Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-n4dfpa1py6
Target 8a6bfb209fd6d7f9544561a2c6e6c7eebf7c5fdd69ccd61016d510337abeb87f
SHA256 8a6bfb209fd6d7f9544561a2c6e6c7eebf7c5fdd69ccd61016d510337abeb87f
Tags: cosmu discovery ransomware worm
Score: 10/10

Analysis Overview

score
10/10

SHA256

8a6bfb209fd6d7f9544561a2c6e6c7eebf7c5fdd69ccd61016d510337abeb87f

Threat Level: Known bad

The file 8a6bfb209fd6d7f9544561a2c6e6c7eebf7c5fdd69ccd61016d510337abeb87f was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Detects Cosmu payload

Cosmu

Cosmu family

Renames multiple (5207) files with added filename extension

Renames multiple (5332) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Analysis: static1

Detonation Overview

Reported

2025-05-29 11:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 11:56

Reported

2025-05-29 11:59

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a6bfb209fd6d7f9544561a2c6e6c7eebf7c5fdd69ccd61016d510337abeb87f.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5207) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8a6bfb209fd6d7f9544561a2c6e6c7eebf7c5fdd69ccd61016d510337abeb87f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8a6bfb209fd6d7f9544561a2c6e6c7eebf7c5fdd69ccd61016d510337abeb87f.exe

"C:\Users\Admin\AppData\Local\Temp\8a6bfb209fd6d7f9544561a2c6e6c7eebf7c5fdd69ccd61016d510337abeb87f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3342576763-1998465526-3870295501-1000\desktop.ini.tmp

MD5 898489f84a8a186209888f6004475002
SHA1 0119ee430ad48d6dc468ebbfabd1d1c8306192aa
SHA256 9d2ef967a594f8ec4fd04fdee0ab444d7ee1da1b39b8cb416f78f8a24eb78303
SHA512 f6556df7a1ebc2d1039acba64f629f19145d48ace4c5d54ffe1d24b68ecdce33865bed017a481ff58b043cbac7f3c2c1c2c201d632c179065812d5f55a57b1a4

C:\fa79de221d524b769d0447\2010_x64.log.html.tmp

MD5 9d31f6f7cbeb2f0716cf0440938ded12
SHA1 7d41764c24f9ce49934712beb0650991d38ba82d
SHA256 282dc2a4c7bb1043ac876d2da660383d7e6be3b28f9f61d7c1e8747bde688c7d
SHA512 8f267b401a48ed1931d376b2ed772cd003c363ee0808f69c449454123c87cdd2e711b56ba2fb11ae1809935dd0cbc7b3c115972537dce502657c73fddd1074d7

memory/1596-799-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-29 11:56

Reported

2025-05-29 11:59

Platform

win11-20250508-en

Max time kernel

150s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a6bfb209fd6d7f9544561a2c6e6c7eebf7c5fdd69ccd61016d510337abeb87f.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5332) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8a6bfb209fd6d7f9544561a2c6e6c7eebf7c5fdd69ccd61016d510337abeb87f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8a6bfb209fd6d7f9544561a2c6e6c7eebf7c5fdd69ccd61016d510337abeb87f.exe

"C:\Users\Admin\AppData\Local\Temp\8a6bfb209fd6d7f9544561a2c6e6c7eebf7c5fdd69ccd61016d510337abeb87f.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-3687046934-3833731302-526866946-1000\desktop.ini.tmp

MD5 285b5ccabc97b6c44482cf1abf8abf4f
SHA1 8810f1c797daed9817e57dfee2e78c1d2649d072
SHA256 740a3d0a3b866416ed25baae07e8efbf2c2235a886cd3c19b69d4b8492ead4a8
SHA512 64a8238bf3f9ff3d2d96a9759a03a2f83fa5ce65203e77592fe0808e9163063a84faeef1212ca914cff9618670e16664739f7265cfbcbb696798f565be7836e6

C:\b9147e4cea9b95b6635d\2010_x86.log.html.tmp

MD5 533e2be25727e149befefcf3ea0eeea8
SHA1 472fcd9e6c77aab9f4f8a04ee5fb8932923a1750
SHA256 94521ba766d37ed98da8eafa61607f615f6871a4bece04db1e302ec91e2f575f
SHA512 d43c8e3d9281ccd8fbf2459245cb9937d1d2c383fd880393e6243771cb896a137e47c84078b22b9434c44a1548bd9919c2a2948ad310b0ef65c6b3bcb2ab5967

memory/2104-1137-0x0000000000400000-0x0000000000407000-memory.dmp