Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-l3rktazrt9
Target 1538aaf961a3243433f4f52cb5ed586b357daa0fae8e34fffebb04225d87d51d
SHA256 1538aaf961a3243433f4f52cb5ed586b357daa0fae8e34fffebb04225d87d51d
Tags
cosmu discovery ransomware worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1538aaf961a3243433f4f52cb5ed586b357daa0fae8e34fffebb04225d87d51d

Threat Level: Known bad

The file 1538aaf961a3243433f4f52cb5ed586b357daa0fae8e34fffebb04225d87d51d was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5362) files with added filename extension

Renames multiple (5276) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 10:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 10:03

Reported

2025-05-29 10:06

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1538aaf961a3243433f4f52cb5ed586b357daa0fae8e34fffebb04225d87d51d.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5276) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1538aaf961a3243433f4f52cb5ed586b357daa0fae8e34fffebb04225d87d51d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1538aaf961a3243433f4f52cb5ed586b357daa0fae8e34fffebb04225d87d51d.exe

"C:\Users\Admin\AppData\Local\Temp\1538aaf961a3243433f4f52cb5ed586b357daa0fae8e34fffebb04225d87d51d.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3623617754-4043701611-775564599-1000\desktop.ini.tmp

MD5 ba3ddf321d84d0526f2e018c65d5504b
SHA1 f6bd1d7062211a28c275dedca4aca8f13f3f6b70
SHA256 fe6e9bb563f76aeb52d9cb96e3566f1c05160f7edfd06b938fdc60a6dffbd368
SHA512 2faf4d91cf014a8eabc2a3c44c73ca6eabcdfaa21bdcfc04c72948dd22f218fbf68a5a92027eb56740a3332dd673b07d75a4b1511c8d3496ebb38575b30af336

C:\b96a7bef2438b67e1aee\2010_x86.log.html.tmp

MD5 03d9c59692f8be71d784a775ee4754ed
SHA1 8e7f20c875e1a7f1069c1073efcd8bcd44d243e6
SHA256 08e84350c8ec052eea6cc11c8cef1688e10966c7acab37ef58f19358d4d4adb6
SHA512 cc264589d0707c7bbf2ab817c26e4ce9becb2adaf73611b07f527de48ea763547d338bd24786bb906053cba4ac3721e2c81c1ea4dad45199fb2088cca987ebd2

memory/3676-827-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-29 10:03

Reported

2025-05-29 10:06

Platform

win11-20250502-en

Max time kernel

149s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1538aaf961a3243433f4f52cb5ed586b357daa0fae8e34fffebb04225d87d51d.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5362) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1538aaf961a3243433f4f52cb5ed586b357daa0fae8e34fffebb04225d87d51d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1538aaf961a3243433f4f52cb5ed586b357daa0fae8e34fffebb04225d87d51d.exe

"C:\Users\Admin\AppData\Local\Temp\1538aaf961a3243433f4f52cb5ed586b357daa0fae8e34fffebb04225d87d51d.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-779059454-4269757009-3780780039-1000\desktop.ini.tmp

MD5 2c6feb9aa35d8f92824e7225aea234a1
SHA1 624a10975f875fa55c7ce4b4a3cbe9641cc5e13d
SHA256 d1a0bb2549d98863571a4b4bd280ad424c190d5c1b1bf736856c75cd23b8d0c7
SHA512 f326dba456321e28e32384582addf8d7b3a72a476279fb3d0bd0a48618fe108c2f894ef6968e52df7778a3a16d845126093147ddf64b56f9576fd254b313fdb1

C:\e62b36dd3cccbd0b2c8aefa1fa8db0\2010_x86.log.html.tmp

MD5 22b673a002e8832b8362b843f881856e
SHA1 8d32af9a6459e772b2ea0e05888cf43d0de331e3
SHA256 36b30e4fc43bbe2fdc134d45eb288ade2a5e33248f6ec91222bf4c4eea144f2e
SHA512 fa8c8760887ef3329258984c918c6c5a9d5118256b5f7d45fdf29d7bde2260151638432d97ed32ed0b465b4a5b334b6444d00a94b1704bfb68320751373da178

memory/6048-1233-0x0000000000400000-0x0000000000407000-memory.dmp