Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-j5ja4svjy9
Target 87eb57e0a3fef69f3736666ffe2decf43804b6f69e460492a3abdca665677182
SHA256 87eb57e0a3fef69f3736666ffe2decf43804b6f69e460492a3abdca665677182
Tags
cosmu discovery ransomware worm
score
10/10

Analysis Overview

score
10/10

SHA256

87eb57e0a3fef69f3736666ffe2decf43804b6f69e460492a3abdca665677182

Threat Level: Known bad

The file 87eb57e0a3fef69f3736666ffe2decf43804b6f69e460492a3abdca665677182 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5359) files with added filename extension

Renames multiple (5202) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-06-05 08:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 08:15

Reported

2025-06-05 08:17

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87eb57e0a3fef69f3736666ffe2decf43804b6f69e460492a3abdca665677182.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5202) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\87eb57e0a3fef69f3736666ffe2decf43804b6f69e460492a3abdca665677182.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\87eb57e0a3fef69f3736666ffe2decf43804b6f69e460492a3abdca665677182.exe

"C:\Users\Admin\AppData\Local\Temp\87eb57e0a3fef69f3736666ffe2decf43804b6f69e460492a3abdca665677182.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-2930597513-779029253-718817275-1000\desktop.ini.tmp

MD5 56135ee3d744744214eb0fd55955c1bc
SHA1 251fc7a1d97604939b8cee4ffb916547a1bfaa7b
SHA256 a7934236cbf9179fe2d583b9e79fbcd1d96af5d2e9ab3185924e4623d72ef60a
SHA512 f577f1d33f85b89b474f8ae6cb874c09b3cbe259c4cdaff7ea246adfbfe149b38428b5b124302ad376e55cbd803703ace7da43227f14651fd284dfb02874e00d

C:\6479eedf55783993fe56765264\2010_x86.log.html.tmp

MD5 2db6992748cc1b812a5cafa6d36ec611
SHA1 d7a4fbf5e4ca97fed1c7cf904cfc87e440a3e506
SHA256 5a02354cbc7d6faea39461f7c560e0209895238b287e14751c0294f870f550ce
SHA512 589b6a7121f1a99144c677c9013f06e4e08fa98344101b2b3c0584928b974ffc5216ba2deb13adeb55b7817b28868ea6bba4cf22b8bed28f1b5f1dd3dbcbfe91

memory/876-797-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-06-05 08:15

Reported

2025-06-05 08:17

Platform

win11-20250502-en

Max time kernel

150s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87eb57e0a3fef69f3736666ffe2decf43804b6f69e460492a3abdca665677182.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5359) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\87eb57e0a3fef69f3736666ffe2decf43804b6f69e460492a3abdca665677182.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\87eb57e0a3fef69f3736666ffe2decf43804b6f69e460492a3abdca665677182.exe

"C:\Users\Admin\AppData\Local\Temp\87eb57e0a3fef69f3736666ffe2decf43804b6f69e460492a3abdca665677182.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-330179853-1108322181-418488014-1000\desktop.ini.tmp

MD5 8823f741c74d4e7c8d65837c5a5fa010
SHA1 f5cc66373ed63a44aa8b39273d7fdc1afc1d8b39
SHA256 59846c783bc1a570db99aa8100772e43cf493132ed9d994fd0082b014e4c0085
SHA512 38327d1b50aa6e9bda8a72a9985e0fea2456a4283e12ac58a66d4a73767389dc86773633e9c0b60874b04542dd9b6e98cc8d64c0eb493b4df7daf4a3bc71d575

C:\b5678467481f56688dc2ce816954\2010_x86.log.html.tmp

MD5 af1475e0b24b8dfccbf1c6ca8bb9ab7b
SHA1 61a1e44a428cc984ebf7c89f336f7e538c1eb8e9
SHA256 07cad12750fcf4ffd78430900065b8bfa2ced809ea44fdb3db7a102945957cae
SHA512 aec14f3cdde63374adf367549da31f6453dc91c5f4dcdfb44aa205e08c86fdbca1bbc85e6ac7cf8548718ca6c4bf451486d293672ea11d1288bbfb55ba715432

memory/2080-1225-0x0000000000400000-0x0000000000407000-memory.dmp