Malware Analysis Report

2025-01-22 19:54

Sample ID 241016-z5e7fswhqr
Target a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N
SHA256 a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66

Threat Level: Likely malicious

The file a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4646) files with added filename extension

Renames multiple (3165) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 21:17

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 21:17

Reported

2024-10-16 21:19

Platform

win7-20240903-en

Max time kernel

120s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe"

Signatures

Renames multiple (3165) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wallis.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Mozilla Firefox\precomplete.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\lv.pak.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Internet Explorer\iedvtool.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Internet Explorer\ieproxy.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Games\Purble Place\de-DE\PurblePlace.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Port_of_Spain.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Resolute.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Vladivostok.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Apia.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Belize.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Mozilla Firefox\AccessibleHandler.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_selectionsubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libkaraoke_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\7-Zip\descript.ion.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Casablanca.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Fiji.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.clusters.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\7-Zip\Lang\et.txt.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.bat.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jre7\bin\awt.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Pangnirtung.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Common Files\System\ado\msado15.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jre7\lib\images\cursors\cursors.properties.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net_1.2.200.v20140124-2013.jar.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Indiana\Winamac.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\7-Zip\Lang\is.txt.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.ui_1.1.200.v20130626-2037.jar.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Currie.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Games\More Games\de-DE\MoreGames.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe

"C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe"

Network

N/A

Files

memory/2216-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

MD5 71fa3eae8733891832404d476358fd20
SHA1 40f0651e468a936fbdc612fe59cd0575777ce082
SHA256 51c7a7861463591cd2d0fb3de743219bb7dfcd984f02e6f3e2df91c74b908fa7
SHA512 69ddd18e9101f4110718a52e6fef87f73040858a6ba011273042f751393dd949764c1ee96f529391df2d99e1957b324703a45c8ebf430cf2764db0ab57402afe

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 0a4bd6f3b2df4ee6c72e3c39f82f4209
SHA1 530d0c1d1f2b45acb92a753d16f047eb35f56c76
SHA256 d24437db83d0924e330101ca733541f1fe0c6905af3370a3d888cf27d40c9e1f
SHA512 06a49b0df1cb1490d49b99a1dc0879c8fc8f7fe81ad96991787f37c317f88fa00333ef427748db51ed2c4416b05102680c48716c75d88edb57274e305aee083d

memory/2216-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 21:17

Reported

2024-10-16 21:19

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe"

Signatures

Renames multiple (4646) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk-1.8\jre\bin\unpack.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-timezone-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\security\cacerts.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\security\policy\limited\US_export_policy.jar.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.ReportingServices.Interfaces.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\7-Zip\Lang\ja.txt.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\fre\StartMenu_Win7.wmv.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\giflib.md.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_Subscription-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Buffers.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\vccorlib140.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\7-Zip\Lang\sv.txt.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\OFFICE.DLL.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Common.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXC.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXT.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlDocument.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\vcruntime140.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightRegular.ttf.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Practices.Unity.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Xml.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Common Files\System\ado\msadox.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\netstandard.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\resource.dll.tmp C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe

"C:\Users\Admin\AppData\Local\Temp\a1bb49b9a84969f5bf84135dd96cfcf39b53638c51af3946e506eb323f201c66N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/4764-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp

MD5 5532a182406144a32ec0dbc8afb175b5
SHA1 102c95236afe75478f3fad92e102309323021666
SHA256 eda77f37198f18af7674d6798dbdd1e27fd7535f777aa44c7cf495687cb69bf0
SHA512 f6f1fd059a1b3cb469af036e22bdc52a6e2deba0191e1d0f7d84dfa8039b3535d476f18eaaf85e2be36b61703941af442e9b4ff87d301e7a0facd786c4ee0c5d

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 83d3df184f6eaac20134d0c2400c680f
SHA1 3a494584014760a79b54cca34ed1589a6bee3738
SHA256 dbea88a8e91ce976f2849ab3639e055d259bc6b21be1f28226ecade8aad2c3ef
SHA512 a60a27a76d04e0467052270838604e7feda48a4f92d62cae27cd2fd262efad5bac44af273bc3b3fca579beb8c04754ae0146a6f015e735b6d6420400657105f4

memory/4764-788-0x0000000000400000-0x000000000040B000-memory.dmp