Malware Analysis Report

2025-01-22 20:15

Sample ID: 241019-xv8pxashrb
Target: a9eb6242676eed8a7034a5ffcc5ed82396f6f7565e5e8b4e972ab44a7ea808a3N
SHA256: a9eb6242676eed8a7034a5ffcc5ed82396f6f7565e5e8b4e972ab44a7ea808a3
Tags: upx, discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 9/10

SHA256: a9eb6242676eed8a7034a5ffcc5ed82396f6f7565e5e8b4e972ab44a7ea808a3

Threat Level: Likely malicious

The file a9eb6242676eed8a7034a5ffcc5ed82396f6f7565e5e8b4e972ab44a7ea808a3N was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx, discovery, ransomware

Renames multiple (3068) files with added filename extension

Renames multiple (4332) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-19 19:11

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-19 19:11
Reported: 2024-10-19 19:13
Platform: win7-20240729-en
Max time kernel: 120s
Max time network: 21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9eb6242676eed8a7034a5ffcc5ed82396f6f7565e5e8b4e972ab44a7ea808a3N.exe"

Signatures

Renames multiple (3068) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a9eb6242676eed8a7034a5ffcc5ed82396f6f7565e5e8b4e972ab44a7ea808a3N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a9eb6242676eed8a7034a5ffcc5ed82396f6f7565e5e8b4e972ab44a7ea808a3N.exe

"C:\Users\Admin\AppData\Local\Temp\a9eb6242676eed8a7034a5ffcc5ed82396f6f7565e5e8b4e972ab44a7ea808a3N.exe"

Network

N/A

Files

memory/2780-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

MD5 da3a135c56e1c98e4d8feac1abdff075
SHA1 51e18acdffa4568539fd34313bb8481f0e9b9b4c
SHA256 44c4c9d36b291fb66005c4d94a835dd985236e433b39fd4b1904d9b4f16b7b74
SHA512 ca86611ba1c1ea90a53355af85ca767c45339ed29a65175d013d11100b0d70b3fb179f6a2812129a3c2324afcbfd29b0da263a6826097aa900b0c6d69379090e

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 a40a1e2ca2c5fcc991553b914bd5fe38
SHA1 76a28cfb84f4fec147c20e114039e14c1f97d52b
SHA256 ec0a58d922919112c4e7beb615098bccd492ee683064de966c93c152314507a1
SHA512 82b2aa3abfe33503965f6ae68f61a0c53b887dea623a3573293414e4cbfc66414d79bdb0710db9d35c47d4ce89f4f2ced04597041efe07ddc324521f500f5716

memory/2780-68-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-19 19:11
Reported: 2024-10-19 19:14
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9eb6242676eed8a7034a5ffcc5ed82396f6f7565e5e8b4e972ab44a7ea808a3N.exe"

Signatures

Renames multiple (4332) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a9eb6242676eed8a7034a5ffcc5ed82396f6f7565e5e8b4e972ab44a7ea808a3N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a9eb6242676eed8a7034a5ffcc5ed82396f6f7565e5e8b4e972ab44a7ea808a3N.exe

"C:\Users\Admin\AppData\Local\Temp\a9eb6242676eed8a7034a5ffcc5ed82396f6f7565e5e8b4e972ab44a7ea808a3N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/1144-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 040cd1de5eefce9040b7dc1bca7130e4
SHA1 f08eb54f45b0e736a76365356db2afae44ed6ec1
SHA256 4a5da8a627c7d32e7480d8b4ff5fb5c4b0a02a07d0ca3196caadf5a9d1c7921c
SHA512 c8e5564f6e7de30584451545cbe668eb8d062112ad579337110f3f362b643ea3d2a8d78610dd8f882429808d9965f01df5b1bc4f5a827d177a5c08b92cef8bb6

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 b4be480ec67eb5e9c7388034feecc4e6
SHA1 6398deb4f8b1f63518c5b4f028ca8f985e674ae1
SHA256 505deb5aaff7f4749d72e55290074c82dd38a36b793751cb8f72b5ced030114b
SHA512 14a3961c17058df51a0bb223b7c13edef2bd049edde736ed349ea39538424ba8f28307d347ed9071f2ad69b620d783f384e0907fe43075c2a46e19bf9261491c

memory/1144-666-0x0000000000400000-0x000000000040B000-memory.dmp