Malware Analysis Report

2025-06-16 06:31

Sample ID: 250515-h56kza1pt7
Target: 791f567c8c6c860d4e16010b6a6bfb49d546027bc859dcf545060171e7798007
SHA256: 791f567c8c6c860d4e16010b6a6bfb49d546027bc859dcf545060171e7798007
Tags: discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V16
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10

SHA256: 791f567c8c6c860d4e16010b6a6bfb49d546027bc859dcf545060171e7798007

Threat Level: Likely malicious

The file 791f567c8c6c860d4e16010b6a6bfb49d546027bc859dcf545060171e7798007 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (5355) files with added filename extension (behavioral2, win11)

Renames multiple (5279) files with added filename extension (behavioral1, win10)

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Enterprise Matrix V16

T1614.001 System Location Discovery: System Language Discovery (the discovery signature recorded in both behavioral runs)

Analysis: static1

Detonation Overview

Reported: 2025-05-15 07:20

Signatures

Unsigned PE

Description Indicator Process Target: no indicator rows (N/A); static signature only

Analysis: behavioral1

Detonation Overview

Submitted: 2025-05-15 07:20
Reported: 2025-05-15 07:22
Platform: win10v2004-20250502-en
Max time kernel: 150s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\791f567c8c6c860d4e16010b6a6bfb49d546027bc859dcf545060171e7798007.exe"

Signatures

Renames multiple (5279) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
(Process for every row: C:\Users\Admin\AppData\Local\Temp\791f567c8c6c860d4e16010b6a6bfb49d546027bc859dcf545060171e7798007.exe; Target: N/A)
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Configuration.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png.tmp
File created C:\Program Files\Microsoft Office\root\Office16\ONBttnOL.dll.tmp
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML.tmp
File created C:\Program Files\Java\jre-1.8\lib\resources.jar.tmp
File created C:\Program Files\Microsoft Office\root\Client\concrt140.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Net.NameResolution.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Xaml.resources.dll.tmp
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt.tmp
File created C:\Program Files\Microsoft Office\root\rsod\onenote.x-none.msi.16.x-none.boot.tree.dat.tmp
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-core-synch-l1-2-0.dll.tmp
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md.tmp
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.tmp
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll.tmp
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\zlibwapi.dll.tmp
File created C:\Program Files\Microsoft Office\root\Templates\1033\RedAndBlackReport.dotx.tmp
File created C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\cs\System.Xaml.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\tr\System.Xaml.resources.dll.tmp
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.tmp
File created C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe.tmp
File created C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms.tmp
File created C:\Program Files\7-Zip\readme.txt.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationProvider.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\fr\System.Windows.Input.Manipulations.resources.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-pl.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.tmp
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui.tmp
File created C:\Program Files\Microsoft Office\root\Office16\OSF.DLL.tmp
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Security.Cryptography.X509Certificates.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\lib\jfr\profile.jfc.tmp
File created C:\Program Files\Java\jre-1.8\lib\security\blacklist.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL077.XML.tmp
File created C:\Program Files\7-Zip\Lang\si.txt.tmp
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\bin\java_crw_demo.dll.tmp
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp
File created C:\Program Files\Java\jdk-1.8\release.tmp
File created C:\Program Files\Microsoft Office\root\Office16\wordEtw.man.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordaccore_amd64_amd64_7.0.1624.6629.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md.tmp
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-heap-l1-1-0.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms.tmp
File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationTypes.resources.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\java.policy.tmp
File created C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png.tmp
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN120.XML.tmp
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\PresentationUI.resources.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-pl.xrm-ms.tmp

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\791f567c8c6c860d4e16010b6a6bfb49d546027bc859dcf545060171e7798007.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\791f567c8c6c860d4e16010b6a6bfb49d546027bc859dcf545060171e7798007.exe

"C:\Users\Admin\AppData\Local\Temp\791f567c8c6c860d4e16010b6a6bfb49d546027bc859dcf545060171e7798007.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.251.37.35:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3342576763-1998465526-3870295501-1000\desktop.ini.tmp

MD5 b7e7e2c4f94e6a128c532fbf8637c72b
SHA1 dab71cb30b3f0f9c0d0768bd689fc22d84750925
SHA256 b7f7793bd516998404d9fac92d0a6f04a4a4a78a83515ca3a3cf06eb83a2c683
SHA512 5ca0bbf6702ea15190427556e42fd495ab194580c5c57b74a34f4397962951470a67c7c91e3a1ab61303c21aa58c3a9930cb68c6cbc645c1ca28deda2dd4a86b

C:\fa79de221d524b769d0447\2010_x64.log.html.tmp

MD5 9182f59056d63705e161814f2993c1bd
SHA1 68be55b3b6efba4ec2d65ea5fcbc965c3d3736bc
SHA256 7c7094b87af2735391903d0379fe0b04441c9ef65763bf2c11d736f9a04fa273
SHA512 2c6064ac337610dff72edc942989ccdd64208b796ec6525521f8d5631d4e9681205d108f6f69e0222ecae0a2c3502dbffb57633963b2554f6c34dfafa3473e99

memory/3572-803-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-05-15 07:20
Reported: 2025-05-15 07:22
Platform: win11-20250502-en
Max time kernel: 150s
Max time network: 103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\791f567c8c6c860d4e16010b6a6bfb49d546027bc859dcf545060171e7798007.exe"

Signatures

Renames multiple (5355) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
(Process for every row: C:\Users\Admin\AppData\Local\Temp\791f567c8c6c860d4e16010b6a6bfb49d546027bc859dcf545060171e7798007.exe; Target: N/A)
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ja\System.Windows.Controls.Ribbon.resources.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-string-l1-1-0.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\JPEGIM32.FLT.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ko\WindowsBase.resources.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-phn.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-phn.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\1033\TellMePowerPoint.nrr.tmp
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\es\msipc.dll.mui.tmp
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\msolap_xl.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Data.Common.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\wpfgfx_cor3.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ja\PresentationUI.resources.dll.tmp
File created C:\Program Files\dotnet\ThirdPartyNotices.txt.tmp
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-profile-l1-1-0.dll.tmp
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_CN.properties.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription5-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.manifest.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-pl.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll.tmp
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sfodbc_sb64.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages.properties.tmp
File created C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp
File created C:\Program Files\Microsoft Office\root\Templates\1033\ContemporaryPhotoAlbum.potx.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsBase.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationCore.resources.dll.tmp
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe.tmp
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_KMS_Client-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.LEX.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.DataSetExtensions.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClientSideProviders.resources.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\it\System.Windows.Controls.Ribbon.resources.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ppd.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuin53_64.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Net.Quic.dll.tmp
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\vk_swiftshader.dll.tmp
File created C:\Program Files\Microsoft Office\root\Templates\1033\Blog.dotx.tmp
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.XDocument.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClientSideProviders.resources.dll.tmp
File created C:\Program Files\Java\jdk-1.8\jre\bin\java_crw_demo.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp
File created C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt.tmp
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.Linq.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Runtime.Numerics.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Runtime.Serialization.Xml.dll.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationFramework.resources.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-pl.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Modeler.UI.rll.tmp
File created C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.tmp
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ul-oob.xrm-ms.tmp
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms.tmp

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\791f567c8c6c860d4e16010b6a6bfb49d546027bc859dcf545060171e7798007.exe N/A
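
The two behaviours recorded in both behavioral runs (behavioral1 on win10, behavioral2 on win11) are the mass creation of files whose names carry an extra appended extension (.tmp in these tables) and the read of the NLS\Language registry key. The following Python heuristic is an added example, not part of the sandbox output: it parses rows in the report's flattened "Description Indicator Process Target" layout, counts appended-extension file creations per process, checks for the language-key read, and returns a verdict. The sample rows are constructed from the tables above (a dozen file rows plus the key read); the thresholds (10 files, 90% sharing one extension), the benign control rows and the setup.exe process path are assumptions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Row layout of the report tables: "<Description> <Indicator> <Process> <Target>".
# The sample's process path contains no spaces, so the lazy indicator group stops
# at the first "C:\Users\...exe" token. Real pipelines should consume structured
# sandbox JSON instead of re-parsing a rendered table.
ROW_RE = re.compile(
    r"^(?P<desc>File created|Key opened)\s+(?P<indicator>.+?)\s+"
    r"(?P<process>[A-Za-z]:\\Users\\\S+?\.exe)\s+(?P<target>\S+)$"
)

# Process path from the report; the rows below are constructed from its tables.
PROC = r"C:\Users\Admin\AppData\Local\Temp\791f567c8c6c860d4e16010b6a6bfb49d546027bc859dcf545060171e7798007.exe"
SAMPLE_ROWS: List[str] = [f"File created {p} {PROC} N/A" for p in (
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Configuration.dll.tmp",
    r"C:\Program Files\Java\jdk-1.8\jre\bin\JAWTAccessBridge-64.dll.tmp",
    r"C:\Program Files\Microsoft Office\root\Office16\ONBttnOL.dll.tmp",
    r"C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML.tmp",
    r"C:\Program Files\Java\jre-1.8\lib\resources.jar.tmp",
    r"C:\Program Files\Microsoft Office\root\Client\concrt140.dll.tmp",
    r"C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe.tmp",
    r"C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp",
    r"C:\Program Files\7-Zip\readme.txt.tmp",
    r"C:\Program Files\Microsoft Office\root\Office16\OSF.DLL.tmp",
    r"C:\Program Files\dotnet\ThirdPartyNotices.txt.tmp",
    r"C:\$Recycle.Bin\S-1-5-21-3342576763-1998465526-3870295501-1000\desktop.ini.tmp",
)] + [rf"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {PROC} N/A"]

# Assumed benign control (not from the report): an installer writing a few files.
BENIGN_PROC = r"C:\Users\Admin\Downloads\setup.exe"
BENIGN_ROWS: List[str] = [f"File created {p} {BENIGN_PROC} N/A" for p in (
    r"C:\Program Files\ExampleApp\app.dll.tmp",
    r"C:\Program Files\ExampleApp\readme.txt",
    r"C:\ProgramData\ExampleApp\setup.log",
)]

PROTECTED_ROOTS = (r"c:\program files", r"c:\$recycle.bin", r"c:\users")


@dataclass(frozen=True)
class Event:
    desc: str
    indicator: str
    process: str


@dataclass
class Assessment:
    process: str
    renamed: int              # files whose name carries an extra, appended extension
    dominant_ext: Optional[str]
    dominant_share: float     # fraction of renamed files using dominant_ext
    protected_hits: int       # renamed files under Program Files / Recycle Bin / Users
    language_check: bool      # NLS\Language key read (System Language Discovery)
    verdict: str


def parse_row(line: str) -> Event:
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable row: {line!r}")
    return Event(m["desc"], m["indicator"], m["process"])


def appended_extension(path: str) -> Optional[str]:
    """'.tmp' for 'OSF.DLL.tmp' (an extension added to a name that already had
    one); None for single-extension names such as 'readme.txt' or 'release.tmp'."""
    suffixes = PureWindowsPath(path).suffixes
    return suffixes[-1].lower() if len(suffixes) >= 2 else None


def assess(events: Iterable[Event], min_renamed: int = 10,
           min_share: float = 0.9) -> Dict[str, Assessment]:
    """Score each process: many files sharing one appended extension is the
    'Renames multiple files with added filename extension' behaviour; the
    NLS\\Language read is the discovery signature. Thresholds are assumptions."""
    by_proc: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_proc[ev.process].append(ev)
    out: Dict[str, Assessment] = {}
    for proc, evs in by_proc.items():
        exts: Counter = Counter()
        protected = 0
        lang = False
        for ev in evs:
            if ev.desc == "File created":
                ext = appended_extension(ev.indicator)
                if ext:
                    exts[ext] += 1
                    if ev.indicator.lower().startswith(PROTECTED_ROOTS):
                        protected += 1
            elif ev.desc == "Key opened" and ev.indicator.lower().endswith(r"\nls\language"):
                lang = True
        total = sum(exts.values())
        dom, dom_n = exts.most_common(1)[0] if exts else (None, 0)
        share = dom_n / total if total else 0.0
        mass = total >= min_renamed and share >= min_share
        if mass and lang:
            verdict = "ransomware (mass rename + language check)"
        elif mass:
            verdict = "ransomware (mass rename)"
        elif lang:
            verdict = "discovery only"
        else:
            verdict = "benign/unknown"
        out[proc] = Assessment(proc, total, dom, share, protected, lang, verdict)
    return out


if __name__ == "__main__":
    for rows in (SAMPLE_ROWS, BENIGN_ROWS):
        for a in assess(map(parse_row, rows)).values():
            print(f"{a.verdict:45} renamed={a.renamed} ext={a.dominant_ext} "
                  f"protected={a.protected_hits} lang={a.language_check}")
```

On the constructed rows the sample process scores 12 appended-extension creations, all under Program Files or the Recycle Bin, plus the language-key read; the benign control scores one and stays unflagged. The count threshold matters more than the extension string: the report shows .tmp, which many families use as an intermediate name, so keying a detection on a specific final extension would miss this stage.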

Processes

C:\Users\Admin\AppData\Local\Temp\791f567c8c6c860d4e16010b6a6bfb49d546027bc859dcf545060171e7798007.exe

"C:\Users\Admin\AppData\Local\Temp\791f567c8c6c860d4e16010b6a6bfb49d546027bc859dcf545060171e7798007.exe"

Network

(no network connections recorded in this run)

Files

C:\$Recycle.Bin\S-1-5-21-1178639776-3244803473-3821071008-1000\desktop.ini.tmp

MD5 93cf9aeb7bc03597291fe36d81c148f9
SHA1 ac3b5e7a418a23ddb36771f9ad6db070ebefb6f5
SHA256 d47deae35d06fb487ea3c64894ad929a361a6ad614fe2cba4167f957a2f1c228
SHA512 ec072750091a5feb6e07fe3aa819272773761db720ff0083263d5d42c03c88cf316796f2cac51aa9f7706464f650025fe595b078697f9b025454a8d9ebf06749

C:\f8efe770fb160c3e4e\2010_x86.log.html.tmp

MD5 d7373a2007a7f62524c37b260c6e22ef
SHA1 c2f0d7d6f1b1e563db07d4b509ae5ea705477921
SHA256 b01781c470cd7a53bb1defefb4ae85b62d20ac791595ee35ce9f16a6594a054c
SHA512 b008a899af10e8b3c4e40134b198bf799a563d83d4609a6d5f8ca4b69b829fa5f7547ace7820d123e302b41b6e362aa1f21d6d04e6fab81beb00ae8fdcb02a03

memory/5248-1107-0x0000000000400000-0x0000000000407000-memory.dmp