Malware Analysis Report

2025-01-22 20:16

Sample ID 241020-ahlchszarn
Target a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N
SHA256 a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379
Tags discovery ransomware
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256 a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379

Threat Level: Likely malicious

The file a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware

Renames multiple (305) files with added filename extension

Renames multiple (4577) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-20 00:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-20 00:12

Reported 2024-10-20 00:15

Platform win10v2004-20241007-en

Max time kernel 120s

Max time network 104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe"

Signatures

Renames multiple (4577) files with added filename extension (tag: ransomware)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemData.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\lcms.md.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\pkcs11wrapper.md.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-multibyte-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.ResourceManager.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxcompiler.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.Annotations.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\sunec.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140_1.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\mr.pak.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processenvironment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\accessibility.properties.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.TypeExtensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jabswitch.exe.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\wpfgfx_cor3.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\sv.pak.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\dtplugin\deployJava1.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe

"C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

MD5 3fe257259416aadbb845a701673d3ac3
SHA1 8c59585eab1d7954cda57aae852776e189a90a51
SHA256 a9209e7b284df387573f96cccfee44fefacdbe6179ccc38fc9418536c760505b
SHA512 9747d28cfee65bfd76de9666719516f64daf5bc24738649a3736b1a9b9580b58e682697ce40b45e8864c46c23cbc5dfa03fa3bdcadc854b951dfc8cfbf889204

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 8d7694ba0cf3d95a912174226c0237e2
SHA1 6d4a37742d26b46d2c0cd60e925cf0264b6d5174
SHA256 f8948fe0869fd7cb8fbea153f15653a004c9eca8d1a18bc1649a0418d0426774
SHA512 33ed906f33e5859140fb9297f6fb8bfca130094dd0d9bc1970b9bf42b91ff827fa6e98186ed7217744e84f4e9a9c13fae4908810e8734de8a40d3ef54b8d9174

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-20 00:12

Reported 2024-10-20 00:14

Platform win7-20241010-en

Max time kernel 120s

Max time network 19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe"

Signatures

Renames multiple (305) files with added filename extension (tag: ransomware)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_babypink_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\ShapeCollector.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\7-Zip\Lang\sv.txt.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\CompressShow.xsl.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\it-IT\DVDMaker.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadcf.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\manifest.json.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\System\ado\msado20.tlb.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\7-Zip\Uninstall.exe.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\System\msadc\handler.reg.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\7-Zip\Lang\hr.txt.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\mr.pak.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\7-Zip\Lang\sq.txt.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\7-Zip\Lang\tk.txt.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\15x15dot.png.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\7-Zip\License.txt.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask.wmv.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\7-Zip\Lang\gu.txt.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\7-Zip\Lang\ms.txt.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\es-ES\DVDMaker.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\DVD Maker\it-IT\WMM2CLIP.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak.tmp C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A

System Location Discovery: System Language Discovery (tag: discovery)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe

"C:\Users\Admin\AppData\Local\Temp\a38e81b0993e6c94b0648782dc5e7aadbdf3a4b0997b2fb832c235aff8b92379N.exe"

Network

N/A

Files

C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp

MD5 617cec3ae371447ba05e280dce5d20e2
SHA1 fcecb46eecfb63255e6271d939594998e3486d5d
SHA256 3115ef29d955d25e8f225dd68443f8b85f932d4558c6cd5534d2ed7eb033dfba
SHA512 b8a00b7323bd28ff067724a7da311b50f41fdd5fabbff9f7d6ed9253a1c8830c5a296bce31b5026104fdf76507a649805de4fd25188de406150b090ca91c7619

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 6c3f0dc1e2826a8ec6e3bfd7a175d364
SHA1 c2e1ee5ce91e62773ba84cbf7fbbdacd76d84102
SHA256 fa6e33f032d40a88610283460206d3456ec4477144e2768a3bab3c97ccd5127c
SHA512 51b629a15b9e7c7a3df20b41e1d89192d67b871a761b23c14e36ad157283f9ed127426fcb6f872f381aad8701d59e063821a9c3f739154678acf452c1454931a