Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-l37l2azydt
Target 186222b5af4cbed7ad1e958567d7fd9fd200a653f83aee40aadc1dc70933fdc2
SHA256 186222b5af4cbed7ad1e958567d7fd9fd200a653f83aee40aadc1dc70933fdc2
Tags
cosmu discovery ransomware worm
score
10/10

Analysis Overview

score
10/10

SHA256

186222b5af4cbed7ad1e958567d7fd9fd200a653f83aee40aadc1dc70933fdc2

Threat Level: Known bad

The file 186222b5af4cbed7ad1e958567d7fd9fd200a653f83aee40aadc1dc70933fdc2 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5357) files with added filename extension

Renames multiple (5270) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 10:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 10:04

Reported

2025-05-29 10:07

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\186222b5af4cbed7ad1e958567d7fd9fd200a653f83aee40aadc1dc70933fdc2.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5270) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\186222b5af4cbed7ad1e958567d7fd9fd200a653f83aee40aadc1dc70933fdc2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\186222b5af4cbed7ad1e958567d7fd9fd200a653f83aee40aadc1dc70933fdc2.exe

"C:\Users\Admin\AppData\Local\Temp\186222b5af4cbed7ad1e958567d7fd9fd200a653f83aee40aadc1dc70933fdc2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3674642747-2260306818-3009887879-1000\desktop.ini.tmp

MD5 63515984ac69cf4482a3451d36e20649
SHA1 39caf0673447fda44d6d9b3bfc996a5aaf055bb8
SHA256 edf676e5192c76338226b922463c2c590abc96b9b3e2d62bd4e4a44c0ed89231
SHA512 aec1385c79870c8f6fc90fbfc1813a592e3698f6ba75e9a9e4f1140abf6fe880dad5d958ae73a1ffa55e7c3f5f799129d41f82a767cdc5415d7cfe94cedccceb

C:\967f022c4c136664abfad56c1fb73a\2010_x86.log.html.tmp

MD5 26c85fc9cc76054da17ea417a71f5b8a
SHA1 24b21e83242f6344fc1336cf9f507476eeb41a48
SHA256 3340304b342e0a5986ad6659bc17ecf98930c6061764c977ab4507656cee27bc
SHA512 7ab31512694696827bd7589245cd1affecb49a6f78438140ae4363a9c9336d937b6c89f7d8dbd62d34a7426c05cd4aaa65ccc158edbe05b0bb03c46a821961fa

memory/4112-821-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-29 10:04

Reported

2025-05-29 10:07

Platform

win11-20250502-en

Max time kernel

149s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\186222b5af4cbed7ad1e958567d7fd9fd200a653f83aee40aadc1dc70933fdc2.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5357) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\186222b5af4cbed7ad1e958567d7fd9fd200a653f83aee40aadc1dc70933fdc2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\186222b5af4cbed7ad1e958567d7fd9fd200a653f83aee40aadc1dc70933fdc2.exe

"C:\Users\Admin\AppData\Local\Temp\186222b5af4cbed7ad1e958567d7fd9fd200a653f83aee40aadc1dc70933fdc2.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-330179853-1108322181-418488014-1000\desktop.ini.tmp

MD5 777c9a326493cd28b8d830a7bad0a45a
SHA1 9fc17c618ec4e899a28097229fde0a7dc6059801
SHA256 4a606036f25d3618cc6fa587e291b050c44ca3a7e39c1787d8a52fcbed94974f
SHA512 7e3cff72294dd0956002849fc65c5689b22603f95bb6244656d10f46c170b1cd8b459d8facec88afee54b76e78661305d21efd1386dc5f205ffd7d514cd860a7

C:\b5678467481f56688dc2ce816954\2010_x86.log.html.tmp

MD5 b71ca468135eb61df2a9ea89f1d9a06f
SHA1 7df7f10747041d08fe3bb60e5dcec18a37a2688e
SHA256 65a60a0ff14eeedcbd6f757182a0b08ac5cfabccfeb51eb13b83cfb55009f9f3
SHA512 1b69d8244e15aa1d51adf61df501ea0e2bf8b88cffc8ea16a23fb44daed4f44f35b6ba540b0e04a00d65122e046a0a727cc05cc63ec1ad43101a15c61a4d6b4e

memory/864-1221-0x0000000000400000-0x0000000000407000-memory.dmp