Malware Analysis Report

2025-01-22 20:09

Sample ID 241016-xdjpfszbpl
Target fef2d1c8ccb75f3324f7eaabaf07d3f683664b40f3f0cf0ceffbb3834733b216N
SHA256 fef2d1c8ccb75f3324f7eaabaf07d3f683664b40f3f0cf0ceffbb3834733b216
Tags upx discovery ransomware
Score 9/10

Analysis Overview

Score 9/10

SHA256

fef2d1c8ccb75f3324f7eaabaf07d3f683664b40f3f0cf0ceffbb3834733b216

Threat Level: Likely malicious

The file fef2d1c8ccb75f3324f7eaabaf07d3f683664b40f3f0cf0ceffbb3834733b216N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (3487) files with added filename extension

Renames multiple (4838) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 18:44

Signatures

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 18:44

Reported

2024-10-16 18:46

Platform

win7-20240903-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fef2d1c8ccb75f3324f7eaabaf07d3f683664b40f3f0cf0ceffbb3834733b216N.exe"

Signatures

Renames multiple (3487) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fef2d1c8ccb75f3324f7eaabaf07d3f683664b40f3f0cf0ceffbb3834733b216N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fef2d1c8ccb75f3324f7eaabaf07d3f683664b40f3f0cf0ceffbb3834733b216N.exe

"C:\Users\Admin\AppData\Local\Temp\fef2d1c8ccb75f3324f7eaabaf07d3f683664b40f3f0cf0ceffbb3834733b216N.exe"

Network

N/A

Files

memory/2136-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini.tmp

MD5 573bfd175dfe7fb8b2f5e721d15cbf10
SHA1 5cbde6c7a0c44c72533d7cb181e28b2796ca8de5
SHA256 e85d150e11f30cfabc19d78695ee097694203a280645cf915e26197d4038ef48
SHA512 84775733b59e0dc4d41de9a99532d3fe51b88567a4ebbc62bd936262b00ea2fa6b69f9f85b25cdfc35ef926d3686a40e501a19d6c46147d1ecdd0bcc29c21a8b

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 0046764f5522b74873f86a4e0caeecb7
SHA1 8928d10c8b55d843c12f346bcf860a3478fbeac1
SHA256 5900ffc7a698aaf46a212a5cf10d273f3a958390e61c8f905647949b888f4408
SHA512 dc07635932b9b5f90545860e281009a247eaddc6594a3fccd29a03984afdddb16a73a84fdd156dc014b3e7532a1b2f18163f44d5211c873198ffb85bb8237ee6

memory/2136-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 18:44

Reported

2024-10-16 18:46

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fef2d1c8ccb75f3324f7eaabaf07d3f683664b40f3f0cf0ceffbb3834733b216N.exe"

Signatures

Renames multiple (4838) files with added filename extension

ransomware

UPX packed file

upx

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fef2d1c8ccb75f3324f7eaabaf07d3f683664b40f3f0cf0ceffbb3834733b216N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fef2d1c8ccb75f3324f7eaabaf07d3f683664b40f3f0cf0ceffbb3834733b216N.exe

"C:\Users\Admin\AppData\Local\Temp\fef2d1c8ccb75f3324f7eaabaf07d3f683664b40f3f0cf0ceffbb3834733b216N.exe"

Network

Files

memory/1532-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1045960512-3948844814-3059691613-1000\desktop.ini.tmp

MD5 cf43a0ffad890b84e8092e2fbcdda2f1
SHA1 95348f6a4e883f647a805d759832df7c9b13dae6
SHA256 2b4b06cf5ca2ed556a93ac43d59cfb7a3eb84e327fc017cbcd3379291ab15695
SHA512 37bdf3489a6adee50ae849d730ccfaf63c8615684e7529647817cdda82e1fd3f2db29bdfd116fc7437f3dd815ed92d62e28569aeb35d49097e102d75532b0e9e

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 fc19dfbff7d9a6bc0aa136363a99fb9f
SHA1 e2ab21bde435623d993f53be0c57a5c523bc70c2
SHA256 c1c99a6a4763b0effe2463bf55265fe4d83cce71ece4dafd8f3f989c4635906d
SHA512 ff82c0805855c11932085d7fafec744d389e09004bc164056c8bc7dbd2b34460b7d348a6e6d665bcd5175de9ad3155871dd1a22f0209a88578984b20a031c2eb

memory/1532-660-0x0000000000400000-0x000000000040B000-memory.dmp