Analysis Overview
SHA256
205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668
Threat Level: Likely malicious
The file 205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668 was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (5247) files with added filename extension
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-19 13:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-19 13:42
Reported
2025-05-19 13:45
Platform
win10v2004-20250502-en
Max time kernel
150s
Max time network
141s
Command Line
Signatures
Renames multiple (5247) files with added filename extension
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\bci.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightItalic.ttf.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\DocumentFormat.OpenXml.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\UIAutomationClient.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\sunmscapi.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Client\C2R32.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSOSPECTRE.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\Microsoft.VisualBasic.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.LEX.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\DirectWriteForwarder.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\GKPowerPoint.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Linq.Parallel.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\Library\EUROTOOL.XLAM.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MEDIA\HAMMER.WAV.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\et\msipc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Templates\1033\EssentialReport.dotx.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Templates\1033\TimelessLetter.dotx.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Xaml.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationProvider.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\PresentationUI.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Riblet.eftx.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.MemoryMappedFiles.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\Custom.propdesc.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\legal\javafx\glib.md.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.BackEnd.XmlSerializers.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\ka.txt.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\mr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Collections.Concurrent.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\it\UIAutomationClientSideProviders.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\en.ttt.tmp | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe
"C:\Users\Admin\AppData\Local\Temp\205b03b6ac2f31a24c60eece87eb8d2c014dad106a4c907a47d4b0927b396668.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 88.221.197.177:443 | www.bing.com | tcp |
| DE | 88.221.197.177:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.16.227:80 | c.pki.goog | tcp |
Files
C:\$Recycle.Bin\S-1-5-21-2930597513-779029253-718817275-1000\desktop.ini.tmp
| Hash | Value |
| --- | --- |
| MD5 | b6faa3800f846767320c17c2a39f4ce9 |
| SHA1 | d68a7db86b7011e4204bf623caca2e9ddaa6e6f4 |
| SHA256 | 9693780982c267ae0ec47ef0b4283db6d1aa0d51316d01f74ff29e6f0022abe5 |
| SHA512 | a66977087816ed50185eb3259bfcf8a57168369e44c774c2db05065d3e95d86f2b317a8b9278f56f8a7628e3a49dd0cea070280686cb854475376c8f02e560d4 |
C:\6479eedf55783993fe56765264\2010_x86.log.html.tmp
| Hash | Value |
| --- | --- |
| MD5 | 687bcda7022f0ef1559b9873ff56d0b0 |
| SHA1 | d385d66b158ce59cd02cb68293b005fbc568b761 |
| SHA256 | f107e7e6757a702911d587ee22aeb8429cb0661f70951da8ab52628d676e4b3a |
| SHA512 | c10b1bf68fffd064afd81f285ad1baabaad6a0762ae9def38a23e28f873cc7863c943af8ae679409b100563e6c7210045c7106d3e85cd68e68f7dd4640af5933 |
memory/5104-799-0x0000000000400000-0x0000000000407000-memory.dmp