Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-l1995szybz
Target 1705207dec682ebd7df90665c61d3283a7c3ec84ae3fe21cdda0c940601855a3
SHA256 1705207dec682ebd7df90665c61d3283a7c3ec84ae3fe21cdda0c940601855a3
Tags
cosmu discovery ransomware worm
score
10/10

Analysis Overview

score
10/10

SHA256

1705207dec682ebd7df90665c61d3283a7c3ec84ae3fe21cdda0c940601855a3

Threat Level: Known bad

The file 1705207dec682ebd7df90665c61d3283a7c3ec84ae3fe21cdda0c940601855a3 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu family

Cosmu

Detects Cosmu payload

Renames multiple (5198) files with added filename extension

Renames multiple (4871) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 10:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 10:01

Reported

2025-05-29 10:03

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1705207dec682ebd7df90665c61d3283a7c3ec84ae3fe21cdda0c940601855a3.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (4871) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1705207dec682ebd7df90665c61d3283a7c3ec84ae3fe21cdda0c940601855a3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1705207dec682ebd7df90665c61d3283a7c3ec84ae3fe21cdda0c940601855a3.exe

"C:\Users\Admin\AppData\Local\Temp\1705207dec682ebd7df90665c61d3283a7c3ec84ae3fe21cdda0c940601855a3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-2930597513-779029253-718817275-1000\desktop.ini.tmp

MD5 edbe4d583f2a516e7f4c883a11ff9f18
SHA1 1b807679a2d9caf661f3ae772b3b999da8e549b9
SHA256 c9f68b728bdd6dfe300d98110f51f6f3c93b0d4cc0972c572f9f483988fc4bdc
SHA512 0c55366fbfa0fe50a0c65c2f3ce7f42ec5f85c0ddada8e2d189d45d61a7b9a2ea9be85200ff7de2cf51f79570f26f81732fd3a351afb3696684be9044cc53cab

C:\6479eedf55783993fe56765264\2010_x86.log.html.tmp

MD5 e65d35fb4c1f01e8b865b4ed79582c1e
SHA1 4e6446f8fd404bfac6c4800bce34cdda7a3d814d
SHA256 fe009a3b2f61127346f0e780c80c42e716a02987019e00ed06d013fa945c466b
SHA512 9d97d9b24eab88afdaa02fe9d4da85ad950ebeb29d82f96edf11cc796b67ef52ed028ee8582e60bd5f3b031e25a84236c9113ea06140a891d35c55aacd6db1b6

memory/4512-791-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-29 10:01

Reported

2025-05-29 10:03

Platform

win11-20250502-en

Max time kernel

150s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1705207dec682ebd7df90665c61d3283a7c3ec84ae3fe21cdda0c940601855a3.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5198) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1705207dec682ebd7df90665c61d3283a7c3ec84ae3fe21cdda0c940601855a3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1705207dec682ebd7df90665c61d3283a7c3ec84ae3fe21cdda0c940601855a3.exe

"C:\Users\Admin\AppData\Local\Temp\1705207dec682ebd7df90665c61d3283a7c3ec84ae3fe21cdda0c940601855a3.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-779059454-4269757009-3780780039-1000\desktop.ini.tmp

MD5 66584af05b60699e3403c844398c8a7b
SHA1 e61542abe47c50bd59f9ff431d56e9183cfee83f
SHA256 ebb600442cd19514116c100e117574ba4a4599e99d49c3e4bb278d3b7ec75a44
SHA512 d1a10402a5502b5e004d6a9acc0e04b65b06746f2c82b173d1223f1fc3b267eabf4285b6e4916e0e347815e8f6cc99bab1620661648ac713839c333c2a964963

C:\e62b36dd3cccbd0b2c8aefa1fa8db0\2010_x86.log.html.tmp

MD5 b879adac87900feb0a4da7e92110b2d8
SHA1 6d32cef9e30e4818cc9daa418a76dd2ffbd9ed84
SHA256 7cabe3ad3bc0006e971237355ec23269cea623c6018b5949d7e05cd620fe70fe
SHA512 b8ecd0aae3496a09f9982fdac7fec5c5b77ca7150c767bc1d4d84946b15966fc325358cb6a982f46b0787a09f8b368439a537c12388899089bde7d4ac3cb5b19

memory/2572-1115-0x0000000000400000-0x0000000000407000-memory.dmp