Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-n3zbrs1vgz
Target 2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a
SHA256 2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a
Tags cosmu discovery ransomware worm
Score 10/10


Analysis Overview

Score 10/10

SHA256 2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a

Threat Level: Known bad

The file 2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu family

Cosmu

Detects Cosmu payload

Renames multiple (333) files with added filename extension

Renames multiple (350) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Analysis: static1

Detonation Overview

Reported 2025-05-29 11:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2025-05-29 11:55
Reported 2025-05-29 11:58
Platform win10v2004-20250502-en
Max time kernel 150s
Max time network 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (333) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a.exe

"C:\Users\Admin\AppData\Local\Temp\2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3674642747-2260306818-3009887879-1000\desktop.ini.tmp

MD5 819592e45f0069a2e7bf1a1cc7a2f905
SHA1 9cb2e02292bc1bfe0864e85a9013e41ad69481fc
SHA256 1cf5da50ce1f71a7e32b48433d1acbf1e475dcba33b6308e0c922f2f53a65090
SHA512 feaf7e7640c6e3f3cc548cbdd509e5ce31cf1857d055ff416c87b4ee1a9e5f1cf9197e834e828f6d4e2595cc7cb1a0a9516927e32703b06645e930944a507d5c

C:\967f022c4c136664abfad56c1fb73a\2010_x86.log.html.tmp

MD5 99d30de333585091fc90a1144a77853f
SHA1 cd0ce1c2ebe12685927a122c92cb949a151065c3
SHA256 bc8d0500c315070bc3a99fc24ffa600e40a9259101d36ebd4f1c4382fb14fd92
SHA512 ea76c0d496028c70884402434899a705c27de979af8cc69716da7da49b0342b1bfb9bd2e809675f7cec8d3a8c3e1506cdd3f6e91f3ec90e79a996681fb3eb0b2

memory/2268-85-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2025-05-29 11:55
Reported 2025-05-29 11:58
Platform win11-20250502-en
Max time kernel 150s
Max time network 102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (350) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a.exe

"C:\Users\Admin\AppData\Local\Temp\2f5d007bdd6a54ed13f2ffec7c25554a27d5f4ed7f20052b4b98b4e375d0f41a.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-1283078542-320785498-2248628612-1000\desktop.ini.tmp

MD5 16e1dcf6610233508b5f47884929c6a1
SHA1 e1da555385fdf75824129e02b5da423892f9e5b3
SHA256 c5292dcca371b6144f751a06b6ea83c1a04c6a92d9cba0d8b6c24b3ecd6c985c
SHA512 9ccc1e0bf0c23f264045778b655804583a11619f1ccc88c0c73bd6a4c34c192717bf93fa54bbe9906cb7da7b02bdf4323c88c73edb72b2ec146397678a781ad2

C:\caf455ed4ae411b0ba0aa2\2010_x64.log.html.tmp

MD5 e5778a5a0aa7ae43828bcc33ba2d4fcd
SHA1 31795adc08f4f6cc737bbbe35ba138193823d048
SHA256 3cda5bcd692b443e01775f0eeb2cc1acf479cf59dddf9c7e5ca2e47c2dc7a821
SHA512 832edd962a7a5bd5a60987d5dd0377e7d2b43927ad736129de5ce8469790830e8f6dc4e74365056176f739ef83068650e66941af011b5c37ffb87b6477236acb

memory/3724-85-0x0000000000400000-0x0000000000407000-memory.dmp