Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-j5hpksvjy7
Target a640baf1ea4f1fc120e9ba9c8d714762d42c01bac7d3587f53b66e7e64d22bc7
SHA256 a640baf1ea4f1fc120e9ba9c8d714762d42c01bac7d3587f53b66e7e64d22bc7
Tags cosmu discovery ransomware worm

Score 10/10


Analysis Overview

Score 10/10

SHA256

a640baf1ea4f1fc120e9ba9c8d714762d42c01bac7d3587f53b66e7e64d22bc7

Threat Level: Known bad

The file a640baf1ea4f1fc120e9ba9c8d714762d42c01bac7d3587f53b66e7e64d22bc7 was found to be: Known bad.

Malicious Activity Summary

Tags: cosmu discovery ransomware worm

Detects Cosmu payload (Cosmu family; source of the cosmu and worm tags)

Renames multiple files with added filename extension: 5278 files in behavioral1 (Windows 10) and 5361 in behavioral2 (Windows 11). The created-file indicators in both runs show the appended extension is .tmp. The signature fires on the count of such creations; it does not by itself establish that file contents were encrypted.

Drops file in Program Files directory (both behavioural runs)

Unsigned PE (static1)

System Location Discovery: System Language Discovery (opens HKLM\SYSTEM\ControlSet001\Control\NLS\Language in both behavioural runs)

MITRE ATT&CK

Enterprise Matrix v16: T1614.001 System Location Discovery: System Language Discovery, from the NLS\Language key open recorded in both behavioural runs. The file-rename, Program Files drop and unsigned-PE findings are sandbox signatures and are not mapped to ATT&CK techniques in this report.

Analysis: static1

Detonation Overview

Reported

2025-06-05 08:14

Signatures

Unsigned PE (the sample carries no Authenticode signature; no indicator rows recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 08:14

Reported

2025-06-05 08:17

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a640baf1ea4f1fc120e9ba9c8d714762d42c01bac7d3587f53b66e7e64d22bc7.exe"

Signatures

Cosmu (tags: worm, cosmu)

Cosmu family (tags: cosmu)

Detects Cosmu payload (no indicator rows recorded)

Renames multiple (5278) files with added filename extension (tags: ransomware). The indicator rows below show the appended extension is .tmp.

Drops file in Program Files directory

Description | Indicator | Process | Target

Every row has Description = File created, Process = C:\Users\Admin\AppData\Local\Temp\a640baf1ea4f1fc120e9ba9c8d714762d42c01bac7d3587f53b66e7e64d22bc7.exe and Target = N/A, so only the Indicator (the created file) is listed:

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ja\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp
C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.tmp
C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV.tmp
C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] (file name garbled in the page capture)
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.Local.dll.tmp
C:\Program Files\Google\Chrome\Application\133.0.6943.60\icudtl.dat.tmp
C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms.tmp
C:\Program Files\7-Zip\Lang\nn.txt.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Net.WebSockets.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Cryptography.ProtectedData.dll.tmp
C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] (file name garbled in the page capture)
C:\Program Files\Microsoft Office\root\Templates\1033\ClassicPhotoAlbum.potx.tmp
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\MSADDNDR.OLB.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp
C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-time-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.XPath.XDocument.dll.tmp
C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml.tmp
C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Royale.dll.tmp
C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-string-l1-1-0.dll.tmp
C:\Program Files\Java\jre-1.8\lib\deploy\messages_ja.properties.tmp
C:\Program Files\Microsoft Office\root\Office16\vccorlib140.dll.tmp
C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp
C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.tmp
C:\Program Files\Java\jre-1.8\bin\prism_common.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp
C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.IO.Compression.ZipFile.dll.tmp
C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\MEDIA\CAMERA.WAV.tmp
C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\msipc.dll.mui.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.FileVersionInfo.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Forms.Design.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\cs\System.Windows.Forms.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hant\PresentationFramework.resources.dll.tmp
C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ppd.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.ValueTuple.dll.tmp

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a640baf1ea4f1fc120e9ba9c8d714762d42c01bac7d3587f53b66e7e64d22bc7.exe | N/A

This key holds the system's installed and default language as LCID values (the InstallLanguage and Default values); malware commonly reads it to decide whether to run on a given locale. The report records only that the key was opened, not which value was read or whether execution branched on it.

Processes

C:\Users\Admin\AppData\Local\Temp\a640baf1ea4f1fc120e9ba9c8d714762d42c01bac7d3587f53b66e7e64d22bc7.exe

"C:\Users\Admin\AppData\Local\Temp\a640baf1ea4f1fc120e9ba9c8d714762d42c01bac7d3587f53b66e7e64d22bc7.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | c.pki.goog | udp
NL | 142.250.27.94:80 | c.pki.goog | tcp

The two rows are a DNS lookup for c.pki.goog via Google Public DNS and the plain-HTTP connection that followed. c.pki.goog is Google Trust Services' certificate-services host (CRL, OCSP and AIA fetches), which the host's own certificate validation contacts routinely, and the report does not attribute either flow to the sample's process. Do not use these as command-and-control indicators unless process attribution ties them to the sample.

Files

Two of the created .tmp files were captured with hashes. Both lie outside Program Files (the analysis user's Recycle Bin folder and a hex-named directory at the drive root), so the added-extension behaviour is not confined to the Program Files tree listed above.

C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.tmp

MD5 d107825fbf1585c7d9035d8ded0a54da
SHA1 1233fe1585ef946a81167a4cfacf10192ee60cf2
SHA256 2ab7da751af72c9a3cbd875c4c4ad4cfb241e6958d16791bc15ea29b6547bf8b
SHA512 31a0a363c5ac7eefe4532abd963d8cdb92f8b0317f4e67494e42fb93d701909444094eaab1f36f868eff2482445f0d6beb33d28fa553e79256ef0f9d26e24e20

C:\f518c2ae32873fab6fcffcc19027\2010_x64.log.html.tmp

MD5 b6697105c2f8430174afd25dcdd78065
SHA1 2543a008d6e8f9c7e11ce9bcb88507c296c92b2d
SHA256 8cee86eb34cdba12075384afe91be9caa47270096e43e692977ed605d18b7d5d
SHA512 11de5b781b25efe9734f90aed8201100280abcd49028474496f74e0d68886fe2173ef0e3112d6d6f9beed2c8c3b89ce18bdb79d3dd85522114aeaad768039737

memory/1724-811-0x0000000000400000-0x0000000000407000-memory.dmp (dump of a 0x7000-byte, i.e. 28 KiB, region at 0x400000, the conventional default image base of a 32-bit executable)

Analysis: behavioral2

Detonation Overview

Submitted

2025-06-05 08:14

Reported

2025-06-05 08:17

Platform

win11-20250502-en

Max time kernel

149s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a640baf1ea4f1fc120e9ba9c8d714762d42c01bac7d3587f53b66e7e64d22bc7.exe"

Signatures

Cosmu (tags: worm, cosmu)

Cosmu family (tags: cosmu)

Detects Cosmu payload (no indicator rows recorded)

Renames multiple (5361) files with added filename extension (tags: ransomware); 83 more than in behavioral1. The indicator rows below again show the appended extension is .tmp.

Drops file in Program Files directory

Description | Indicator | Process | Target

Every row has Description = File created, Process = C:\Users\Admin\AppData\Local\Temp\a640baf1ea4f1fc120e9ba9c8d714762d42c01bac7d3587f53b66e7e64d22bc7.exe and Target = N/A, so only the Indicator (the created file) is listed:

C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt\msipc.dll.mui.tmp
C:\Program Files\Microsoft Office\root\Templates\1033\Word 2010 look.dotx.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\System.Windows.Forms.Design.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\legal\jdk\jcup.md.tmp
C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-debug-l1-1-0.dll.tmp
C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar.tmp
C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png.tmp
C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.tree.dat.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-1.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Tasks.Parallel.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationUI.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Input.Manipulations.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\System.Xaml.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-pl.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Permissions.dll.tmp
C:\Program Files\Java\jre-1.8\bin\dcpr.dll.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.tmp
C:\Program Files\7-Zip\Lang\az.txt.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.ServicePoint.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-utility-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt.tmp
C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp
C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat.tmp
C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.tmp
C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\WindowsFormsIntegration.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-math-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\MSOSTYLE.DLL.tmp
C:\Program Files\Microsoft Office\root\Office16\WORDICON.EXE.tmp
C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.tree.dat.tmp
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-multibyte-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.ComponentModel.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationProvider.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\fr\PresentationCore.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\t2k.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\GR8GALRY.GRA.tmp
C:\Program Files\Microsoft Office\root\Office16\mscss7cm_en.dub.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.White.png.tmp
C:\Program Files\Microsoft Office\root\Templates\1033\ContemporaryPhotoAlbum.potx.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClientSideProviders.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\UIAutomationClient.dll.tmp
C:\Program Files\Java\jdk-1.8\legal\jdk\colorimaging.md.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL096.XML.tmp
C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial5-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.GRAPH.16.1033.hxn.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_it.properties.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\cs\ReachFramework.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms.tmp

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a640baf1ea4f1fc120e9ba9c8d714762d42c01bac7d3587f53b66e7e64d22bc7.exe | N/A
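
The three behavioural signatures fired in behavioral1 and behavioral2 are the same: mass creation of <name>.<ext>.tmp files by one process, drops under Program Files, and the NLS\Language key open. The scorer below is an added example, not the sandbox's own signature code; it reproduces that logic over sandbox-style event rows so the counts in this report can be checked against any other process log (EDR telemetry, Sysmon, a second sandbox). The Event row shape, the threshold of 10, and the two msiexec rows are assumptions made for the example; the remaining rows are copied from this report.

```python
# Added example (not the sandbox's own code): re-implements the three behavioural
# signatures this report fires on, as a scorer over sandbox-style event rows.
# The Event row shape and the threshold are assumptions made for the example.
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Iterable

# Minimum "<file>.<ext>.<added>" creations by one process before the rename
# signature fires. The report saw 5278 and 5361; the value here is an assumption.
RENAME_THRESHOLD = 10

PROGRAM_FILES_RE = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)
# The sandbox prints registry keys as \REGISTRY\MACHINE\...; match on the NLS tail.
LANGUAGE_KEY_RE = re.compile(r"\\NLS\\Language$", re.IGNORECASE)
# foo.dll.tmp -> orig "foo.dll", added "tmp". A plain "foo.tmp" does not match,
# which keeps ordinary temp-file writers below the threshold.
DOUBLE_EXT_RE = re.compile(r"^(?P<orig>.+\.[^.\\]+)\.(?P<added>[^.\\]+)$")


@dataclass
class Event:
    op: str       # "File created", "Key opened", ...
    target: str   # file path or registry key
    process: str  # acting process image path


@dataclass
class Verdict:
    hits: dict[str, object] = field(default_factory=dict)
    tags: set[str] = field(default_factory=set)


def score(events: Iterable[Event], rename_threshold: int = RENAME_THRESHOLD) -> Verdict:
    """Return the signatures and tags a run of events would trigger."""
    added_ext_by_proc: dict[str, Counter] = defaultdict(Counter)
    program_files_drops: Counter = Counter()
    language_readers: set[str] = set()

    for ev in events:
        if ev.op == "File created":
            if m := DOUBLE_EXT_RE.match(ev.target):
                added_ext_by_proc[ev.process][m.group("added").lower()] += 1
            if PROGRAM_FILES_RE.match(ev.target):
                program_files_drops[ev.process] += 1
        elif ev.op == "Key opened" and LANGUAGE_KEY_RE.search(ev.target):
            language_readers.add(ev.process)

    v = Verdict()
    for proc, exts in added_ext_by_proc.items():
        ext, n = exts.most_common(1)[0]       # the single most-added extension
        if n >= rename_threshold:
            v.hits.setdefault("renames_with_added_extension", []).append(
                {"process": proc, "extension": ext, "count": n})
            v.tags.add("ransomware")
    for proc, n in program_files_drops.items():
        v.hits.setdefault("drops_in_program_files", []).append({"process": proc, "count": n})
    if language_readers:
        v.hits["system_language_discovery"] = {"processes": sorted(language_readers)}
        v.tags.add("discovery")
    return v


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\a640baf1ea4f1fc120e9ba9c8d714762d42c01bac7d3587f53b66e7e64d22bc7.exe")

# Constructed event log: twelve created-file rows and the registry row copied from
# this report, plus two benign rows (constructed) from an installer to show the
# threshold at work.
EVENTS = [Event("File created", p, SAMPLE) for p in (
    r"C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe.tmp",
    r"C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp",
    r"C:\Program Files\Microsoft Office\root\Office16\msoasb.exe.tmp",
    r"C:\Program Files\7-Zip\Lang\nn.txt.tmp",
    r"C:\Program Files\Google\Chrome\Application\133.0.6943.60\icudtl.dat.tmp",
    r"C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp",
    r"C:\Program Files\Microsoft Office\root\Office16\MEDIA\EXPLODE.WAV.tmp",
    r"C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.ValueTuple.dll.tmp",
    r"C:\Program Files\Microsoft Office\root\Templates\1033\ClassicPhotoAlbum.potx.tmp",
    r"C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.tmp",
    r"C:\f518c2ae32873fab6fcffcc19027\2010_x64.log.html.tmp",
)] + [
    Event("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", SAMPLE),
    Event("File created", r"C:\Users\Admin\AppData\Local\Temp\setup.log.tmp",
          r"C:\Windows\System32\msiexec.exe"),
    Event("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
          r"C:\Windows\System32\msiexec.exe"),
]

if __name__ == "__main__":
    verdict = score(EVENTS)
    for name, detail in verdict.hits.items():
        print(f"{name}: {detail}")
    print("tags:", sorted(verdict.tags))
```

The per-process count is the signal, not any single file: double extensions such as .tar.gz occur legitimately, and an installer writing one setup.log.tmp must stay below the threshold, which is why the benign msiexec rows yield no hit while the sample's rows do. The report's own counts (5278 and 5361) are orders of magnitude above any such noise, so the threshold can be set generously in production without losing this sample.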

Processes

C:\Users\Admin\AppData\Local\Temp\a640baf1ea4f1fc120e9ba9c8d714762d42c01bac7d3587f53b66e7e64d22bc7.exe

"C:\Users\Admin\AppData\Local\Temp\a640baf1ea4f1fc120e9ba9c8d714762d42c01bac7d3587f53b66e7e64d22bc7.exe"

Network

(no connections recorded in this run)

Files

C:\$Recycle.Bin\S-1-5-21-330179853-1108322181-418488014-1000\desktop.ini.tmp

MD5 b8317a827b672629d02da340aec2bcf0
SHA1 631830e682815df8c311ab70ef8783fe81e99f7b
SHA256 ac3662a35fe2ce0e38ce8b1c0133426c82d09ea464fcd16de4acc8f0ecc2d0fb
SHA512 c3eaef26a0601bb2777e697b929fa6f9ad43f464911137f482146b08acde868cc0101cb9a4981e4d36ecccc3f3b2b072a0fba71708785a8cc6742cde72929324

C:\b5678467481f56688dc2ce816954\2010_x86.log.html.tmp

MD5 2896ca3de0909e34d804c60094d23922
SHA1 af26d84d2ac3f3cc7b2dece7d13628893edc5ce7
SHA256 de1949ff342b86fca1b1cde35436b938f177e16790b16cae2fcae8c1cd349f7f
SHA512 9052e33c95dfb24879af7e60ab5be31e017f82ccc70cbab861a9cc64334692066affafefb5e92007cb6fe0c8322f01fbb03a1bb74015375aaa9c220ece47f087

memory/2364-1225-0x0000000000400000-0x0000000000407000-memory.dmp (dump of the same 0x7000-byte region at 0x400000 as in behavioral1)