Malware Analysis Report

2025-08-05 14:40

Sample ID 250703-f47qjavlv3
Target 978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05
SHA256 978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05
Tags cosmu discovery ransomware worm
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05

Threat Level: Known bad

The file 978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu family

Cosmu

Detects Cosmu payload

Renames multiple (3136) files with added filename extension

Renames multiple (2891) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-03 05:26

Reported

2025-07-03 05:29

Platform

win11-20250502-en

Max time kernel

150s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (3136) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\lib\packager.jar.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\currency.data.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClient.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\uk.pak.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\splashscreen.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\javaws.exe.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ko\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\libGLESv2.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jsoundds.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\7-Zip\History.txt.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Diagnostics.TextWriterTraceListener.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.IO.Compression.ZipFile.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hant\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.Forms.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe

"C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe"

Network

Country Destination Domain Proto
IE 20.190.159.71:443 tcp

Files

C:\$Recycle.Bin\S-1-5-21-3518521428-3897247806-4080064211-1000\desktop.ini.tmp

MD5 197e332a5aaf74c3a523bea7c8c7807c
SHA1 8fa765bfcf0cda6b52c27e073c454c03fae9b097
SHA256 c22293c8d27391d6688b6d7b759a2efedd637772da262bbac571b9416ed852fd
SHA512 66b1cca2dce9593d97c3eae3ac630c5a4fb81b68649284bcdbc40c60e4041f3f28f007c080c82d1c51a5aaa83b0c3e9b7fb9dc2bc4d940f67b8df663fa12d2b2

C:\ef24ccacc0fb7a1128713900cef14716\2010_x64.log.html.tmp

MD5 14cb81c6b8b0d42b5f24836d7e06ecce
SHA1 fe39087bf49cdb670a12fe4eff3ba86783d6c0fa
SHA256 7c2d2556feeea163003032538253a97c4937b142a91653a8be22dbd52e12eada
SHA512 fc729921f02e6b4d31498ff85b32e4b05cf647efb68c58dfba0c3cd6bd26c5e1e005ced314acd41cbea4b99dd7f4f85f70b9a99523f52522fb7d4b553e9b8ed5

memory/4428-497-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:26

Reported

2025-07-03 05:29

Platform

win10v2004-20250610-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (2891) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\lib\jconsole.jar.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\7-Zip\Lang\af.txt.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\7-Zip\Lang\fy.txt.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\7-Zip\Lang\nn.txt.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\7-Zip\Lang\pl.txt.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Claims.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.IO.FileSystem.Watcher.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\WindowsFormsIntegration.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected] C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\VisualElements\LogoDev.png.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\7-Zip\Lang\tg.txt.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.IO.Compression.FileSystem.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ja\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ko\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\fa.pak.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\mscordbi.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NameResolution.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Reader.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\Microsoft.CSharp.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\gu.pak.tmp C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe

"C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3001560346-2020497773-4190896137-1000\desktop.ini.tmp

MD5 faec85ad4e265a5eb7bfcdd967674694
SHA1 b7fb5a9cd286e46d42da3ddacd06d8002ca9a33b
SHA256 1c925d9d6ffa64349734776585502142c2be1b4df001da47890acb728e0dc316
SHA512 21f81fd9e520b53cd5a79b2122647cff7ddf69a6f184960c1faa880d3d004a12608df89489a20e32138b04d3da4ad4701663fcab059625bf2ad629c2d8cfe441

C:\e17c3a4b92f97a6f793d\2010_x86.log.html.tmp

MD5 0e99dba69b5128d1e3ae58b5b6f06e6c
SHA1 64932dbab0fe6475824544ca4a240b3f92104072
SHA256 ad2513c8a27e51407135d3f5d283d369760f477ad4977a6f81ba91d2b446fd5b
SHA512 4120184cbedf589c1f03a5efc2122a6b22f6c74602ac79f5937202aa5053bc48ef06c6fa3c513e798b245535befdf558dab2d28b75ad3a6ef554c054f6b62b29

memory/5912-461-0x0000000000400000-0x0000000000407000-memory.dmp