Malware Analysis Report

2025-03-15 08:18

Sample ID 241016-gyhpwswfng
Target 2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN
SHA256 2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fd
Tags
discovery ransomware upx
score
9/10

Analysis Overview

Threat Level: Likely malicious

The file 2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (3998) files with added filename extension

Renames multiple (5194) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Analysis: static1

Detonation Overview

Reported

2024-10-16 06:12

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 06:12

Reported

2024-10-16 06:15

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN.exe"

Signatures

Renames multiple (5194) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN.exe

"C:\Users\Admin\AppData\Local\Temp\2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN.exe"

Network


Files

memory/4152-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp

MD5 c8742b127e09868384ed26453b8879fd
SHA1 765b6ac8ef9b3d92f56ee34f6b1218a6a59cce54
SHA256 895f3ac8d98f7621f30c87c88185352621175ca40f56177d855ee1bc71137f63
SHA512 56ef1fdb9d4da04e7c19eba7df8028282caf71bf6a21246edcb4af33eb0a93c9986cfdef2829bf036706b12b2b387fc409814eab70ccf484ea2fe0547024270a

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 96f922bdc11e76ef246217775bec45d1
SHA1 3ba7c60984f939c23a31c57a264c80315a7b0ad5
SHA256 5576d6e2ffb53bc1366d37ce84f939d12b703d59ef3093f977c872a30748cda0
SHA512 2c795ca6d7ad18a81a3b032f5f7118a0ece8a6b22ec167ceb0bd65f37709daa6b6ec5a46c9a204928aef14243b8727314ffa9a763444094de401012d3eacdcb5

memory/4152-783-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 06:12

Reported

2024-10-16 06:15

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN.exe"

Signatures

Renames multiple (3998) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN.exe

"C:\Users\Admin\AppData\Local\Temp\2de56d1470e1869d5e49c15207da3bbea64e20d93ade0074a475c93eade7d5fdN.exe"

Network

N/A

Files

memory/2156-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

MD5 c52d2cf2132776a2a94fc6401cbdbaee
SHA1 07f0c9ca8863cf2bb75c05b5048d3e07a2286d54
SHA256 39cff5fb8137891ac21c409a25f769a7efecb8793ff12206e7d7e478313671b4
SHA512 3add59bb58c833445addc5df7fe51e9b68e2de21b789c4dd456f8dc0c1e39fedd62ac9a2521cde20e9a7b081b573568d3b48fcaa33b3f51034e58c2351eb7225

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 f570d6410ccd1c2e246439316cebff50
SHA1 b33656e756bf0137bdf6f65928a6edb9e54947c1
SHA256 c0271b8be030baaab551e8eea1b6f9b6c071d102b3aab4db970bf4c1e0ea5b58
SHA512 586605fd5d391e04c75359f1f9002b1699fba78f8a2b8c1aae6dac27a84f38aa915a80cebdf6b6cb04f3c968c7548a423a662597c22c95fae1c445ecf1cbba17

memory/2156-70-0x0000000000400000-0x000000000040A000-memory.dmp