Malware Analysis Report

2025-08-05 14:40

Sample ID 250703-f45aeavlt6
Target d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0
SHA256 d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0
Tags
cosmu discovery ransomware worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0

Threat Level: Known bad

The file d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5289) files with added filename extension

Renames multiple (5365) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2025-07-03 05:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-07-03 05:26
Reported 2025-07-03 05:29
Platform win10v2004-20250610-en
Max time kernel 150s
Max time network 140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5289) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Runtime.CompilerServices.VisualC.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Pkcs.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy.jar.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Client.Core.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Crashpad\settings.dat.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Algorithms.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Xml.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Windows.Forms.Primitives.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jdk-1.8\jmc.txt.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Threading.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\AssetLibrary.ico.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_Subscription-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.AdomdDataExtension.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\mscss7wre_fr.dub.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.EventBasedAsync.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jfr.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\7-Zip\Lang\uz.txt.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Encoding.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL087.XML.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\REFEDIT.DLL.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.CSharp.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\javafx_iio.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe

"C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-155457276-1657131288-1088518942-1000\desktop.ini.tmp

MD5 ac69af776d05308edac6aee0181109a1
SHA1 aff2c3f37ce8ac3d68b71131c0375b2557136ab7
SHA256 8b17fd22683ed738bdd8afd9596edee97a0834fa492587bbc247cad1a3c3afcb
SHA512 273aab6eb3ba841073f6632146f53dc88f5d83260359a8cbaa6c3811ba0a4f71be3601ad6d9ec86c933af60067aee371b2a2383dec6f239d06fcae99d59e626f

C:\986617b463e82ad7a3\2010_x86.log.html.tmp

MD5 a429c0be7ab33a3562878ea3ec3abd16
SHA1 d7f782a3439319d2b433ebe6b6631307af16f93b
SHA256 aabe390af57d6d924093804dd341e61d2c4301efb4d2b5048f533dcfcbffcb6c
SHA512 8bd3a4012cb1f911ecef3458453a60e5062640a88375ae6932c2602e23603924983199914c2ae22d375aac5e62964a65484286232f788a8edf54da403c1f3d87

memory/5292-797-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2025-07-03 05:26
Reported 2025-07-03 05:29
Platform win11-20250619-en
Max time kernel 150s
Max time network 102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5365) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pl\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jdk-1.8\jmc.txt.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-file-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\it\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jstack.exe.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\it\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\psfontj2d.properties.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSSOAPR3.DLL.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Parallel.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\jcup.md.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNBI.TTF.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Watcher.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Xaml.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostTitle.XSL.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Common Files\System\ado\adovbs.inc.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Pipes.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\ms.pak.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_ko.properties.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\rtscom.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\Microsoft.NETCore.App.deps.json.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\tr\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jhat.exe.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\msix.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe

"C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-625765727-1271952295-745797415-1000\desktop.ini.tmp

MD5 01c333214b5802f9008927499c7e6836
SHA1 dcb4f93c13c8fc92f91cde393d4e2c158eefb417
SHA256 593cf325efd7e3ca87689483827004fee83ee0583d7f05887d4499dc0017bccd
SHA512 90e014fd4b340965e254348e868db37d42a286fb57f853b24c36467dbecd8c51b83fceb5a8b7e2354040db8047fcf01722c6d338a8a301a29232863d3b642e5e

C:\ecd7b64386840f62c0ab2e4490\2010_x86.log.html.tmp

MD5 dae54d509b548e5e7d31c2f361c0dc2a
SHA1 e7e2b910e572c61b2032c5865c256ba2b10e11be
SHA256 e6faeff46b1dec0a7e9d3a414df9c637b241e472836931dab979cb1670a4cc40
SHA512 38c8c32d81b16202e3a138d5554c99c11beaf7c22ce7108a789a1645b749eada69aa2a31fdb8f988380cc73efaa0d831b239bcac9095776d40b59e7683e669a5

memory/1696-1221-0x0000000000400000-0x0000000000407000-memory.dmp