Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-l37xsszydv
Target 31636d98b7165702e3bc2cd27ade00eddfc05edb4a7d4a5cc53c13da6ed0658a
SHA256 31636d98b7165702e3bc2cd27ade00eddfc05edb4a7d4a5cc53c13da6ed0658a
Tags
cosmu discovery ransomware worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

31636d98b7165702e3bc2cd27ade00eddfc05edb4a7d4a5cc53c13da6ed0658a

Threat Level: Known bad

The file 31636d98b7165702e3bc2cd27ade00eddfc05edb4a7d4a5cc53c13da6ed0658a was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Detects Cosmu payload

Cosmu

Cosmu family

Renames multiple (5343) files with added filename extension

Renames multiple (5264) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 10:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-29 10:04

Reported

2025-05-29 10:07

Platform

win11-20250502-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31636d98b7165702e3bc2cd27ade00eddfc05edb4a7d4a5cc53c13da6ed0658a.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5343) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\31636d98b7165702e3bc2cd27ade00eddfc05edb4a7d4a5cc53c13da6ed0658a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\31636d98b7165702e3bc2cd27ade00eddfc05edb4a7d4a5cc53c13da6ed0658a.exe

"C:\Users\Admin\AppData\Local\Temp\31636d98b7165702e3bc2cd27ade00eddfc05edb4a7d4a5cc53c13da6ed0658a.exe"

Network

Country Destination Domain Proto
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3588213599-686740421-4058676312-1000\desktop.ini.tmp

MD5 12251d81d1e693fbc92ab8115e9e290e
SHA1 aef3fd13f5dc9341af9e7184c14e8340e7dbf087
SHA256 8c2267ae648723d197f32d105af98248ec9fa59129ba1cae5b89c6a922581a04
SHA512 10989eaea6278225c9cd476e6ec71d5d2068df8c14d0a6360d7723150a15f5a6de4d823432b4bcd0dee3b96940754efc7c4840fc6d7432226828b8cb5bb155ff

C:\ef2ee615ae93a516ddfc423cbf0f901a\2010_x86.log.html.tmp

MD5 a042904fecfc0b0f19be26bd6981e0aa
SHA1 8d8c52209581be6d1cf610aaacaf582da59e924d
SHA256 86ecfe81226e4a57f877c2d34476492a8d385ae694c98144eeb8e4f4ea10e02e
SHA512 eb8784ab6ae98c6487b5771d3c7210a04eafc67ce0e10d1ccb688099c0ae39aa71fa25fbb6be9d3eddb035400cae4c7f0571dc4b7cae2da02f61bd517c091a64

memory/4200-1123-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 10:04

Reported

2025-05-29 10:07

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31636d98b7165702e3bc2cd27ade00eddfc05edb4a7d4a5cc53c13da6ed0658a.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5264) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\31636d98b7165702e3bc2cd27ade00eddfc05edb4a7d4a5cc53c13da6ed0658a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\31636d98b7165702e3bc2cd27ade00eddfc05edb4a7d4a5cc53c13da6ed0658a.exe

"C:\Users\Admin\AppData\Local\Temp\31636d98b7165702e3bc2cd27ade00eddfc05edb4a7d4a5cc53c13da6ed0658a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-1153236273-2212388449-1493869963-1000\desktop.ini.tmp

MD5 528a3278a1cdda12deb5bc2fdef6e7d1
SHA1 04673aaab703fbe71e21487bca9efcfcca331137
SHA256 e47d82bbbe32ca280971a4656e4e54cf0400e4b3ddbd367d98a848abf53f034f
SHA512 da3450e7fb9a136467d46f5b374ef02272ffff617ee76ec3b7d0b597a242144e56d62c6064b0c2b88e2391df5d58490c61d9cf3ec74a98b35026185531a96921

C:\f518c2ae32873fab6fcffcc19027\2010_x64.log.html.exe

MD5 da096550df89421a7057690659702a45
SHA1 25a0d78ee336b1b16f7ef08fd18772c77d5107d0
SHA256 f9241c6afdc72d7cf559e348350158c1d8616f7f68aad1742e795a5c3a6e1e99
SHA512 f46a44498bfe036a4184b06ab0c1e4413b1b1dc2ab89ea802f90fa07ed21d918b50eb967d472b89b31eec784b36e9d70d87b5c6f42cb946cbf315ff4bd9ec85b

memory/832-797-0x0000000000400000-0x0000000000407000-memory.dmp