Malware Analysis Report

2025-01-22 20:16

Sample ID: 241019-z1dg3a1dnm
Target: a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN
SHA256: a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450e
Tags: upx discovery ransomware
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 9/10

SHA256: a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450e

Threat Level: Likely malicious

The file a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx discovery ransomware

- Renames multiple (2094) files with added filename extension
- Renames multiple (224) files with added filename extension
- UPX packed file
- Drops file in Program Files directory
- Unsigned PE
- System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-19 21:10

Signatures

UPX packed file
Tag: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-19 21:10
Reported: 2024-10-19 21:12
Platform: win7-20241010-en
Max time kernel: 120s
Max time network: 19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe"

Signatures

Renames multiple (224) files with added filename extension
Tag: ransomware

UPX packed file
Tag: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\7-Zip\7zCon.sfx.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\FlickLearningWizard.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\pt-br.txt.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\id.txt.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\pt.txt.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\7-Zip\License.txt.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\he.txt.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\nl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ug.txt.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpnr.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sq.txt.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ipscat.xml.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mng2.txt.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\va.txt.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mip.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fur.txt.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Stationery\Sand_Paper.jpg.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\hwrespsh.dat.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A

System Location Discovery: System Language Discovery
Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe

"C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe"

Network

N/A

Files

memory/2172-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5: ffbf25df46ec7f7f29b54a5723ff0ff2
SHA1: a140a4b6d22fdfe04f42c38a160798242b1401f8
SHA256: 557330b843d2fec21a3489ca8a47a9ac88da494fc3de02445843e292c017e41b
SHA512: cfe363c639c4193adbdf2515d80c78f52c399f5d086d337314142845acf3abececd5e7f16ac549c7a2997ad866bbac4b99cbd4af2cfdec324a9a3607a233d8ff

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5: 6c1948b0473404c7b829221ae83e7b13
SHA1: d1bced9abf1482799622d500118cab653d620f92
SHA256: 063ff3125cb96a248e46a93d4f3a10e6c27af943e19c86275a70536384644f6f
SHA512: c290a64a0fd56d79088e03b6fe6dbc41b189206f1d44e92535f5804ad7ad45f70de682932f91a572cb0c30de6d19d6cf6d32532ccb7b6ab2148a699d3eb8cd41

memory/2172-18-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-19 21:10
Reported: 2024-10-19 21:12
Platform: win10v2004-20241007-en
Max time kernel: 120s
Max time network: 101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe"

Signatures

Renames multiple (2094) files with added filename extension
Tag: ransomware

UPX packed file
Tag: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Algorithms.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\WindowsBase.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\da.pak.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationUI.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\WindowsBase.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\es-419.pak.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogo.png.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClientSideProviders.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\msvcp140.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Resources.Extensions.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\pt-BR.pak.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\nio.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.TypeConverter.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Contracts.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Permissions.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\it-IT\msdasqlr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\Microsoft.VisualBasic.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tools.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.TypeExtensions.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Aero.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationUI.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\System.Xaml.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationCore.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\WindowsBase.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxcompiler.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\vi.txt.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscordbi.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Numerics.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\Microsoft.VisualBasic.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.AccessControl.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\bn.pak.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Controls.Ribbon.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\WindowsBase.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ps.txt.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\hwritash.dat.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Http.Json.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\System.Windows.Controls.Ribbon.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A

System Location Discovery: System Language Discovery
Tag: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe

"C:\Users\Admin\AppData\Local\Temp\a180f37540604490f3e4dd2678098ad1e8fcf83fd1ac4ada2d0d4f2c68b3450eN.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

memory/3472-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5: c2c604a8e535a8ba198587b7997fca86
SHA1: 58873d3c8b8fb240c087918941a679aeff839bf2
SHA256: ec096b01c3eb5622579f7eabfa24cb58a95ef773f0a4531a2cce47f3d70030c2
SHA512: 86dd12fce3f7c8e971dd0fa8cc666afc63f49273c38ffb517c4e7f1886f3fcaaa3469ef844980b8846bef58ec5122f780b275c51b709af30720bd0179dcc5ab4

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5: 6ed4680f30bc2ddd866899d5a3fddc00
SHA1: eac625a446b436c41dfc68be85062af691734059
SHA256: b3cb9175c4a4147855c5d32072910a1ac536e30b98aeb2367d088930b834c654
SHA512: 6135b249fbf2c9f00c0b8ea2630986a04f2176c8d45e5f06cc772dcbfac5e68350ff15db966c1ed7e631fcb9669c588f36a72b8c06053bf20ea218eda65e4779

memory/3472-430-0x0000000000400000-0x000000000040B000-memory.dmp