Malware Analysis Report

2025-06-16 06:24

Sample ID: 250605-j61a1svj13
Target: aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343
SHA256: aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343
Tags: cosmu, discovery, ransomware, worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V16
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343
Threat Level: Known bad

The file aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343 was found to be: Known bad.

Malicious Activity Summary

Tags: cosmu, discovery, ransomware, worm

Detects Cosmu payload
Cosmu
Cosmu family
Renames multiple (5357) files with added filename extension
Renames multiple (5205) files with added filename extension
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-06-05 08:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-06-05 08:17
Reported: 2025-06-05 08:20
Platform: win10v2004-20250502-en
Max time kernel: 149s
Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe"

Signatures

Cosmu (tags: worm, cosmu)

Cosmu family (tags: cosmu)

Detects Cosmu payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Renames multiple (5205) files with added filename extension (tags: ransomware)

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Grace-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.dub.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\Microsoft.VisualBasic.Forms.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\UIAutomationProvider.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.15 (x64).swidtag.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\libeay32.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Templates\1033\SalesReport.xltx.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ja\PresentationCore.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-file-l1-2-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-math-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\PenImc_cor3.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_ko.properties.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\ktab.exe.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\management\jmxremote.access.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\desktop.ini.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ru\UIAutomationClientSideProviders.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\management\snmp.acl.template.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\rsod\proof.en-us.msi.16.en-us.boot.tree.dat.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\WindowsBase.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Threading.AccessControl.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\fontconfig.properties.src.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\server\jvm.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | c.pki.goog | udp
NL | 142.250.27.94:80 | c.pki.goog | tcp

Files

C:\$Recycle.Bin\S-1-5-21-3920234085-916416549-2700794571-1000\desktop.ini.tmp

MD5: 245a538b9257120d852dc27a6bf99b8e
SHA1: 9e0e7eb85abdfeeb2da3a838402ed4d1969076cf
SHA256: b52f78180050e32faf8c112780ebdec28a604753a840f361df4425f7921a9a52
SHA512: 96b6c2c7ac632b24ffc59314920c28de09fbfb9de510be155cb37a99abe1734b01526fa9d6fea18802c3978c3caecae3cb69fc091439cd480d9a19ec538975bc

C:\6eaadd5e1536cd09900c16de307910\2010_x86.log.html.tmp

MD5: b29feb609272401dafd21421b33bce38
SHA1: e2fdf3b09b799258f54e3c3373ca938343757cc6
SHA256: a306c3bcd9e89c2f4e7464dfe456fc8270d3c713d3a6564c3471f3e91ad8adfe
SHA512: b5caaea04f0bde1e8d95e04de68191b361cc74ebe10d83a4063e558c0843f171306dac1924c2002c339856b380c7e4cf9f13b32988918b2e09d276a3c51b5dd3

memory/3132-797-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-06-05 08:17
Reported: 2025-06-05 08:20
Platform: win11-20250502-en
Max time kernel: 150s
Max time network: 103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe"

Signatures

Cosmu (tags: worm, cosmu)

Cosmu family (tags: cosmu)

Detects Cosmu payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Renames multiple (5357) files with added filename extension (tags: ransomware)

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\System\ado\msadox.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\personaspybridge.js.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\adcvbs.inc.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.Win32.Registry.AccessControl.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\jfr.jar.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\security\javaws.policy.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\msipc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\OIMG.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Extensions.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\sw.pak.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.TransformDataByExample.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\legal\jdk\jpeg.md.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\msipc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\msotelemetry.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlDocument.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\resources.pak.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Internet Explorer\hmmapi.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hans\PresentationCore.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\bg.pak.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Security.Claims.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\offsymb.ttf.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\catalog.json.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ValueTuple.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\WindowsBase.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\fr\UIAutomationProvider.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\msproof7.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Net.WebProxy.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Windows.Input.Manipulations.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_KMS_Client_AE-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Security.Cryptography.Csp.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\PAPYRUS.TTF.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationNative_cor3.dll.tmp | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aa672896703c6c2e8a3dceb6a2c43b0c62e5ea83c369824e45c927c658b4c343.exe"

Network

No network connections were recorded for this detonation.

Files

C:\$Recycle.Bin\S-1-5-21-2117256398-1057710415-2142084777-1000\desktop.ini.tmp

MD5: a2a80b71f06a640ee18b706594a0f994
SHA1: 6169b54cc28fc032c8f2cff531e3d1acb21550aa
SHA256: a046022659872a2c19bcbca346d720ee18d8ef7167f86fa2b1c0bd6fa8a0ae9e
SHA512: 67502325f61bb71129f1186efdb6068c77ae84515713d566736bac27c599e75800b8120d3c9ab975afe922f509951af642a412d25773ee4219a4df1ee425e5ba

C:\c8b37a19c794785c97\2010_x86.log.html.tmp

MD5: ae010603a644b5537a0c73a400fbd8ca
SHA1: 8381af5c457a00120ab983b58efb2fb9cb875b14
SHA256: f960cf0e736c85ef09a7a21e7871610f5bb5593a07783f1030000cca2e9ad510
SHA512: 77f81fd7f9131c09c82348fe784640738e3c1d090eef9d17138880cd0e588609c5e97f752f569ecff4fed49b7836b8bb2c9a6aed8c657777882450ae8d07629f

memory/1068-1229-0x0000000000400000-0x0000000000407000-memory.dmp