C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ppd.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ul-oob.xrm-ms.tmp
C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationUI.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Quic.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.RegularExpressions.dll.tmp

System Location Discovery: System Language Discovery

discovery

The same language-key read as in the Windows 7 run. Only the key open is recorded, not the value read or any decision taken on it, so the report alone does not establish a locale-based kill switch.

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language)
Process: C:\Users\Admin\AppData\Local\Temp\05d242397205a63136afdc8922b982fae9db07fac30c401254381dcc8ec9a916.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\05d242397205a63136afdc8922b982fae9db07fac30c401254381dcc8ec9a916.exe

"C:\Users\Admin\AppData\Local\Temp\05d242397205a63136afdc8922b982fae9db07fac30c401254381dcc8ec9a916.exe"

Network

Every row is a PTR (reverse) query to the sandbox resolver 8.8.8.8; the address being looked up is the in-addr.arpa name read backwards (28.118.140.52.in-addr.arpa asks about 52.140.118.28). No forward lookup of a hostname appears, the table does not attribute any query to the sample process, and no TCP flow is listed. The decoded addresses (52.140.118.28, 2.18.190.79, 20.190.159.0, 52.137.106.217, 20.109.210.53, 20.242.39.171, 2.18.190.82, 2.18.190.77, 52.111.227.14) sit in Microsoft and Akamai address space that Windows 10 background services reach on their own, so treat this table as image noise rather than sample command-and-control unless something ties a query to the sample. The Windows 7 run, with its shorter 18 s network window, produced no traffic at all.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 82.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
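Reading in-addr.arpa names backwards by hand is error-prone across a longer table, so the script below does it mechanically. It is an added example, not part of the report and not the sandbox vendor's code. It decodes each PTR name to the IPv4 address it asks about, separates the resolver's lookup of itself from real targets, reports whether any forward (hostname) query is present at all, and groups the targets by /16 so the analyst can attribute them. SAMPLE_ROWS is constructed from the ten rows of the table above and nothing else; no ownership of any address range is asserted by the code.

```python
"""
Decode the reverse-DNS (PTR) names in a sandbox network table.

Added example, not part of the sandbox report. SAMPLE_ROWS is constructed from
the report's Network table; the grouping by /16 is a triage aid, not an
attribution of the ranges to any owner.
"""
import ipaddress
from collections import Counter

SAMPLE_ROWS = [  # (destination resolver, query name) as printed in the table
    ("8.8.8.8:53", "8.8.8.8.in-addr.arpa"),
    ("8.8.8.8:53", "28.118.140.52.in-addr.arpa"),
    ("8.8.8.8:53", "79.190.18.2.in-addr.arpa"),
    ("8.8.8.8:53", "0.159.190.20.in-addr.arpa"),
    ("8.8.8.8:53", "217.106.137.52.in-addr.arpa"),
    ("8.8.8.8:53", "53.210.109.20.in-addr.arpa"),
    ("8.8.8.8:53", "171.39.242.20.in-addr.arpa"),
    ("8.8.8.8:53", "82.190.18.2.in-addr.arpa"),
    ("8.8.8.8:53", "77.190.18.2.in-addr.arpa"),
    ("8.8.8.8:53", "14.227.111.52.in-addr.arpa"),
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """Turn an IPv4 PTR name back into the address it asks about, or None if it is not one."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4:  # partial (classless) reverse zones are not handled here
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ipaddress.AddressValueError:
        return None


def triage(rows):
    """Split a DNS table into forward lookups, resolver self-lookups and decoded PTR targets."""
    forward, self_lookups, targets = [], [], []
    for dest, name in rows:
        resolver = ipaddress.ip_address(dest.rsplit(":", 1)[0])
        ip = ptr_to_ip(name)
        if ip is None:
            forward.append(name)  # a hostname query: worth attributing to a process
        elif ip == resolver:
            self_lookups.append(str(ip))  # the resolver looking itself up: stub-resolver noise
        else:
            targets.append(str(ip))
    by_net = Counter(str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in targets)
    return {
        "forward_lookups": forward,
        "resolver_self": self_lookups,
        "ptr_targets": targets,
        "targets_by_slash16": dict(by_net),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

An empty forward_lookups list is the important result here: a ransomware sample that reports a victim ID or fetches a key normally has to resolve a hostname first, and nothing in this table does. The decoded targets are what to feed into WHOIS or passive DNS; the /16 grouping just makes three lookups in 2.18.190.0/24 and the scatter across 20.x and 52.x easy to see.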

Files

As in the Windows 7 run, the sampled drops are not user documents: a Recycle Bin desktop.ini and a .tmp sibling of 7-zip.dll, a DLL under Program Files. The hashes below are of the .tmp files the sample wrote, not of the originals.

C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp

MD5 8277ad595631f0e0664b3e5b91c94abe
SHA1 279f3a23c51f2d6ec3db1b557a8b355cf3e7cb3f
SHA256 ef93025e443c5fe769246818d458ffd38dcf323c1e6e86257b957d5b79f14e2c
SHA512 254201e2a3d95a465b7d657f65d8b1b4499db4b9a01108146a19475fa89bb1ef5773f540819a9c8a773381de752fcbcc8252dbc7172e82ed2de4f44bc4d764fb

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 26999cac31c5ff641cf8eea76ad292d9
SHA1 f4a4e8d8070b8bf8bf6596b7391109c638720866
SHA256 29d11e5b43d649dfe14c1aad454af3373855dc270ffe39a5fbe83bf4835693a3
SHA512 72d003d740ef12fb4f72130b02a13b55e81a95ac079dc85fbc81995653fe79c58a5c5d2367302369f40da6e0d22a8532acb17dc589ca9613d7fd0de7a39142fc