Malware Analysis Report

2025-08-10 20:09

Sample ID 250518-n2tpws1p17
Target 02bf857ff75d7e43dfaa752c8bcb419521179a05288e9f483d63010d76d2c65e
SHA256 02bf857ff75d7e43dfaa752c8bcb419521179a05288e9f483d63010d76d2c65e
Tags discovery, ransomware
Score 9/10


Analysis Overview

score
9/10

SHA256

02bf857ff75d7e43dfaa752c8bcb419521179a05288e9f483d63010d76d2c65e

Threat Level: Likely malicious

The file 02bf857ff75d7e43dfaa752c8bcb419521179a05288e9f483d63010d76d2c65e was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, ransomware

Renames multiple files with added filename extension: 5224 files in behavioral1 (win10v2004-20250502-en) and 5364 files in behavioral2 (win11-20250502-en). The created-file indicators in both runs carry a trailing .tmp, consistent with .tmp being the extension the sample appends.

Drops file in Program Files directory: the renamed files sit inside installed-software trees (7-Zip, Microsoft Office, Java, dotnet, Chrome), not only in user data.

Unsigned PE

System Location Discovery: System Language Discovery (reads the NLS\Language registry key)
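The two file-system signatures above ("Renames multiple (N) files with added filename extension" and "Drops file in Program Files directory") are what a detection engineer would want to reproduce from endpoint file-creation telemetry. The following is an added example, not code from the sandbox or from the report: it derives the added extension by comparing a created name against its stem, counts per process in the shape of the report's signatures, and fires a sliding-window alert once one process has given enough distinct files a new extension. The event stream is constructed (the report gives no per-row timestamps, and `sample.exe` stands in for the sample's real name); the thresholds are illustrative, not the sandbox's.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tunables for the mass-rename rule (illustrative values, not the sandbox's).
THRESHOLD = 50                   # distinct files gaining an extension per process ...
WINDOW = timedelta(seconds=60)   # ... inside this sliding window


def added_extension(path: str):
    """If `path` is <original name with its own extension> plus one more suffix,
    return (original_path, added_suffix); otherwise None.
    Files that had no extension to begin with (e.g. 'meta-index.tmp' in the
    report) cannot be recognised this way and are deliberately left out."""
    p = PureWindowsPath(path)
    if len(p.suffixes) < 2:
        return None
    return str(p.with_suffix("")), p.suffix


def summarize(events):
    """Per-process counts in the shape of the report's signatures: how many
    created files carry an added extension, which extensions were added, and
    how many of those landed under C:\\Program Files."""
    out = defaultdict(lambda: {"renamed": 0, "added_ext": defaultdict(int), "program_files": 0})
    for _, proc, op, path in events:
        if op != "File created":
            continue
        hit = added_extension(path)
        if hit is None:
            continue
        s = out[proc]
        s["renamed"] += 1
        s["added_ext"][hit[1]] += 1
        if path.lower().startswith("c:\\program files"):
            s["program_files"] += 1
    return dict(out)


def detect_mass_rename(events):
    """Fire once per process that gives >= THRESHOLD distinct files a new
    extension within WINDOW. Returns a list of alert dicts."""
    recent = defaultdict(deque)           # proc -> (ts, original_path) still inside the window
    ext_counts = defaultdict(lambda: defaultdict(int))
    fired, alerts = set(), []
    for ts, proc, op, path in sorted(events):
        if op != "File created" or proc in fired:
            continue
        hit = added_extension(path)
        if hit is None:
            continue
        original, ext = hit
        ext_counts[proc][ext] += 1
        q = recent[proc]
        q.append((ts, original))
        while ts - q[0][0] > WINDOW:      # drop events that fell out of the window
            q.popleft()
        distinct = {o for _, o in q}
        if len(distinct) >= THRESHOLD:
            fired.add(proc)
            alerts.append({
                "process": proc,
                "files": len(distinct),
                "added_ext": max(ext_counts[proc], key=ext_counts[proc].get),
                "first": q[0][0], "last": ts,
            })
    return alerts


def constructed_events():
    """Constructed event stream of (timestamp, process, operation, path).
    Timestamps are invented; process and path shapes follow the report's rows."""
    base = datetime(2025, 5, 18, 11, 54, 0)
    ransom = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"   # stand-in for the sample
    installer = r"C:\Windows\System32\msiexec.exe"
    ev = []
    for i in range(120):   # 120 files in 30 s, spread over seven Program Files subtrees
        ev.append((base + timedelta(milliseconds=250 * i), ransom, "File created",
                   rf"C:\Program Files\App{i % 7}\file{i}.dll.tmp"))
    ev.append((base + timedelta(seconds=31), ransom, "File created",
               r"C:\$Recycle.Bin\S-1-5-21-1-2-3-1000\desktop.ini.tmp"))
    for i in range(3):     # a legitimate installer writing a few .tmp files: below threshold
        ev.append((base + timedelta(seconds=5 * i), installer, "File created",
                   rf"C:\Program Files\Vendor\setup{i}.dll.tmp"))
    ev.append((base, r"C:\Windows\explorer.exe", "File created", r"C:\Users\Admin\notes.txt"))
    return ev


if __name__ == "__main__":
    events = constructed_events()
    for proc, s in summarize(events).items():
        print(f"{proc}: {s['renamed']} files with added extension "
              f"{dict(s['added_ext'])}, {s['program_files']} under Program Files")
    for a in detect_mass_rename(events):
        print(f"ALERT mass rename by {a['process']}: {a['files']} files -> *{a['added_ext']} "
              f"between {a['first'].time()} and {a['last'].time()}")
```

The rule keys on distinct original files rather than raw event count, so a process rewriting the same temp file in a loop does not trip it, and it reports the dominant added extension so an analyst can pivot on `*.tmp` immediately. Against the sandbox's own numbers (over five thousand files in under 150 seconds) the window and threshold here are conservative.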

MITRE ATT&CK

Enterprise Matrix V16

Discovery: System Location Discovery: System Language Discovery (T1614.001), from the NLS\Language registry read recorded in both behavioral runs.

Analysis: static1

Detonation Overview

Reported

2025-05-18 11:53

Signatures

Unsigned PE

Description / Indicator / Process / Target: N/A (a static property of the file; no runtime indicator rows)
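"Unsigned PE" is a static check: the image has no embedded Authenticode certificate table. The following added example (not the sandbox's code) shows what that check actually reads, a PE data-directory entry, and why it is only a weak signal: an empty entry also describes every catalog-signed Microsoft binary, and a non-empty one proves nothing until the signature is verified. The test images are constructed headers with no sections, so a non-zero certificate entry points past the end of the blob; the function names and the hypothetical `sample.exe` path are this example's, not the report's.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data-directory slot of the certificate table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def certificate_table(pe: bytes):
    """Return (file_offset, size) of the embedded Authenticode certificate
    table, or (0, 0) if the image carries none. Raises ValueError for
    anything that is not a PE image."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", pe, n_dirs_off)[0]
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return 0, 0
    # Unlike every other directory, the security entry stores a raw file
    # offset rather than an RVA: the certificate blob lives outside any section.
    offset, size = struct.unpack_from("<II", pe, entry)
    return offset, size


def is_unsigned(pe: bytes) -> bool:
    """The static 'Unsigned PE' check: no embedded certificate table at all.
    It says nothing about whether a present signature is valid, and it cannot
    see catalog signatures, which live in the OS catalog store, not the file."""
    return certificate_table(pe)[1] == 0


def build_synthetic_pe(magic: int, cert_size: int) -> bytes:
    """Constructed test image: DOS header, PE signature, COFF header and a
    zeroed optional header with 16 data directories, no sections. With
    cert_size > 0 the security directory points just past the headers."""
    plus = magic == PE32PLUS_MAGIC
    opt_len = 240 if plus else 224           # 112/96 fixed bytes + 16 * 8 directory entries
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 0, 0, 0, 0, opt_len, 0x22)
    opt = bytearray(opt_len)
    struct.pack_into("<H", opt, 0, magic)
    n_dirs_off = 108 if plus else 92
    struct.pack_into("<I", opt, n_dirs_off, 16)
    if cert_size:
        header_end = 0x40 + 4 + 20 + opt_len
        struct.pack_into("<II", opt, n_dirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_end, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                    # a real file, e.g. the sample's sample.exe (hypothetical path)
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:                                    # otherwise a constructed, header-only image
        data = build_synthetic_pe(PE32PLUS_MAGIC, 0)
    off, size = certificate_table(data)
    print("unsigned PE" if size == 0
          else f"certificate table at {off:#x}, {size} bytes (still needs signature verification)")
```

To turn a non-empty table into a verdict, hand the file to a verifier such as `signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature`; to cover catalog-signed system binaries, the same cmdlet consults the catalog store, which this header check cannot.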

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-18 11:53

Reported

2025-05-18 11:56

Platform

win11-20250502-en

Max time kernel

149s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02bf857ff75d7e43dfaa752c8bcb419521179a05288e9f483d63010d76d2c65e.exe"

Signatures

Renames multiple (5364) files with added filename extension

ransomware

Drops file in Program Files directory

All rows: Description = File created; Process = C:\Users\Admin\AppData\Local\Temp\02bf857ff75d7e43dfaa752c8bcb419521179a05288e9f483d63010d76d2c65e.exe; Target = N/A. Indicators (created files), in the order reported:

C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiBold.ttf.tmp
C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ProviderShared.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationUI.resources.dll.tmp
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\kn.pak.tmp
C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.tmp
C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]
C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jopt-simple.md.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\MSIPC\MSIPCEvents.man.tmp
C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.dub.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Primitives.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationClient.resources.dll.tmp
C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp
C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\US_export_policy.jar.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sqlpdw.xsl.tmp
C:\Program Files\Microsoft Office\root\rsod\proof.fr-fr.msi.16.fr-fr.boot.tree.dat.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\PresentationCore.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\tr\WindowsBase.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt.tmp
C:\Program Files\7-Zip\Lang\lt.txt.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp
C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp
C:\Program Files\Java\jre-1.8\bin\servertool.exe.tmp
C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui.tmp
C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.POWERPNT.16.1033.hxn.tmp
C:\Program Files\7-Zip\7zFM.exe.tmp
C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\ml.pak.tmp
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DBGHELP.DLL.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationProvider.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-locale-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml.tmp
C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui.tmp
C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN075.XML.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.Win32.Primitives.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL104.XML.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.AccessControl.dll.tmp
C:\Program Files\Java\jre-1.8\lib\security\java.policy.tmp
C:\Program Files\7-Zip\Lang\kk.txt.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.ResourceManager.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Xaml.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\ReachFramework.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationProvider.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\System.Windows.Forms.Design.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp
C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp

System Location Discovery: System Language Discovery

discovery

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: C:\Users\Admin\AppData\Local\Temp\02bf857ff75d7e43dfaa752c8bcb419521179a05288e9f483d63010d76d2c65e.exe; Target: N/A)

This key holds the system's default and install language identifiers. Reading it is a common ransomware pre-check for skipping machines in particular locales; the report records only the key open, not what the sample does with the value, so this run does not show whether any locale is excluded.

Processes

C:\Users\Admin\AppData\Local\Temp\02bf857ff75d7e43dfaa752c8bcb419521179a05288e9f483d63010d76d2c65e.exe

"C:\Users\Admin\AppData\Local\Temp\02bf857ff75d7e43dfaa752c8bcb419521179a05288e9f483d63010d76d2c65e.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-1178639776-3244803473-3821071008-1000\desktop.ini.tmp

MD5 b972794b13da008eec7f125a12b1dc9c
SHA1 0cdd373ffa841ef21554acd4a57d14c5e18d91fb
SHA256 164d36309b8a84435d77265f032a9353e26e2f7c2718a3f7f3a07017ea77c7a2
SHA512 00d62b051e67b1306411273f1bdd12424a7470087a92cb6197292a68398637f55afb2b28b26792467e2cef83b38bb373f7c05a36c30a3ce2a0584865ec966f21

C:\f8efe770fb160c3e4e\2010_x86.log.html.tmp

MD5 fca47c1cc1fe36606b02442bc3f7b985
SHA1 b57f7a72a22173418162f7a7b11ec0b342d006a7
SHA256 1ef97470f73d4ae6ddbdd951848abcc04a67a4e0b897884dc11ea40e906fbcbd
SHA512 1f6c70976bb5d0b93685094d423971eb903a41ef75ddd61a195fd856b5018e6a3320f3d9808084eda1cd01a6a4f2b52b019f9aa46bb3b6d786cce0211b13d706

memory/5280-1233-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 11:53

Reported

2025-05-18 11:56

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02bf857ff75d7e43dfaa752c8bcb419521179a05288e9f483d63010d76d2c65e.exe"

Signatures

Renames multiple (5224) files with added filename extension

ransomware

Drops file in Program Files directory

All rows: Description = File created; Process = C:\Users\Admin\AppData\Local\Temp\02bf857ff75d7e43dfaa752c8bcb419521179a05288e9f483d63010d76d2c65e.exe; Target = N/A. Indicators (created files), in the order reported:

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Reflection.Emit.ILGeneration.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\net.dll.tmp
C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip.tmp
C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_EN.LEX.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Mail.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msquic.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Net.WebClient.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Controls.Ribbon.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa.tmp
C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Design.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\WindowsBase.resources.dll.tmp
C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp
C:\Program Files\Microsoft Office\root\Office16\cpprestsdk.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\catalog.json.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.ComponentModel.EventBasedAsync.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\WindowsBase.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\Microsoft.VisualBasic.Forms.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\j2pkcs11.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaSansDemiBold.ttf.tmp
C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ul-oob.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.resources.dll.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\ReachFramework.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.VisualBasic.Forms.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hant\System.Windows.Forms.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140_1.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\PEOPLEDATAHANDLER.DLL.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL082.XML.tmp
C:\Program Files\Microsoft Office\root\Office16\SAEXT.DLL.tmp
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\da.pak.tmp
C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-util-l1-1-0.dll.tmp
C:\Program Files\Java\jre-1.8\bin\javacpl.exe.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png.tmp
C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\sbicuuc53_64.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\UIAutomationProvider.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework-SystemXmlLinq.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXC.tmp
C:\Program Files\Microsoft Office\root\Office16\MEDIA\CLICK.WAV.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-pl.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.CSharp.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Extensions.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index.tmp
C:\Program Files\LockRegister.pcx.tmp

System Location Discovery: System Language Discovery

discovery

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: C:\Users\Admin\AppData\Local\Temp\02bf857ff75d7e43dfaa752c8bcb419521179a05288e9f483d63010d76d2c65e.exe; Target: N/A)

Processes

C:\Users\Admin\AppData\Local\Temp\02bf857ff75d7e43dfaa752c8bcb419521179a05288e9f483d63010d76d2c65e.exe

"C:\Users\Admin\AppData\Local\Temp\02bf857ff75d7e43dfaa752c8bcb419521179a05288e9f483d63010d76d2c65e.exe"

Network

Country  Destination          Domain            Proto
US       8.8.8.8:53           g.bing.com        udp
US       150.171.28.10:443    g.bing.com        tcp
GB       2.18.27.76:443       www.bing.com      tcp
GB       2.18.27.76:443       www.bing.com      tcp
US       8.8.8.8:53           tse1.mm.bing.net  udp
US       150.171.28.10:443    tse1.mm.bing.net  tcp
US       150.171.28.10:443    tse1.mm.bing.net  tcp
US       150.171.28.10:443    tse1.mm.bing.net  tcp
US       150.171.28.10:443    tse1.mm.bing.net  tcp
US       150.171.28.10:443    tse1.mm.bing.net  tcp
US       8.8.8.8:53           c.pki.goog        udp
GB       142.250.178.3:80     c.pki.goog        tcp

All recorded destinations are Bing hosts and Google's PKI (certificate revocation data) host, the background traffic a Windows desktop with Chrome installed generates on its own. The report attributes none of these connections to the sample's process and lists no other destination, so no command-and-control or key-exchange traffic was observed in this run; behavioral2 on win11 recorded no network activity at all.

Files

C:\$Recycle.Bin\S-1-5-21-3623617754-4043701611-775564599-1000\desktop.ini.tmp

MD5 14ede10ecd222c5a0a82782dcdfcff03
SHA1 3fc3b9a99aa4e6481d8442308e6fa3d7765637a9
SHA256 e0578aa3470683f782d74cdd6f0ad96d30575020cd092b91577a065068364ee3
SHA512 12a75b055f5deb5f784158cece141e9b8d578344274e664e2cd7a5d817344abcc990a6fcfbd3da3bcaf1227c5ea5bce95933d9bc16ff4e269f9a9529230a87ca

C:\b96a7bef2438b67e1aee\2010_x86.log.html.tmp

MD5 75888cf135e1dbe1f2970e03c3b1b5a2
SHA1 99d5cb0381b33dcad70c2dd5c228a4369d4b5c51
SHA256 b658670654b3e5ef74bf36b80ce6c63870b09c8aa09bd8bf252b35987b104e6c
SHA512 764e71859fee1e8ba704f048f8e5ae598536d16f53cef801bdf539139bb66ec7bb8f89b641d8ba3cb63d4bca65786796c2a04c8dc1ffb28256f0d4973191f225

memory/1768-827-0x0000000000400000-0x0000000000407000-memory.dmp