Malware Analysis Report

2025-06-16 06:31

Sample ID 250515-h56wqs1pv2
Target 7b9536e0c2d8342c3091c372733088764bbf241a89d6d64a07a711a315ff2981
SHA256 7b9536e0c2d8342c3091c372733088764bbf241a89d6d64a07a711a315ff2981
Tags: discovery ransomware
Score: 9/10

Analysis Overview

Score: 9/10

SHA256

7b9536e0c2d8342c3091c372733088764bbf241a89d6d64a07a711a315ff2981

Threat Level: Likely malicious

The file 7b9536e0c2d8342c3091c372733088764bbf241a89d6d64a07a711a315ff2981 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (3021) files with added filename extension

Renames multiple (3205) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-05-15 07:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-05-15 07:20
Reported: 2025-05-15 07:23
Platform: win10v2004-20250502-en
Max time kernel: 150s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b9536e0c2d8342c3091c372733088764bbf241a89d6d64a07a711a315ff2981.exe"

Signatures

Renames multiple (3021) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7b9536e0c2d8342c3091c372733088764bbf241a89d6d64a07a711a315ff2981.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7b9536e0c2d8342c3091c372733088764bbf241a89d6d64a07a711a315ff2981.exe

"C:\Users\Admin\AppData\Local\Temp\7b9536e0c2d8342c3091c372733088764bbf241a89d6d64a07a711a315ff2981.exe"

Network

Country Destination Domain Proto
FR 92.122.219.104:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
FR 142.251.37.35:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3690492401-2005096563-3427069815-1000\desktop.ini.tmp

MD5 5116df90a339a96989ac71fd25c143db
SHA1 a90b8cf17ff6da0fd552dad5b29568a44471a097
SHA256 76736ffca644d9fd358981bc31141e4d32b7c7a943598c0f50adcb27a76d1b7d
SHA512 50c89f11e555f29126cb2db27dd2b6f36ee4319be7bd1c8d45b6842fff7177343f4ee476a8c99ce6e038db0803b3bb6aea67e518ad7f06cb168a928154597767

C:\f32c6debfbe15d219b06a854\2010_x64.log.html.tmp

MD5 5b2d5474d68b2db0d5194cf8ee72ff89
SHA1 5b86175da30270320257107329263b8c7ed0000a
SHA256 16fd192f9552111589d2277f12f3fec00b81b0bb9270f05f4618b7ba07aa467d
SHA512 6df9baad25699187d404014dfb157a784b7706b6653673933768dfb3a67c7627aa4dc1c92142bfc973afd73df9142aeb64d0026b3e4057e0a11970f1ef74aa28

Analysis: behavioral2

Detonation Overview

Submitted: 2025-05-15 07:20
Reported: 2025-05-15 07:22
Platform: win11-20250502-en
Max time kernel: 150s
Max time network: 112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b9536e0c2d8342c3091c372733088764bbf241a89d6d64a07a711a315ff2981.exe"

Signatures

Renames multiple (3205) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7b9536e0c2d8342c3091c372733088764bbf241a89d6d64a07a711a315ff2981.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7b9536e0c2d8342c3091c372733088764bbf241a89d6d64a07a711a315ff2981.exe

"C:\Users\Admin\AppData\Local\Temp\7b9536e0c2d8342c3091c372733088764bbf241a89d6d64a07a711a315ff2981.exe"

Network

Country Destination Domain Proto
NL 52.111.243.29:443 tcp

Files

C:\$Recycle.Bin\S-1-5-21-1283078542-320785498-2248628612-1000\desktop.ini.tmp

MD5 8324d15d6ef09bd204fa32c9a3e8f52a
SHA1 a135f494418dfb85b7d6054316c029ca4b1c47ff
SHA256 0cb9ca190b601cde7b8b320e856117faa2950458fc00cb144fa0566777e6b208
SHA512 b3e537b20e1b44b233440d8c81952995f433677e0765f1033de7c2ccd400da9374ff2d444de0018c10636f356177473ca96f8b09f2207a8c597f6615e41b8d0f

C:\caf455ed4ae411b0ba0aa2\2010_x64.log.html.tmp

MD5 4184a8f44d758afd6fa68e30dec4954e
SHA1 3e66e55455a882ac005705aef2e1853a0035acfb
SHA256 3835b0438469f92f1f91b9a851f36502c9d1c630bbdb84402e7f1600819c0bd1
SHA512 27c0a743e1803f4fd79c2baa10b29473fb98f2577de8051a837813b0f153c027d8a4b5374ca82b637ca4ab6767762000d97aba95e9911a2e87efe3216539bc69