Malware Analysis Report

2025-01-22 19:54

Sample ID 241016-ztvsrswdnk
Target 14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N
SHA256 14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66
Tags
discovery ransomware upx
score
9/10

Analysis Overview

score
9/10

SHA256

14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66

Threat Level: Likely malicious

The file 14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (3559) files with added filename extension

Renames multiple (5019) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 21:01

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 21:01

Reported

2024-10-16 21:03

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe"

Signatures

Renames multiple (5019) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-namedpipe-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Design.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.ThreadPool.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Controls.Ribbon.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OCSCLIENTWIN32.DLL.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\offsymsb.ttf.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DirectWriteForwarder.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Diagnostics.EventLog.Messages.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\nio.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\unpack.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemDrawing.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\jfxswt.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxhelper.exe.manifest.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.DispatchProxy.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\mscss7es.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\amazonredshiftodbc_sb64.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Resources.pri.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.RuntimeInformation.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\server\jvm.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-time-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL116.XML.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe

"C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/4532-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp

MD5 d7769ffe76a67b359ef1fde335d128bf
SHA1 3d3afa8133032a2ff5b568b95146793f5375049d
SHA256 25631f4d5d06506130b3c36087131622ff38018ee1e2db595943e67422f7c8b2
SHA512 c4d972c1c45b5839640cd22a32ead1c596ae327a453737f0ecca95fcd6f1078579a326c10eb3042f1b171412ebe7a0facf9466af9a5721bffb9f0d1cbf064e25

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 ed8b176620e0f29239ce09999cc25262
SHA1 a1da9740b3f7ba12f0646a4a2b95cc3bd0868791
SHA256 aa2153e8e9e98295b24ab5991e7c67e9220cbb460c3b3cd671194364649f8583
SHA512 61f253a2870860d5519da44d4f96755d9eea46732dce42ed71e26e9cf0ae4fa10d950d62f2eb906d9a060ab1df634779ab66ef386802e6eafa5a4ef7c9185a38

memory/4532-656-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 21:01

Reported

2024-10-16 21:03

Platform

win7-20240729-en

Max time kernel

150s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe"

Signatures

Renames multiple (3559) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromecast_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_few-showers.png.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Speech.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\RSSFeeds.css.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\2d.x3d.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX9.x3d.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Funafuti.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Brunei.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Khandyga.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.jdp_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.Speech.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Salta.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\7-Zip\Lang\va.txt.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RSSFeeds.html.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down.png.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre7\bin\unpack.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Windows Mail\wabimp.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\logo.png.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Xml.Linq.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libripple_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\derbytools.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Swift_Current.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Windows Mail\wabfind.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\tr.pak.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Manaus.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Sitka.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Baghdad.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\misc\libaddonsfsstorage_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\settings.html.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\sunec.dll.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.css.sac_1.3.1.v200903091627.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe

"C:\Users\Admin\AppData\Local\Temp\14c220f4f834621053b97be6e834991f1e48a129b673a74005fae47954670a66N.exe"

Network

N/A

Files

memory/2004-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp

MD5 1d162aae212bed7a19936fd536b6406a
SHA1 901091b9a486c2e47aa1d2e3e23552a6f1fcd9a8
SHA256 e5ee9adf86b2e4863e92c4a5e4c17f58fc8ee60d52487b86984003ef94f8353f
SHA512 9bbd6dc322b45be91e72430d5f2a3a3749663831ae1da822e594ecfc8794989c7c52cab4b89e3605ef3abcef1557e8b4b1541ddf0c3a52518b97ebc707e46511

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 af04924ecf8b53cc83889620c94cba83
SHA1 188e1e6d3b31cf69834a936dfcbd54f053bd6431
SHA256 c0daebbc55f871d1ea5c58b0ef7a6d96acc20330cf9579f518351fd6d7e4436d
SHA512 26f640c6b8ba933eab60bb6c0174f24bc6f08230e2f78e794f08c2796cc67ab7bce61fe689c965747f42a1ff3a6f0eed381df852a38d32a87ccbf018b3629c28

memory/2004-68-0x0000000000400000-0x000000000040B000-memory.dmp