Analysis Overview
SHA256
650f0d694c0928d88aeeed649cf629fc8a7bec604563bca716b1688227e0cc7e
Threat Level: Likely malicious
The file 816C.exe was found to be: Likely malicious.
Malicious Activity Summary
Modifies extensions of user files
Drops startup file
Reads user/profile data of web browsers
Enumerates connected drives
Adds Run key to start application
Drops file in Program Files directory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-31 17:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-31 17:01
Reported
2022-10-31 17:04
Platform
win7-20220901-en
Max time kernel
150s
Max time network
48s
Command Line
Signatures
Modifies extensions of user files
| Description | Indicator | Process | Target |
|---|---|---|---|
| File renamed | C:\Users\Admin\Pictures\CheckpointUnpublish.tif => C:\Users\Admin\Pictures\CheckpointUnpublish.tif.azov | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InstallLock.crw => C:\Users\Admin\Pictures\InstallLock.crw.azov | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\InvokeWrite.tif => C:\Users\Admin\Pictures\InvokeWrite.tif.azov | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\SearchUndo.tiff | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\SearchUndo.tiff => C:\Users\Admin\Pictures\SearchUndo.tiff.azov | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\TraceCopy.png => C:\Users\Admin\Pictures\TraceCopy.png.azov | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\WaitRedo.tif => C:\Users\Admin\Pictures\WaitRedo.tif.azov | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00806_.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222017.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File created | C:\Program Files\DVD Maker\es-ES\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous.png | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186360.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\settings.css | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296279.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\VisualElements\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File created | C:\Program Files\Windows Defender\it-IT\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199549.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107494.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB01741L.GIF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Horizon.eftx | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DVA.api | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_ON.GIF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL11.POC | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Solitaire\ja-JP\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Newsprint.eftx | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Response.css | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01161_.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02126_.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg.png | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\drag.png | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00807_.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143754.GIF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0305257.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Lima | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Ulaanbaatar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00444_.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02282_.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Client.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\RSSFeeds.css | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\MANIFEST.MF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Adjacency.eftx | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyLetter.dotx | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115839.GIF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\settings.html | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\gadget.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\816C.exe
"C:\Users\Admin\AppData\Local\Temp\816C.exe"
Network
Files
memory/1184-56-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1184-55-0x0000000000110000-0x0000000000115000-memory.dmp
memory/1184-54-0x0000000000020000-0x0000000000027000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-31 17:01
Reported
2022-10-31 17:05
Platform
win10v2004-20220812-en
Max time kernel
152s
Max time network
214s
Command Line
Signatures
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File created | C:\Program Files\Common Files\Services\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_ja.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\jce.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msado60.tlb | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\MicrosoftEdgeUpdateCore.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\security\US_export_policy.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\cursors.properties | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.war | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\816C.exe
"C:\Users\Admin\AppData\Local\Temp\816C.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.252.118.126:80 | | tcp |
| US | 8.252.118.126:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 8.252.118.126:80 | | tcp |
| US | 8.253.209.121:80 | | tcp |
| US | 8.252.118.126:80 | | tcp |
| US | 8.252.118.126:80 | | tcp |
| US | 8.253.209.121:80 | | tcp |
| US | 67.26.211.254:80 | | tcp |
| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
Files
memory/1972-132-0x0000000000020000-0x0000000000027000-memory.dmp
memory/1972-133-0x0000000000190000-0x0000000000195000-memory.dmp
memory/1972-134-0x0000000000400000-0x0000000000409000-memory.dmp