Malware Analysis Report

2025-03-15 08:17

Sample ID: 241016-g1fnbawgle
Target: dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e
SHA256: dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e
Tags: upx, discovery, ransomware
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 9/10

SHA256: dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e

Threat Level: Likely malicious

The file dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e was found to be: Likely malicious.

Malicious Activity Summary

Tags: upx, discovery, ransomware

Renames multiple (3756) files with added filename extension

Renames multiple (5197) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-16 06:16

Signatures

UPX packed file

Tag: upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-16 06:16
Reported: 2024-10-16 06:18
Platform: win7-20240708-en
Max time kernel: 150s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe"

Signatures

Renames multiple (3756) files with added filename extension

Tag: ransomware

UPX packed file

Tag: upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Mozilla Firefox\plugin-container.exe.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.DataSetExtensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\mip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Monaco.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyclient.jar.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libqsv_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\ConfirmUnprotect.html.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Windows Media Player\Media Renderer\connectionmanager_dmr.xml.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\DVD Maker\es-ES\DVDMaker.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Malta.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\misc\libaudioscrobbler_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libwall_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt_0.11.101.v20140818-1343.jar.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\control\libntservice_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\LightBlueRectangle.PNG.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Winnipeg.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\clock.html.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\bckgzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\DW\DBGHELP.DLL.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\hxdsui.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Games\More Games\it-IT\MoreGames.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\wmlaunch.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\localizedStrings.js.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jre7\lib\management\snmp.acl.template.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\es-ES\FreeCell.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Windows Journal\es-ES\jnwdui.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\RSSFeeds.html.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkWatson.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A

System Location Discovery: System Language Discovery

Tag: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe

"C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe"

Network

N/A

Files

memory/2852-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1506706701-1246725540-2219210854-1000\desktop.ini.tmp

MD5 1d5430b67c13cc501866e0e2b6607f40
SHA1 ca4e481e106ae60e10bca43536bba2b4a34d30e3
SHA256 15ddadf8011fe5fcfa9586a57edf8759773ec8fb0f3f9d68428601bc27415a8d
SHA512 a1002b308fa51a3391dd7a8bb9b60f481ebf54ec5aca73bbeddecf32c4c884b5ca2f498c46321613001af1d65906ddf81c1a0893f8584c7a8ae70ffe649c58bf

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 90dfee430b9e47980172dd5af22038a2
SHA1 82e5d742c5b30a2b5de152c59e595609edd72161
SHA256 be6469d0c8501e9820e6fba0f419530f0cb34b01df83bf480a9f87a8f03752bf
SHA512 151ded377c21993f2f39bf6ce3f67eea61db01a61d5bdea719c4cdba332b56351cab4408ccab07fd5039dc02bd1cd2516409d434d610bd9e4cc23fa4fb20667a

memory/2852-70-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-16 06:16
Reported: 2024-10-16 06:18
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe"

Signatures

Renames multiple (5197) files with added filename extension

Tag: ransomware

UPX packed file

Tag: upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Parallel.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Default.dotx.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuuc53_64.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Common Files\System\msadc\msadcor.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSOSB.DLL.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN120.XML.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ITCKRIST.TTF.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\7-Zip\Lang\de.txt.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\accessibility.properties.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\STSLIST.CHM.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogo.png.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\catalog.json.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\SLINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jsound.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXmlLinq.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\7-Zip\Lang\ja.txt.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\accessibility.properties.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fa.pak.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN114.XML.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clrgc.dll.tmp C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A

System Location Discovery: System Language Discovery

Tag: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe

"C:\Users\Admin\AppData\Local\Temp\dd853aa5bbc68a4acd71309a0298e22c536763b0b75b0697b5eea77d695ece9e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/4568-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

MD5 79bfbe3fa2eb7ed931f4b0a557c18772
SHA1 cf94811ac48f6adddfc2c274cf52a4a17dec243b
SHA256 b513fd6f552a9700898fcc53643c7a2e70ee7391f0d99e60b95ecaf5652ded78
SHA512 15c5cdb3a7e041afcedd3e88e0dc76e69e300fee4a488e2ff826ccb6e7710c84c3826e4bae57a1743d936112739e745cb1160368a3cb7f30be3728e94e1f7930

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 f2af507b182719c5edd6e3583c39f45a
SHA1 222c838a912a3f2954f16a7da1852aa9890e75ca
SHA256 2c811491cc3a968d010dbfc4a7e1c43d7e185462b4692787e3ab76b05f073b69
SHA512 86b62dc0b44fac69c3248a70d2c0b7ef9a8f6a4d59b8b288eb0f344f7ecc0717e59376fdfb1da5d485e6789df1c59a2b1c1b4624b5376b623c3810759fe41926

memory/4568-785-0x0000000000400000-0x000000000040A000-memory.dmp