Malware Analysis Report

2025-06-16 06:24

Sample ID 250529-rfaxfasvgs
Target 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761
SHA256 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761
Tags
cosmu discovery ransomware worm
score
10/10

Analysis Overview

score
10/10

SHA256

420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761

Threat Level: Known bad

The file 420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu family

Detects Cosmu payload

Cosmu

Renames multiple (5285) files with added filename extension

Renames multiple (5204) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 14:07

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-29 14:07

Reported

2025-05-29 14:10

Platform

win11-20250502-en

Max time kernel

150s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (5285) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe

"C:\Users\Admin\AppData\Local\Temp\420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-1454956602-4007834095-2135319884-1000\desktop.ini.tmp

MD5 0c205e4a33c9d24a49f463a1ff626f5e
SHA1 8bd3790e4e7ee86fcb87851b63c8ef61e3066440
SHA256 85c9a24a8b42a188535f2b97a0c1efdece4a4e9f2e8b17950c8f544e6625b7c1
SHA512 b30a34efd996b3c448f1ba692f0bf73c76e0324f44fed6f7cd8ee42b96e4aea1089b3dcf3baf46cd51c54e28ef0b4cdea916f156396852cf5bccfa2c0ae46744

C:\d556e8f40e1fe2150ce3c75a1b83\2010_x86.log.html.tmp

MD5 43a1dbc0f422c8053a62e8a3e56cd61b
SHA1 6898acd905759fd12ca8267fc918d253b48eb019
SHA256 a9dbfdd886f5d7ce87bb026a3ea5d0bba495ce12660c2a8213d5c749f075d835
SHA512 91143bc768e90daf8607fa03830fa95677c051e299dd361853e28b95d840faedad73d7fa724d986c3d20cc7e0a9478df929804a7b72949e3e0de03f045de7b48

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 14:07

Reported

2025-05-29 14:10

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (5204) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe

"C:\Users\Admin\AppData\Local\Temp\420dff3765d823584ac2d91c17d3f03103b89fdc1c30993c6a4834bc976ba761.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3920234085-916416549-2700794571-1000\desktop.ini.tmp

MD5 5819c84b510a1a83d41ab3d37e5e8e6d
SHA1 279ef4f82336fac6573110b5d8d21e27f6d36385
SHA256 4d4ec3502638c64dfa9696f0853308dce4ffb56a837f4448ebfcbde5dde2cee3
SHA512 60dcb3e811fbe65a181967c8dec94126ada632a88923bf3e4ab5a9e43d52c223532bfc96d16dacb7bcd95fb521e0dd42c96aa7e73a8d9bd3f4d63172aef66005

C:\6eaadd5e1536cd09900c16de307910\2010_x86.log.html.tmp

MD5 9eb634c618760aa30f4263f11166c69f
SHA1 1540e1b9c8ccdfdeef8d5cf01b78a8ad2d318893
SHA256 0ad8404e2ea58553d66751d96ec3710ba4cc305da570df4640fce246a7d42e5f
SHA512 9a02c250cf03f95d4ab541308768f5c8ae2ae5f600cf87561c2af437ac39ac24ad5b1acb7000e9a042d9aea29ff342362ac7bbeb381cdf5fb2f677ee14dd0d56