Malware Analysis Report

2024-12-07 09:58

Sample ID 241114-d7g8yathpj
Target bf0f379ed87a76f3671f8627c4cf42dc6cfb420020dca23e653e265685e91124.exe
SHA256 bf0f379ed87a76f3671f8627c4cf42dc6cfb420020dca23e653e265685e91124
Tags
discovery ransomware
score
9/10

Analysis Overview

score
9/10

SHA256

bf0f379ed87a76f3671f8627c4cf42dc6cfb420020dca23e653e265685e91124

Threat Level: Likely malicious

The file bf0f379ed87a76f3671f8627c4cf42dc6cfb420020dca23e653e265685e91124.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (3787) files with added filename extension

Renames multiple (321) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 03:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 03:38

Reported

2024-11-14 03:40

Platform

win7-20241010-en

Max time kernel

119s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf0f379ed87a76f3671f8627c4cf42dc6cfb420020dca23e653e265685e91124.exe"

Signatures

Renames multiple (321) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bf0f379ed87a76f3671f8627c4cf42dc6cfb420020dca23e653e265685e91124.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bf0f379ed87a76f3671f8627c4cf42dc6cfb420020dca23e653e265685e91124.exe

"C:\Users\Admin\AppData\Local\Temp\bf0f379ed87a76f3671f8627c4cf42dc6cfb420020dca23e653e265685e91124.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 92f44958e8ae1e09605df12a9cbfed27
SHA1 24bd6ef36bc35e0772a0c07a5b3680c04ff91a27
SHA256 b5a86d24b785e46a2cb0accca045add91064353b9a56eb53d2b033f0986219b8
SHA512 2ad9c4095dd3d23e05e2e021eed7a9433436a0f86a97d1d50e53fc85cfbef13f6f2f159b63d1d654ddb44f6cfe33fdc5316b570b3ad4538916d99d03de75c779

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 af7018b7067396e772323272050983ab
SHA1 04d77565116c5542f1a2786febf200761b8486a7
SHA256 422b26fac02b0251d0aa510ddc683edee7871ce5ac03b849ce9bd627eee75409
SHA512 2f0fff84c18caa621485510d7a431b7a6d24ffb747ad3d73853631169564ebc612a65a58bbb1ad267fdd08a4da79cc93b70b03122c04df1bbbe1c4816a11de40

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 03:38

Reported

2024-11-14 03:40

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf0f379ed87a76f3671f8627c4cf42dc6cfb420020dca23e653e265685e91124.exe"

Signatures

Renames multiple (3787) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bf0f379ed87a76f3671f8627c4cf42dc6cfb420020dca23e653e265685e91124.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bf0f379ed87a76f3671f8627c4cf42dc6cfb420020dca23e653e265685e91124.exe

"C:\Users\Admin\AppData\Local\Temp\bf0f379ed87a76f3671f8627c4cf42dc6cfb420020dca23e653e265685e91124.exe"

Network

Country Destination Domain Proto

Files

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 737829be53c58fa5c7ae56da6371eaf6
SHA1 8d2067f998cb3a6b3350aa1002cb468ab87ea8e2
SHA256 76726ace3e2a746ce47cf04192499585a96f2acbeda43964a1069b6b9cc751b9
SHA512 50e8fe2cd50f3cefeb1b18a97a35e1705560a17d3fe2d7cde58773f7ca177d8de2b0117fe61590997e58f77f01405d66821b2590c62f89b02989135301064242

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 11f57d0996b69138657a40d963ebca2c
SHA1 bb1bf24f89e43a12f882e285959100570d5d0caa
SHA256 2a738d0492d5678a1fc6fe7e9e6aec2490ce48906662ec4b4b435b39abe78a3a
SHA512 e26f73046042ed10bf858dca064e4a04d437a8e087a84add6945601302860f818c98508ab1f2ea268b365684ccb20b3f40af1f260abb1abd4ea27ea9f1a468f9