Malware Analysis Report

2024-12-07 10:03

Sample ID 241114-amf9cssbln
Target a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe
SHA256 a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6
Tags upx discovery ransomware
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6

Threat Level: Likely malicious

The file a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4225) files with added filename extension

Renames multiple (2714) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 00:19

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 00:19

Reported

2024-11-14 00:21

Platform

win7-20240903-en

Max time kernel

120s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe"

Signatures

Renames multiple (2714) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Internet Explorer\Timeline.cpu.xml.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipsptg.xml.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jre7\lib\net.properties.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\awt.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor_1.0.300.v20131211-1531.jar.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-back-static.png.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\ShvlRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\7-Zip\Lang\ast.txt.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\ChkrRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Guayaquil.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Maceio.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Oral.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jre7\bin\jli.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\7-Zip\Lang\ms.txt.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\CST6CDT.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Brussels.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Cambridge_Bay.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jre7\lib\security\javaws.policy.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\fr-FR\Mahjong.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-print.xml_hidden.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\WET.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.events_3.0.0.draft20060413_v201105210656.jar.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe

"C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe"

Network

N/A

Files

memory/2260-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

MD5 e15fd558fe238cbe6dffcae3238e2273
SHA1 1594ae8cd2162fffc6b742c4068ae5e72affe3cb
SHA256 3c490d254fc054aed94002957ed7bf9d065ad274a5f641b09807022782c0224d
SHA512 08abbf7cacb514eaa6c61ccb67e66cb77bc70196c0efe4aea86b85403ba5b1934f1266322c542b8ace9346b81a3c7f46bbac89361b469b264d354a5544ddaa6c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 ca5523bfc8c290ff6255832693fb8094
SHA1 cf2df5a9f7feb41bf93454d232f1e8ed3fa1352f
SHA256 d6402b4720fb442d00c61c1ddc12a723afc78ec0c51712001e34dc1d756f1586
SHA512 85d8b6c7d6fe65ed6dc4b2b86bf68b664f082523f978d33971cba4e5db4e72509d0debd659c9b15941d49688936ecdf911e95627a5bb923d5e6b2c09dff25a5f

memory/2260-52-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 00:19

Reported

2024-11-14 00:21

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe"

Signatures

Renames multiple (4225) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\7-Zip\Lang\kk.txt.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.Compression.Native.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\msquic.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Sockets.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk-1.8\lib\tools.jar.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProMSDNR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-string-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalDemoR_BypassTrial180-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Handles.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Permissions.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\colorimaging.md.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Banded Edge.eftx.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Thread.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.InteropServices.JavaScript.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Windows.Controls.Ribbon.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentDemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\javaws.policy.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A
File created C:\Program Files\7-Zip\Lang\mn.txt.tmp C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe

"C:\Users\Admin\AppData\Local\Temp\a0ee2a7f96dc9d845cb6f4b1e75b79e8488166d898d1b21e4743be009e5a0bc6.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3256-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

MD5 9597ac0ab4f8aa6f663ee0697124622d
SHA1 a8a80a3c283807a9174eefdc22898e9d42ff90a9
SHA256 3a5df904a2d2be57774e72960d7f9aa904a8c6e98d6db98dcd0046d364ba9ca6
SHA512 88a8dd2fff5a58f4b4b457005c511b7665bdb80d1379e26c65e782f777812fa15d0afdf4b88abe6f24fed11d98974d8cec3ec5819098181940142e7779a9ac29

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 a7be63c5a047624d309749486f435162
SHA1 80396918893b73eb26d3eefa97bb12c17b3315c6
SHA256 c4376526d650b607614ed4a93c9c95ac699e67e54af4ba2e87810901de119bcd
SHA512 1943eb14ffbed9853b30e790ffbff46f74e24a9425e9723dbd83bea62e33a50978e4f24130cac58e57ed826a44886f560204ce7bb19433b5cee94e3174d9dc7e

memory/3256-660-0x0000000000400000-0x000000000040B000-memory.dmp