Malware Analysis Report

2024-12-07 10:01

Sample ID 241114-ebjybsvajj
Target e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b
SHA256 e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b
Tags: discovery ransomware upx
Score: 9/10

Analysis Overview

Score: 9/10

SHA256: e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b

Threat Level: Likely malicious

The file e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b was found to be: Likely malicious.

Malicious Activity Summary

discovery ransomware upx

Renames multiple (3151) files with added filename extension

Renames multiple (4755) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-14 03:45

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-14 03:45

Reported: 2024-11-14 03:48

Platform: win10v2004-20241007-en

Max time kernel: 150s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe"

Signatures

Renames multiple (4755) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\LICENSE.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-profile-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Formatters.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiItalic.ttf.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\nio.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office15\pidgenx.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\manifest.json.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\BREEZE.WAV.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\mashupcompression.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.Reporting.Common.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwrdeush.dat.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\openssl64.dlla.manifest.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.inf.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\NAME.DLL.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\.version.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XDocument.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\t2k.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Modeler.UI.rll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\CSS7DATA0009.DLL.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\javafx.properties.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.manifest.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.ja-jp.txt.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiBold.ttf.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcr120.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\wxpr.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTest-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Resources.Reader.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe

"C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 215.143.182.52.in-addr.arpa udp

Files

memory/3956-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

MD5 03dbfc1d84c879ef36e064728c07c0c2
SHA1 8b1cb8b1a697381fcaa6a3054e09653faa40ea8b
SHA256 f4ad00b4dd15c8ba28a37d2e6fbb48a6dd7c516481cf7ced098631ff6dfd2cb6
SHA512 4e2ca0d3a17898c389122d02c47e79bc2457a1fb95cb65635e954b882cfa3a2e3b413c7df9f3864fe125b42387ebe6bfaec7106ed143a389e927482127102034

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 4e7e88e7c2c4d042c2f9954d1be13ec5
SHA1 5c5bfad0d42eddae5c5c58d99dc66c6a445d550a
SHA256 25f5839a08f938abc97cbbc093c853d63fc7ea18a30afdfcc16132a780592b02
SHA512 5319b1199e657dcf722c84d64be3236b746da2999e0ede7fcc79ad79f17877f8f86d68b044651985d1dc9f9b99099d9658343715de4efe977aac9858c98b6cd3

memory/3956-655-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-14 03:45

Reported: 2024-11-14 03:48

Platform: win7-20240903-en

Max time kernel: 150s

Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe"

Signatures

Renames multiple (3151) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Vienna.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\modules\host.luac.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Tell_City.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zaporozhye.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\micaut.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Internet Explorer\perfcore.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sao_Paulo.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Selectors.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576black.png.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jdwp.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\HeartsMCE.png.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\El_Aaiun.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tehran.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\boot.jar.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libidummy_plugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Seoul.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\MST7MDT.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Cairo.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.IdentityModel.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\j2pcsc.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CET.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Whitehorse.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.DirectoryServices.AccountManagement.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Common Files\System\ado\msado25.tlb.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Internet Explorer\F12Tools.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jaas_nt.dll.tmp C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe

"C:\Users\Admin\AppData\Local\Temp\e79a1c9027920d63462037617adc802e3e43d37d34a160330ffd3ea1c639469b.exe"

Network

N/A

Files

memory/1060-0-0x0000000000400000-0x000000000040A000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp

MD5 2df542a7f00e907688ffbc7eb012c4cb
SHA1 2d836dd18f9396136359813d54788a7eef90f862
SHA256 32a28c535045c719dbc231a05fd26efeb5c52534d9666e957472d5356ace1c7a
SHA512 08c21a285b9a1bc46e1cf63f1fa67bded5402a59c13ce7808c2055de83d4ff09867a73ad304db1c295d3650255fed7952e666329b44cf926a041213bf20fe355

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 5458e038025b66c6cdc895678216e7cf
SHA1 8bf452011a2144227191c56ec374c6dfc8d242ff
SHA256 b25ae922d4a006be56d5080216b689acce9f656c944e2de53b4eafb49fc15d9b
SHA512 3a763311d27e5c760b0c02ef8a784b355e9b2111bb0be7955386b1b84fad747423b6ea4effa05318476f4b003c9d9f2594826103712f4973fed6ad85b242b83c

memory/1060-63-0x0000000000400000-0x000000000040A000-memory.dmp