Malware Analysis Report

2025-08-11 01:47

Sample ID 241005-x46xnszepm
Target 26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397
SHA256 26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397
Tags
discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397

Threat Level: Likely malicious

The file 26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (1781) files with added filename extension

Renames multiple (198) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 19:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 19:25

Reported

2024-10-05 19:26

Platform

win7-20240903-en

Max time kernel

60s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe"

Signatures

Renames multiple (198) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\gl.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\be.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\fur.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\el.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\af.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeulm.dat.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\7-zip.chm.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\vi.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\mk.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\kab.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.bin.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\an.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\pt.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\az.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\ta.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\uk.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\io.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\tt.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\ca.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\7z.exe.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\et.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\7-zip32.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe

"C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-457978338-2990298471-2379561640-1000\desktop.ini.tmp

MD5 38524803f0ec196d2670ac8538c24dcf
SHA1 4260e895864f0ae530860a26bbf05156e50a0941
SHA256 9c9657dc2056cdc9bdb83e81872e63f4a36437f488f2d5de9f095a28528db91b
SHA512 290096ebee5744b16caaefba8657013710bde3436b5bd3732d0cac9e7303fb56d84da82ca3fc29653205ffabffbc9f6e54b0c5792e919495d5af562186195b9c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 d26bbbd2e5e78a2ffdcce91424c3cd63
SHA1 3231b0ec9e897da49e6c4e4701977812245f8c01
SHA256 54f32a66d7b522c6628bbb78c27acbe8e54e9e8307f5bd8cf3521bdc93189173
SHA512 792e4499494bf3c53293bb5ce7ce1b7107361e639f6f7cf978f553a6b207120120025fcac2b6690b71ad37105b10ee293306f2fdc4afb7b9e98cb01d235c4b82

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 19:25

Reported

2024-10-05 19:26

Platform

win10v2004-20240802-en

Max time kernel

60s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe"

Signatures

Renames multiple (1781) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.ServicePoint.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\7-zip32.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Configuration.ConfigurationManager.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_100_percent.pak.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\be.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\kab.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Debug.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Registry.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\ru.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationCore.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.EventBasedAsync.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Debug.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\ba.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Design.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\System\ado\msador15.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Drawing.Design.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\7-Zip\Lang\ko.txt.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadce.dll.tmp C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe

"C:\Users\Admin\AppData\Local\Temp\26923c28ae890904e9b763e8e901cb7d9244836b8fb527be722e8eae0aa38397.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp

Files

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

MD5 df22336120b6410a0187486c6a286d03
SHA1 958ac4eb251820ba5bf05798a2857655e345b92e
SHA256 b419d87b10f808282f08e58043a4b21872252c9dc4ca315f556a2eea1803844c
SHA512 71098d95cd37788273c56daa012ec94778783274028713e976a997d139db56a0febf15fe6b0d94d7716f895c939ed481488858d1acb25671ca3c1c9bfd390cb7

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 a923d18221e991905f840812ff66a339
SHA1 9a10ef46b3a4a1d660a9f3b83b6f6b5d68ac63ea
SHA256 e84cc4f65292d40d1e068db15deb10ca17b956d2152f47a97f23a56a21d940d7
SHA512 5764f19cc3b8b03fb288464bdc73c82e8254b5527c50b6e47c332e9585488a8d234bfe8455070f1670fff04cde19291857812a3bdfe757928fdb66ccc546826e