Malware Analysis Report

2024-10-18 21:59

Sample ID 221031-vjjkjacdbr
Target 816C.exe
SHA256 650f0d694c0928d88aeeed649cf629fc8a7bec604563bca716b1688227e0cc7e
Tags
persistence ransomware spyware stealer
score
8/10


Analysis Overview


Threat Level: Likely malicious

The file 816C.exe was found to be: Likely malicious.

Malicious Activity Summary

persistence ransomware spyware stealer

Modifies extensions of user files

Drops startup file

Reads user/profile data of web browsers

Enumerates connected drives

Adds Run key to start application

Drops file in Program Files directory

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-10-31 17:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 17:01

Reported

2022-10-31 17:04

Platform

win7-20220901-en

Max time kernel

150s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\816C.exe"

Signatures

Modifies extensions of user files

ransomware

Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\CheckpointUnpublish.tif => C:\Users\Admin\Pictures\CheckpointUnpublish.tif.azov | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File renamed | C:\Users\Admin\Pictures\InstallLock.crw => C:\Users\Admin\Pictures\InstallLock.crw.azov | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File renamed | C:\Users\Admin\Pictures\InvokeWrite.tif => C:\Users\Admin\Pictures\InvokeWrite.tif.azov | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\SearchUndo.tiff | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File renamed | C:\Users\Admin\Pictures\SearchUndo.tiff => C:\Users\Admin\Pictures\SearchUndo.tiff.azov | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File renamed | C:\Users\Admin\Pictures\TraceCopy.png => C:\Users\Admin\Pictures\TraceCopy.png.azov | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File renamed | C:\Users\Admin\Pictures\WaitRedo.tif => C:\Users\Admin\Pictures\WaitRedo.tif.azov | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00806_.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222017.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File created | C:\Program Files\DVD Maker\es-ES\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous.png | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186360.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\settings.css | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296279.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File created | C:\Program Files\Mozilla Firefox\browser\VisualElements\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\MahjongMCE.png | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File created | C:\Program Files\Windows Defender\it-IT\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199549.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107494.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB01741L.GIF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Horizon.eftx | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DVA.api | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_ON.GIF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL11.POC | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File created | C:\Program Files\Microsoft Games\Solitaire\ja-JP\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Newsprint.eftx | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions_Response.css | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01161_.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02126_.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg.png | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\drag.png | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00807_.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143754.GIF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0305257.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Lima | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Ulaanbaatar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00444_.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02282_.WMF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Client.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\RSSFeeds.css | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\MANIFEST.MF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Adjacency.eftx | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyLetter.dotx | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115839.GIF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\settings.html | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\gadget.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\816C.exe

"C:\Users\Admin\AppData\Local\Temp\816C.exe"

Network

N/A

Files

memory/1184-56-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1184-55-0x0000000000110000-0x0000000000115000-memory.dmp

memory/1184-54-0x0000000000020000-0x0000000000027000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-31 17:01

Reported

2022-10-31 17:05

Platform

win10v2004-20220812-en

Max time kernel

152s

Max time network

214s

Command Line

"C:\Users\Admin\AppData\Local\Temp\816C.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bandera = "C:\\ProgramData\\rdpclient.exe" | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_OEM_Perp-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_COL.HXC | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File created | C:\Program Files\Common Files\Services\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_mac.css | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_ja.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\jce.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_KMS_Client_AE-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\89.0.4389.114\WidevineCdm\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\ado\msado60.tlb | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteshare.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\hu.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.165.21\MicrosoftEdgeUpdateCore.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\security\US_export_policy.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\cursors.properties | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\RESTORE_FILES.txt | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.war | C:\Users\Admin\AppData\Local\Temp\816C.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\816C.exe

"C:\Users\Admin\AppData\Local\Temp\816C.exe"

Network

Country | Destination | Domain | Proto
US | 8.252.118.126:80 | | tcp
US | 8.252.118.126:80 | | tcp
US | 93.184.220.29:80 | | tcp
US | 93.184.220.29:80 | | tcp
US | 8.252.118.126:80 | | tcp
US | 8.253.209.121:80 | | tcp
US | 8.252.118.126:80 | | tcp
US | 8.252.118.126:80 | | tcp
US | 8.253.209.121:80 | | tcp
US | 67.26.211.254:80 | | tcp
US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp

Files

memory/1972-132-0x0000000000020000-0x0000000000027000-memory.dmp

memory/1972-133-0x0000000000190000-0x0000000000195000-memory.dmp

memory/1972-134-0x0000000000400000-0x0000000000409000-memory.dmp