Malware Analysis Report

Report date: 2025-06-16 06:28

Sample ID: 250529-l35sfazrv6
Target: 28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f
SHA256: 28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f
Tags: cosmu, discovery, ransomware, worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V16
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f
Threat Level: Known bad

The file 28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f was found to be: Known bad.

Malicious Activity Summary

Tags: cosmu, discovery, ransomware, worm

Detects Cosmu payload (Cosmu / Cosmu family; matched in the static pass and in both behavioral runs)
Renames multiple files with added filename extension: 5194 files in behavioral1 (Windows 10) and 5348 in behavioral2 (Windows 11). Every created path listed in this report keeps the original filename and appends a .tmp suffix, so the on-disk observable is a flood of *.tmp files under Program Files and $Recycle.Bin.
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery (the sample opens HKLM\SYSTEM\ControlSet001\Control\NLS\Language)

Network activity in both runs is limited to Bing hosts and c.pki.goog (see the Network tables), which is consistent with Windows background traffic in the sandbox; the report attributes no connection to the sample and records no command-and-control traffic.

MITRE ATT&CK

Enterprise Matrix V16

T1614.001 System Location Discovery: System Language Discovery. The sample opens \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language in both behavioral runs (see the discovery signature in each).

Analysis: static1

Detonation Overview

Reported: 2025-05-29 10:04

Signatures

Cosmu family
  Tags: cosmu
  Detects Cosmu payload
  Indicators: none recorded

Unsigned PE
  Indicators: none recorded

Analysis: behavioral1

Detonation Overview

Submitted: 2025-05-29 10:04
Reported: 2025-05-29 10:06
Platform: win10v2004-20250502-en
Max time kernel: 149s
Max time network: 144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f.exe"

Signatures

Cosmu
  Tags: worm, cosmu

Cosmu family
  Tags: cosmu
  Detects Cosmu payload
  Indicators: none recorded

Renames multiple (5194) files with added filename extension
  Tags: ransomware
  (The created files in the table below are the originals' names with .tmp appended.)

Drops file in Program Files directory

Description: File created
Process (all rows): C:\Users\Admin\AppData\Local\Temp\28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f.exe
Target: N/A
Indicators (64 of the created files are listed):

C:\Program Files\Microsoft Office\root\Office16\MSOARIACAPI.DLL.tmp
C:\Program Files\Microsoft Office\root\Templates\1033\Office Word 2003 Look.dotx.tmp
C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.ja-jp.txt.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\hostpolicy.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\it\UIAutomationClient.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp
C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Diagnostics.PerformanceCounter.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp
C:\Program Files\Java\jdk-1.8\lib\jconsole.jar.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]
C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\Microsoft.VisualBasic.Forms.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Accessibility.dll.tmp
C:\Program Files\Java\jre-1.8\lib\ext\nashorn.jar.tmp
C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-time-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.stats.json.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Principal.Windows.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV.tmp
C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsBase.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt.tmp
C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUICellLayoutModel.bin.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN096.XML.tmp
C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.tree.dat.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\PresentationFramework-SystemData.dll.tmp
C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Printing.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp
C:\Program Files\7-Zip\Lang\nb.txt.tmp
C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TipTsf.dll.mui.tmp
C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.tmp
C:\Program Files\Java\jre-1.8\lib\jce.jar.tmp
C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat.tmp
C:\Program Files\Microsoft Office\root\rsod\word.x-none.msi.16.x-none.tree.dat.tmp
C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\SharePointPortalSite.ico.tmp
C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BSSYM7.TTF.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationCore.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\System.Windows.Input.Manipulations.resources.dll.tmp
C:\Program Files\Java\jre-1.8\bin\rmid.exe.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\Microsoft.Win32.Primitives.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\D3DCompiler_47_cor3.dll.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable-dark.png.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White.png.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\UIAutomationTypes.dll.tmp

System Location Discovery: System Language Discovery
  Tags: discovery
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: C:\Users\Admin\AppData\Local\Temp\28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f.exe
  Target: N/A
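The two behavioral signatures above, the mass rename with an appended extension and the writes into Program Files, come down to grouping file-create events by the writing process and counting how many created names are an existing filename plus one more extension. The following Python is an added example, not part of the sandbox report or of any vendor's detection code: it parses rows in this report's "File created <target> <process> N/A" format, scores each process, and fires above a threshold. The threshold value, the msiexec.exe writer and its two rows are assumptions constructed for the demo; the six sample targets are copied from the table above.

```python
"""Score the 'renames multiple files with added filename extension' pattern
from sandbox file-create events, grouped by the writing process.

Added example for this report; the threshold and the msiexec.exe rows are
assumptions, not values or observations taken from the sandbox.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# One row of the report's "Drops file in Program Files directory" table:
#   File created <target path> <process path> N/A
# Target paths contain spaces; the process path in this report does not, so a
# lazy target followed by a space-free <drive>:\...exe token parses unambiguously
# (an assumption about the row format, not a documented grammar).
ROW_RE = re.compile(r"^File created (?P<target>.+?) (?P<process>[A-Za-z]:\\\S+\.exe) N/A$")

SAMPLE_PROCESS = (r"C:\Users\Admin\AppData\Local\Temp"
                  r"\28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f.exe")
BENIGN_PROCESS = r"C:\Windows\System32\msiexec.exe"  # constructed benign writer

# Constructed rows: six targets copied from this report, two invented installer writes.
SAMPLE_ROWS = [f"File created {target} {proc} N/A" for target, proc in [
    (r"C:\Program Files\Microsoft Office\root\Office16\MSOARIACAPI.DLL.tmp", SAMPLE_PROCESS),
    (r"C:\Program Files\7-Zip\Lang\nb.txt.tmp", SAMPLE_PROCESS),
    (r"C:\Program Files\Java\jdk-1.8\bin\javah.exe.tmp", SAMPLE_PROCESS),
    (r"C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp", SAMPLE_PROCESS),
    (r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\hostpolicy.dll.tmp", SAMPLE_PROCESS),
    (r"C:\$Recycle.Bin\S-1-5-21-186956858-2143653872-2609589082-1000\desktop.ini.tmp", SAMPLE_PROCESS),
    (r"C:\Users\Admin\AppData\Local\Temp\MSI3f2a.tmp", BENIGN_PROCESS),     # plain temp file
    (r"C:\Users\Admin\AppData\Local\Temp\report.log.tmp", BENIGN_PROCESS),  # one appended-ext write
]]


def parse_rows(rows):
    """Yield (target, process) from report-style rows, skipping malformed lines."""
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            yield m.group("target"), m.group("process")


def appended_extension(target):
    """Return (original_name, added_ext) when target is <name>.<ext>.<added>, else None.

    A file that simply ends in .tmp (setup.tmp) is not a rename; the name
    underneath must itself carry an extension (javah.exe.tmp -> javah.exe).
    """
    p = PureWindowsPath(target)
    if p.suffix and PureWindowsPath(p.stem).suffix:
        return p.stem, p.suffix.lower()
    return None


def analyse(events, threshold=20):
    """Group file-create events by process and score the mass-rename pattern.

    Returns {process: {"renamed", "extensions", "program_files", "fires"}}.
    threshold is an assumed cut-off; the sandbox's real value is not published here.
    """
    per_proc = defaultdict(lambda: {"renamed": 0, "extensions": Counter(), "program_files": 0})
    for target, process in events:
        stats = per_proc[process]
        hit = appended_extension(target)
        if hit:
            stats["renamed"] += 1
            stats["extensions"][hit[1]] += 1
        parts = PureWindowsPath(target).parts          # ('C:\\', 'Program Files', ...)
        if len(parts) > 1 and parts[1].lower().startswith("program files"):
            stats["program_files"] += 1                # also covers "Program Files (x86)"
    for stats in per_proc.values():
        stats["fires"] = stats["renamed"] >= threshold
    return dict(per_proc)


def dominant_extension(stats):
    """Most common appended extension for one process (".tmp" here), or None."""
    common = stats["extensions"].most_common(1)
    return common[0][0] if common else None


def main():
    # threshold=5 so the eight constructed rows exercise both outcomes; the
    # report itself counted 5194 and 5348 renames per run.
    for proc, stats in analyse(parse_rows(SAMPLE_ROWS), threshold=5).items():
        print(f"{proc}\n  renamed={stats['renamed']} program_files={stats['program_files']}"
              f" dominant={dominant_extension(stats)} fires={stats['fires']}")


if __name__ == "__main__":
    main()
```

With threshold=5 the sample's six appended-extension writes (five of them under Program Files, dominant suffix .tmp) fire the rule, while msiexec.exe with one report.log.tmp and one plain MSI3f2a.tmp does not. Requiring the name under the added suffix to carry its own extension is what separates a rename flood from an installer's ordinary temp files.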

Processes

C:\Users\Admin\AppData\Local\Temp\28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f.exe"
  No child processes recorded.

Network

Country  Destination          Domain            Proto  Connections
US       8.8.8.8:53           g.bing.com        udp    1
US       150.171.28.10:443    g.bing.com        tcp    1
US       8.8.8.8:53           tse1.mm.bing.net  udp    1
US       150.171.27.10:443    tse1.mm.bing.net  tcp    5
US       8.8.8.8:53           c.pki.goog        udp    1
NL       142.250.27.94:80     c.pki.goog        tcp    1

The table records no originating process. DNS and HTTPS to Bing hosts plus an HTTP fetch from c.pki.goog are consistent with Windows background traffic in the sandbox rather than activity of the sample; no command-and-control endpoint is recorded.

Files

C:\$Recycle.Bin\S-1-5-21-186956858-2143653872-2609589082-1000\desktop.ini.tmp

MD5 9ec932f5250045049bb68e0473f13250
SHA1 4398889f84988bc8157a11324e6fee3ed0c37f30
SHA256 e3f8ba4d49d53c56479104c41231f3670089c354ecb6fee6434c1c6b25356424
SHA512 2e8b22b128a3d46b8b683e75b14d0db20486124d428e0bbfd8073b15d4b98bfe04fa7bda9922ad917193d3d550b90ebce30c2a96de81690fb55412304580d1a2

C:\d962f70874f5d4bfc1c6\2010_x64.log.html.tmp

MD5 b86b54057ffff726de20a5f253fa0aa2
SHA1 f7bf5a306d3cebef88a813d3cb23503def6fed0c
SHA256 665bed7e0ed58376932abbfb7b3be205669f9441156c263cc831dd1c3d73ec94
SHA512 7cd07a01a208063521248a463bc813c579bb25bc2126969d0bc4420b9eeaafa20bef7604287a743c944b5ae5fc70f16d6a1ec0426b99d9011a4f241b681aca58

Analysis: behavioral2

Detonation Overview

Submitted: 2025-05-29 10:04
Reported: 2025-05-29 10:06
Platform: win11-20250502-en
Max time kernel: 150s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f.exe"

Signatures

Cosmu
  Tags: worm, cosmu

Cosmu family
  Tags: cosmu
  Detects Cosmu payload
  Indicators: none recorded

Renames multiple (5348) files with added filename extension
  Tags: ransomware
  (The created files in the table below are the originals' names with .tmp appended.)

Drops file in Program Files directory

Description: File created
Process (all rows): C:\Users\Admin\AppData\Local\Temp\28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f.exe
Target: N/A
Indicators (64 of the created files are listed):

C:\Program Files\7-Zip\Lang\nl.txt.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Data.DataSetExtensions.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\WindowsBase.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\PenImc_cor3.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Net.WebSockets.Client.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Retail-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Csi.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Runtime.CompilerServices.Unsafe.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationProvider.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-ul-oob.xrm-ms.tmp
C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp
C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.config.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Security.Cryptography.OpenSsl.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\Java\jre-1.8\bin\java_crw_demo.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.dll.tmp
C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.tmp
C:\Program Files\Java\jre-1.8\bin\mlib_image.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-pl.xrm-ms.tmp
C:\Program Files\7-Zip\Lang\mng.txt.tmp
C:\Program Files\Java\jre-1.8\bin\jsdt.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Office16\MSIPC\cs\msipc.dll.mui.tmp
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]
C:\Program Files\7-Zip\7zCon.sfx.tmp
C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Collections.Concurrent.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Threading.Timer.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ko\UIAutomationProvider.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\UIAutomationClientSideProviders.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\PresentationUI.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationTypes.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\cs\PresentationUI.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp
C:\Program Files\Java\jre-1.8\bin\bci.dll.tmp
C:\Program Files\Java\jre-1.8\bin\server\classes.jsa.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms.tmp
C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui.tmp
C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL.tmp
C:\Program Files\Microsoft Office\root\Office16\msvcp140.dll.tmp

System Location Discovery: System Language Discovery
  Tags: discovery
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: C:\Users\Admin\AppData\Local\Temp\28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f.exe
  Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\28c985e09a5844317c11719cb45e2cdb7e59aace44f368d17b5093699cf70a1f.exe"
  No child processes recorded.

Network

Country  Destination          Domain            Proto  Connections
US       150.171.27.10:443    tse1.mm.bing.net  tcp    5
NL       142.250.27.94:80     c.pki.goog        tcp    1

As in behavioral1, the table records no originating process; the Bing and c.pki.goog connections are consistent with Windows background traffic in the sandbox, and no command-and-control endpoint is recorded.

Files

C:\$Recycle.Bin\S-1-5-21-1178639776-3244803473-3821071008-1000\desktop.ini.tmp

MD5 fc49bf11d74ebb3a749184129178f6c8
SHA1 63568fd6b927dab55c9dca50301a6bc6cc120ed2
SHA256 28f7b6bf7fde756cda35e57fea10ebcd6434d80923c453ffdbd96aa5d6759243
SHA512 af4228ac59a32d21c4496f2b4c4aa6a49639792e97753f12ffb84655990b1d032df1b5478fec8778819b0067ffbf6fed5477cbdf2836bad0f6e74b577fe38c34

C:\f8efe770fb160c3e4e\2010_x86.log.html.tmp

MD5 cb9bbb5159bbe5d1de38ddcfa27b990a
SHA1 0e64dff827cb6b66241036007b543d5ba0e26bc6
SHA256 ff7fcc5cb526996d5fea60ba2fe4fbfd0c7d6e3d6714a1c613f723af72c36902
SHA512 30bd2a369dc4605d5175bd65d62aaeece2776bf2b68d4497bd3df1f8e905d6f0167bedf9b38158d0c58463cb8d3a5118749235558f5750b574c9cfd5f0d447d0