Malware Analysis Report

2025-08-11 01:48

Sample ID 241005-ycs26szgrr
Target 27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0
SHA256 27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0
Tags discovery ransomware upx
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 9/10

SHA256

27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0

Threat Level: Likely malicious

The file 27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0 was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (3527) files with added filename extension

Renames multiple (5163) files with added filename extension

UPX packed file

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 19:38

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 19:38

Reported

2024-10-05 19:41

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe"

Signatures

Renames multiple (5163) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre-1.8\bin\keytool.exe.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\TellMeExcel.nrr.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Resources.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_COL.HXT.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\dt_shmem.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-environment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.VisualBasic.Core.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ru.pak.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\7-Zip\Lang\kab.txt.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tracing.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.CompilerServices.Unsafe.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\SLINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-CN\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\sk-SK\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\nb.pak.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.Messages.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\prism_sw.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN020.XML.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OWSSUPP.DLL.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\7-Zip\Lang\sv.txt.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\coreclr.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.Common.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\vcruntime140_cor3.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe

"C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 121.150.79.40.in-addr.arpa udp

Files

memory/3152-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini.tmp

MD5 e7a4479703f32dd2b84fbd350306dabb
SHA1 73c0579c065f5a71a0b3db8e9e38f54c2eb90057
SHA256 3d6d68c58b6810e870591f12d7e5ac1292fc68a93f3c3a27ce92c7570bf9447e
SHA512 a1b3310b84f5d8d10545b5eaae17ff177c4f32a7c95435df50754c98292609b1dbd67898569073f96c468085aa877bcf4e5173e690ed31c98ab89c0c98d34eb9

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 1ce59150b56936145681fc60e30f3395
SHA1 0c5f40bdd344420df6e1d839ed27b66fc61c8c45
SHA256 797cadb1fc66d1c29fe2e7e74bf16b88f95e9059a955583f832429baf96771b6
SHA512 6b873508ee74c9a38df113a865ea7fb326d3540406d471f53d58a73445787359a7b9416a1a43272a429731af6d95c092f021bd46dc7889838377fb340cd81701

memory/3152-908-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 19:38

Reported

2024-10-05 19:41

Platform

win7-20240903-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe"

Signatures

Renames multiple (3527) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre7\bin\sunec.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\drag.png.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.SF.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Taipei.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Tongatapu.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Brussels.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Windows Media Player\wmlaunch.exe.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\DVA.api.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Detroit.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libaraw_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\clock.js.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Honolulu.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jre7\lib\cmm\GRAY.pf.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libcdda_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Common Files\System\msadc\msdarem.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain.wmv.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuching.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\wmpnssci.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.bmp.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterRegular.ttf.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Berlin.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Windows Journal\Templates\To_Do_List.jtp.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\es-ES\FreeCell.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\settings.js.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\main.css.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\localizedSettings.css.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-search.jar.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Johannesburg.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Chita.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe

"C:\Users\Admin\AppData\Local\Temp\27a6e753378b70d2da82246c25ab18966fa5fb5e1124cb8ab62b534c0d9555d0.exe"

Network

N/A

Files

memory/2912-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

MD5 6fee170fc1a8d9e0aaa9c6a8ad7bd87c
SHA1 dddbcfe3f55c29c06d41d74341027291ef137891
SHA256 4bd41ed663ab557d01137dc97d8dbf40035116996ab8e606c4f55b1cceed92c3
SHA512 e167a8589a1d7bd70a15a7f8752fc971141773c16e121648528e4051cb0242d69d5dda5315105e8c86a2f3569278ca0e4d605fcf0608182e6a54dc685448d922

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 8a16f495e5d64a60136c1e4faff51ea9
SHA1 48e97c8fa2fdabd43e33e613a1539b2efc8bf69c
SHA256 58f02fa4d20809617dff93c99a1a6477754a061ea9f6722c96712421637e9561
SHA512 15522a591f43edd5e8e1acc3a60bd14e65a293392801bd4a324f48bb71ee689e45cb8b8d11ce203cba024a4c86d2092b32ba282367835c842603dbce60bd946b

memory/2912-70-0x0000000000400000-0x000000000040B000-memory.dmp