Malware Analysis Report

2025-06-16 06:30

Sample ID 250515-h56wqs1pt8
Target 3ff67f2622d80e87879506355aa5640427575f280935a7dc0b5ffd69ebd38deb
SHA256 3ff67f2622d80e87879506355aa5640427575f280935a7dc0b5ffd69ebd38deb
Tags discovery, ransomware
Score 9/10

Analysis Overview

score
9/10

SHA256

3ff67f2622d80e87879506355aa5640427575f280935a7dc0b5ffd69ebd38deb

Threat Level: Likely malicious

The file 3ff67f2622d80e87879506355aa5640427575f280935a7dc0b5ffd69ebd38deb was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (5154) files with added filename extension

Renames multiple (5029) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-15 07:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-15 07:20

Reported

2025-05-15 07:22

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ff67f2622d80e87879506355aa5640427575f280935a7dc0b5ffd69ebd38deb.exe"

Signatures

Renames multiple (5029) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3ff67f2622d80e87879506355aa5640427575f280935a7dc0b5ffd69ebd38deb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3ff67f2622d80e87879506355aa5640427575f280935a7dc0b5ffd69ebd38deb.exe

"C:\Users\Admin\AppData\Local\Temp\3ff67f2622d80e87879506355aa5640427575f280935a7dc0b5ffd69ebd38deb.exe"

Network

Country Destination Domain Proto
FR 92.122.219.83:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.251.37.35:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3674642747-2260306818-3009887879-1000\desktop.ini.tmp

MD5 d491d13b09b12ca4297ade5a12144804
SHA1 a6478756eb8c99cb04f4a091655d4926a5950565
SHA256 c70c6c03aa769ecd490d5db44619e38598737100cf737200c3d9c67e5e1d0cc7
SHA512 a72c5dcae36d26da8cf75ba67437b011c5bc26ab893545018f3bb07bb4e6e44e065bc861b4fd88e66e32e8a1e1bd798e492ae2926e98d8a59169d2ad6a4bd5b9

C:\967f022c4c136664abfad56c1fb73a\2010_x86.log.html.tmp

MD5 6f17af4191b4eff971e7f7a0114796fa
SHA1 4d916b5e6ff8a5572fad6ec99c97511a7dddd3fe
SHA256 f0fed6de2dd72e7a8eb4a16df9f0798a504ce533607374fa64149ed2c3706343
SHA512 dc55fdb3033d3515805f5d8b6d2f0fc6b0f239520e779c66db6520977bac711b8e810284c28082514ecb90f76d4a977104e95d915e65f67574df344e83a4683c

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-15 07:20

Reported

2025-05-15 07:22

Platform

win11-20250502-en

Max time kernel

150s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ff67f2622d80e87879506355aa5640427575f280935a7dc0b5ffd69ebd38deb.exe"

Signatures

Renames multiple (5154) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3ff67f2622d80e87879506355aa5640427575f280935a7dc0b5ffd69ebd38deb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3ff67f2622d80e87879506355aa5640427575f280935a7dc0b5ffd69ebd38deb.exe

"C:\Users\Admin\AppData\Local\Temp\3ff67f2622d80e87879506355aa5640427575f280935a7dc0b5ffd69ebd38deb.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-3518521428-3897247806-4080064211-1000\desktop.ini.tmp

MD5 822c935421096cae22b7683f27fe7710
SHA1 7ee5fc2813c751b5206ca602c079600980c2bbf1
SHA256 d0d05cf43dde1c0e669e724c5b5f7bd51dedf28aad3a04cbf9fec510269ac5eb
SHA512 a87e6802087684bf0088b87062c559e6fe3d8c856937d6f234ddc4252fd52a245c6b6d4385ef48bcd99b349ad2a62cbf0f00033a718cc7fa77ff49d1c59a541e

C:\ef24ccacc0fb7a1128713900cef14716\2010_x64.log.html.tmp

MD5 5190b7fcb2cd202e430d362fb4cf3e1c
SHA1 8c948283ad9214a4a3a064a2f2beacb65671c728
SHA256 d79fb2644f9197f9e7f63e2f050024144d41baf8ae64413f074912dc6af8b618
SHA512 e7da698ce42c51bbfe5a108b04b8b2d9808b2e0abdb650ec7b9623e203dc6f649b598f063be45d161db4d85361f7d5a004281ea4c50654261e8673de5f0b6c99