Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-l2mv8szyct
Target 3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52
SHA256 3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52
Tags
cosmu discovery ransomware worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52

Threat Level: Known bad

The file 3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Detects Cosmu payload

Cosmu

Cosmu family

Renames multiple (5241) files with added filename extension

Renames multiple (5361) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 10:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 10:01

Reported

2025-05-29 10:04

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5241) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52.exe

"C:\Users\Admin\AppData\Local\Temp\3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3674642747-2260306818-3009887879-1000\desktop.ini.tmp

MD5 8e0171ec4ca30e665d3b127e483682b4
SHA1 7fe724c155e5f662d235c90375b6c20e80844532
SHA256 0cb0595fec135641ef33682fb7f37afcfb812c80f0f38401530fad824367458f
SHA512 8983889f2ae6e57213ccf832ed4fa6027868be3ff6409cf2497cb1f45ace8973e174b20f11e48a9d15825a0406368671c4cdf8e65a2a896410219ffa92f2b06f

C:\967f022c4c136664abfad56c1fb73a\2010_x86.log.html.tmp

MD5 aa4a7d849d315496eb9e13927d8fe4c0
SHA1 13e0b964de7e44cf8cc55641d92d1f3df9e5eef0
SHA256 b2c8199e98cc71a685cb8361457baecd54ff9ac62337380f62bfeec3e55f6d47
SHA512 d386c3cc03326d09ab34bf942a94ee46560cd8d9214450f9945bc5bf475c997e10d6e19bdb5af71da2a07ce7c9f986ce0e03d919092d2e13b61f9e0783d592ee

memory/1948-795-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-29 10:01

Reported

2025-05-29 10:04

Platform

win11-20250502-en

Max time kernel

150s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5361) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52.exe

"C:\Users\Admin\AppData\Local\Temp\3500d96919a1e8e68af1c39bd63076ab57e67bd051a1b0aad0a259d17d7f2d52.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-330179853-1108322181-418488014-1000\desktop.ini.tmp

MD5 be3b3cf126d8af7c509e75d751dd47cd
SHA1 eacb9b8210fce639fef9500c9f21d7a1c5343aa6
SHA256 f1475ca535a2d73ea719a14524036a5e4f1beefb7a547846599ae0c31e83acb8
SHA512 43867cc094badd288eaed9cf245e8d4bf51753273ba64a87c72d0870d04c115f47bbfb03e49ceb778a1c5177b99cfb341372325dd6bef8b6f84749dc4ecb858a

C:\b5678467481f56688dc2ce816954\2010_x86.log.html.tmp

MD5 e585fe76fc991d9e3e8c7efe8814898a
SHA1 0c89a1bf35f909ec435de952ef98e2052359232e
SHA256 52d6b91c7abe0dd87d100d5571483d87d543af68b7f47afe7ad272d435218727
SHA512 1714afc4794d3618e72b6016903bdb40b2d4c582983bfd27b1bcbb60874b1aaf84550787dc7760c2b5145b03f39cf6ef00fe503d6712235be79c208272337cfe

memory/328-1231-0x0000000000400000-0x0000000000407000-memory.dmp