Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-l2qbcszrs9
Target 2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5
SHA256 2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5
Tags
cosmu discovery ransomware worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5

Threat Level: Known bad

The file 2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Detects Cosmu payload

Cosmu family

Cosmu

Renames multiple (5198) files with added filename extension

Renames multiple (5244) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Enterprise Matrix V16 (the matrix itself is not reproduced in this export). The only technique named by the signatures on this page is System Location Discovery: System Language Discovery (T1614.001), triggered by the read of HKLM\SYSTEM\ControlSet001\Control\NLS\Language. The mass-rename behaviour tagged "ransomware" is reported by signature only and is not mapped to a technique ID here.

Analysis: static1

Detonation Overview

Reported

2025-05-29 10:01

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
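The "Unsigned PE" signature above means the sandbox found no embedded Authenticode signature in the sample. The following is an added example (not the sandbox's own check and not code from the sample) that performs that test directly on the PE headers: it locates the certificate table (data directory index 4) and reports whether it is populated. The `build_minimal_pe` helper constructs a header-only PE32+ image so the check can be exercised offline. Two caveats a practitioner should keep in mind: an empty certificate table means no *embedded* signature, not that Windows would treat the file as unsigned (most OS binaries are catalog-signed), and a populated table says nothing about whether the signature verifies or chains to a trusted root; validate with `signtool verify /pa <file>` or PowerShell's `Get-AuthenticodeSignature`.

```python
"""Check whether a PE carries an embedded Authenticode signature.
Added example for the 'Unsigned PE' signature; not the sandbox's own check."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the certificate table in the data directories
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def security_directory(pe: bytes) -> tuple[int, int]:
    """Return (file_offset, size) of the certificate table, or (0, 0) if absent.
    Unlike the other data directories this entry holds a raw file offset, not an RVA."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    size_opt, = struct.unpack_from("<H", pe, coff + 16)     # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = coff + 20
    magic, = struct.unpack_from("<H", pe, opt)
    if magic == PE32_MAGIC:
        dirs = opt + 96        # IMAGE_OPTIONAL_HEADER32.DataDirectory
    elif magic == PE32PLUS_MAGIC:
        dirs = opt + 112       # IMAGE_OPTIONAL_HEADER64.DataDirectory
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs, = struct.unpack_from("<I", pe, dirs - 4)      # NumberOfRvaAndSizes
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_opt:
        return (0, 0)           # header too short to even hold the entry
    off, size = struct.unpack_from("<II", pe, entry)
    if off and off + size > len(pe):
        raise ValueError("certificate table points past end of file (truncated or tampered)")
    return (off, size)


def classify(pe: bytes) -> str:
    """Presence check only; this does not validate the signature or its chain."""
    off, size = security_directory(pe)
    if off == 0 or size == 0:
        return "no embedded Authenticode signature (unsigned, or catalog-signed)"
    return f"embedded signature blob at file offset {off:#x}, {size} bytes (presence only, not validated)"


def build_minimal_pe(signed: bool) -> bytes:
    """Constructed header-only PE32+ image used as test input; it is not loadable."""
    opt_size = 112 + 16 * 8
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                                 # NumberOfRvaAndSizes
    header_len = len(dos) + len(coff) + opt_size
    cert = b""
    if signed:
        # WIN_CERTIFICATE header: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
        cert = struct.pack("<IHH", 8, 0x0200, 0x0002)
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(cert))
    return dos + coff + bytes(opt) + cert


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(False)
    print(classify(data))
```

Run it with a path argument to check a real file; without one it classifies the constructed unsigned header. The bounds check on `off + size` matters in triage: a certificate table that points past the end of the file is a sign of a truncated sample or of someone having appended or stripped data after signing.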

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 10:01

Reported

2025-05-29 10:04

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Renames multiple (5198) files with added filename extension

ransomware

Drops file in Program Files directory

Note: C:\Program Files is writable only with administrative rights, so the sample ran with an elevated token in this detonation; on a host where it runs as a standard user these paths would not be writable. Every indicator below is an existing file name with .tmp appended, which is what the "Renames multiple (5198) files with added filename extension" signature counts. The rows are the sandbox's excerpt, not the full list of 5198 files.

Description | Indicator | Process | Target
File created | C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\msadds.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.TypeConverter.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Primitives.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Windows.Forms.Primitives.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Design.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\fr\System.Windows.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.Linq.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pt-BR\ReachFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\public_suffix.md.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\offsymk.ttf.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-conio-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-80.png.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\attach.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\ReachFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\Microsoft.VisualBasic.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\MEDIA\CLICK.WAV.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Milk Glass.eftx.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l2-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\vi\msipc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.boot.tree.dat.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Common Files\System\msadc\en-US\msdaprsr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\dt_socket.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\cmm\GRAY.pf.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Primitives.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.EventLog.Messages.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\VisualElements\SmallLogo.png.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Trial-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Threading.Tasks.Parallel.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\tr\UIAutomationProvider.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-processthreads-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\legal\jdk\freebxml.md.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
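The two behavioural signatures above (the mass creation of <name>.tmp files, which the sandbox counts as renames with an added extension, and the read of \Control\NLS\Language) expressed as detection logic over a small constructed event list. This is an added example, not sandbox output and not code from the sample; the same logic applies to the behavioral2 run below, which reports the same two signatures. The (Description, Indicator, Process) tuples mirror the report's table columns, the file paths are copied from this report, the msiexec row is a made-up benign control, and the thresholds min_files and min_share are assumptions to tune against your own telemetry (Sysmon event 11 or EDR file-create events; in production, window the counts by time as well).

```python
"""Detection logic for the two behavioural signatures in this report:
mass file creation with a uniform appended extension, and a read of the NLS\\Language key.
Added example; not sandbox output and not code from the Cosmu sample."""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe")

# Constructed event list shaped like the report's (Description, Indicator, Process) rows.
# Paths are taken from the report; the msiexec row is a made-up benign control.
EVENTS = [
    ("File created", r"C:\Program Files\7-Zip\Lang\mr.txt.tmp", SAMPLE_EXE),
    ("File created", r"C:\Program Files\Common Files\System\msadc\msadds.dll.tmp", SAMPLE_EXE),
    ("File created", r"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe.tmp", SAMPLE_EXE),
    ("File created", r"C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h.tmp", SAMPLE_EXE),
    ("File created", r"C:\Program Files\Microsoft Office\root\Office16\MEDIA\CLICK.WAV.tmp", SAMPLE_EXE),
    ("File created", r"C:\$Recycle.Bin\S-1-5-21-186956858-2143653872-2609589082-1000\desktop.ini.tmp", SAMPLE_EXE),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", SAMPLE_EXE),
    ("File created", r"C:\Users\Admin\AppData\Local\Temp\setup_log.txt", r"C:\Windows\System32\msiexec.exe"),
]


def appended_extension(path):
    """If `path` looks like <name>.<orig_ext>.<added_ext>, return (orig_ext, added_ext), else None.
    A plain 'foo.tmp' has a single suffix and is not counted: ordinary temp files look like that."""
    suffixes = PureWindowsPath(path).suffixes
    if len(suffixes) < 2:
        return None
    return suffixes[-2].lower(), suffixes[-1].lower()


def detect_mass_rename(events, min_files=5, min_share=0.8):
    """Flag processes that create many files carrying one and the same appended extension.
    Thresholds are assumptions; min_share guards against a process that merely writes a few
    'x.dll.tmp' files among many ordinary ones. Returns {process: {count, ext, orig_exts}}."""
    per_proc = defaultdict(list)
    for desc, indicator, proc in events:
        if desc != "File created":
            continue
        pair = appended_extension(indicator)
        if pair:
            per_proc[proc].append(pair)
    hits = {}
    for proc, pairs in per_proc.items():
        added = Counter(a for _, a in pairs)
        ext, n = added.most_common(1)[0]
        if n >= min_files and n / len(pairs) >= min_share:
            hits[proc] = {
                "count": n,
                "ext": ext,
                "orig_exts": Counter(o for o, a in pairs if a == ext),  # what kinds of files were hit
            }
    return hits


LANG_KEY = re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE)


def detect_language_discovery(events):
    """Processes that opened the system language key (ATT&CK T1614.001). Low-confidence on its own."""
    return sorted({proc for desc, ind, proc in events if desc == "Key opened" and LANG_KEY.search(ind)})


def triage(events, **thresholds):
    """Combine both rules into a list of tags per process."""
    renames = detect_mass_rename(events, **thresholds)
    lang = set(detect_language_discovery(events))
    verdict = {}
    for proc in set(renames) | lang:
        tags = []
        if proc in renames:
            tags.append(f"ransomware-like: {renames[proc]['count']} files -> *{renames[proc]['ext']}")
        if proc in lang:
            tags.append("discovery: NLS\\Language read")
        verdict[proc] = tags
    return verdict


if __name__ == "__main__":
    for proc, tags in triage(EVENTS).items():
        print(proc)
        for t in tags:
            print("  -", t)
```

The language-key read is kept as a context tag rather than a verdict on its own: plenty of legitimate software reads the system locale, and the report attaches no further indicator to it. The mass-rename rule is the actionable one; the orig_exts histogram is worth surfacing in an alert because a process that touches .dll, .exe, .ttf and .wav files indiscriminately is not doing anything a legitimate updater would.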

Processes

C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe

"C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
NL | 142.250.27.94:80 | c.pki.goog | tcp

Note: the only hosts contacted are Bing (g.bing.com, tse1.mm.bing.net) and Google's PKI endpoint (c.pki.goog), which are typical background traffic of the Windows and Chrome components in the sandbox image; the report attributes none of these connections to the sample's process and records no command-and-control traffic. Despite the "worm" tag, which comes from the family classification, no SMB, share enumeration or other propagation activity appears in this detonation; all observed writes are to the local disk.

Files

C:\$Recycle.Bin\S-1-5-21-186956858-2143653872-2609589082-1000\desktop.ini.tmp

MD5 1af51b178a8189099b0157883b61d966
SHA1 b3e73a101315566582e695b9821846342c4d28df
SHA256 36306b3205f7029d6de8d673bf25989da6d5fe2a84e9e1dafdadb8aa3cb5f190
SHA512 a5e44575c58969e2161cf91190e36c42e2dd66e63557e49aefe89af5c50aaa6600342821da11d06731a9756fac4434aa251480b51b4dc4249306b6d39301ff5a

C:\d962f70874f5d4bfc1c6\2010_x64.log.html.tmp

MD5 6f31bd01fc83eb42e5c87812e37ed0dd
SHA1 981f161d187cad691c574fe6cc3b598e3b96da79
SHA256 5be2334601a08ecc6806d3a0c342e6f1f132d5373446c277ff65732f5391b1db
SHA512 7f7822ed31e029e21af56b48d1bc3b214787750aa005cb663bf043854049250462eb4bd0fae7a66ba125761c795a85f8bb47e4bb6b89ca40614ff2b5c6535d38

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-29 10:01

Reported

2025-05-29 10:04

Platform

win11-20250502-en

Max time kernel

150s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Renames multiple (5244) files with added filename extension

ransomware

Drops file in Program Files directory

Note: C:\Program Files is writable only with administrative rights, so the sample ran with an elevated token in this detonation as well; on a host where it runs as a standard user these paths would not be writable. Every indicator below is an existing file name with .tmp appended, which is what the "Renames multiple (5244) files with added filename extension" signature counts. The rows are the sandbox's excerpt, not the full list of 5244 files.

Description | Indicator | Process | Target
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\UIAutomationProvider.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClientSideProviders.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\w2k_lsa_auth.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\7-Zip\Lang\lij.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encodings.Web.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\7-Zip\Lang\kk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL020.XML.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\7-Zip\Uninstall.exe.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\verify.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClient.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsBase.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\System.Windows.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\it\PresentationFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\manifest.json.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Grace-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GostName.XSL.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\msotelemetryintl.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ExcelTellMeOnnxModel.bin.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\TEMPSITC.TTF.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\WindowsFormsIntegration.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\javaws.jar.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Xaml.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\System.Windows.Input.Manipulations.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\te.pak.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Pipes.AccessControl.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ja.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\mip_telemetry.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Core.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\ReachFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\it.pak.tmp | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe

"C:\Users\Admin\AppData\Local\Temp\2e1f586697c83304478107b3553d5bc87f86833676fb84c2dcb837358369aaa5.exe"

Network

Country | Destination | Domain | Proto
US | 52.111.227.13:443 | (no domain recorded) | tcp

Note: a single TLS connection with no resolved domain is recorded, and the report does not attribute it to the sample's process. As in the Windows 10 run, no command-and-control or lateral-propagation traffic appears in this detonation.

Files

C:\$Recycle.Bin\S-1-5-21-3518521428-3897247806-4080064211-1000\desktop.ini.tmp

MD5 aa590ddfc20a353efd70f5d53d31c53e
SHA1 5f2d729d2f4560d5aa1ce9a5ef1d745a54b316c2
SHA256 d8cc67c5414b6c077e996277a920c731d885c4cebd9de1ba4ebf997b280bc827
SHA512 dfe003383335b2b3885fff01cf3303051799a0ddc832cad8ab6d85af8f427b84ca1c768e94c0132f5669a865a5c1d14b7611e9b846a1933ba745921d88791720

C:\ef24ccacc0fb7a1128713900cef14716\2010_x64.log.html.tmp

MD5 dc1fc0c14b336e7e636231bbb3020576
SHA1 8a303950ee22b0bf0d824e5bbb5446dd9363543b
SHA256 48730f53c0ed1f7da8108cf166df3d8e60d5a4b327cf3693d6554a119450021f
SHA512 714f773c30d7db294713f12da01dbdb44f94c813facc3eef274914ee066d3e83080f586f733eabb6bcbbeae3b3ee0406c3a294af6e16d22a9f945049a43aedae