Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-n5fbns1vhs
Target 2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8
SHA256 2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8
Tags
cosmu discovery ransomware worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8

Threat Level: Known bad

The file 2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu family

Detects Cosmu payload

Cosmu

Renames multiple (5123) files with added filename extension

Renames multiple (5078) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 11:58

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 11:58

Reported

2025-05-29 12:01

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (5123) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.boot.tree.dat.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Queryable.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Resources.Writer.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\PYCC.pf.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\FileSystemMetadata.xml.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.PowerBI.AdomdClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.boot.tree.dat.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\7-Zip\Lang\uz.txt.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\PrivacySandboxAttestationsPreloaded\privacy-sandbox-attestations.dat.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\7-Zip\Lang\mng2.txt.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\System.Windows.Forms.Design.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\sl-SI\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\ja.pak.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordVL_MAK-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OIMG.DLL.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.png.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Diagnostics.PerformanceCounter.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\WindowsBase.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql90.xsl.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\it\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pt-BR\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\BHOINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.ComponentModel.EventBasedAsync.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial2-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.boot.tree.dat.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\7-Zip\Lang\nb.txt.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Data.DataSetExtensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\PresentationFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_TW.properties.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.Win32.Registry.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\vcruntime140.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OART.DLL.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN020.XML.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.tree.dat.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe

"C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-343936533-1262634978-1863872812-1000\desktop.ini.tmp

MD5 29b48b35249c76cbe9ef0204031b12fd
SHA1 f70de9fe947112fb55f8aa35e4676193f8e4f607
SHA256 d29217e35baf484f3b2e90b9100dbda372b133a3051a9c94517f01903643150f
SHA512 833b881da30aa72c1946939fb6365265cf63a7052b8e19240e6821667b5946b5762bbedeadc643cf1e6882ea1515f2b15650ac7f38af51efd7803103c7bf853c

C:\f21fae8705b262c53286e8\2010_x86.log.html.tmp

MD5 48cc05c2b894eab50a59c33766e0132b
SHA1 478bdbea1daa1001aa3f6c60983fa34216ea4cbb
SHA256 a4cecbd1e12bc98b3e1806d1d42a12b6bd7d33a934bbd5fce2983446d7d81054
SHA512 e61870feb1dad14fa2507b886dcf9ecae7756dff5913dd53c098247659e35d4b6adaa7de2e6ff73753480ca43827e56e2727020098a38cd72e0e3110f4e85f06

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-29 11:58

Reported

2025-05-29 12:01

Platform

win11-20250502-en

Max time kernel

150s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (5078) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Classic.dotx.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\dt_shmem.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\salesforce.ini.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\System.Windows.Controls.Ribbon.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\verify.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_F_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\7-Zip\Lang\be.txt.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.DiagnosticSource.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.deps.json.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\fontconfig.bfc.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Net.Requests.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-handle-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\freebxml.md.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-private-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\7-Zip\Uninstall.exe.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.IO.Compression.ZipFile.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_fr.properties.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-synch-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\mscordbi.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Trial-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Dallas.OAuthClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-handle-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\local_policy.jar.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightDemiItalic.ttf.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\excel.exe.manifest.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Net.HttpListener.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-console-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Java\jdk-1.8\jvisualvm.txt.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-localization-l1-2-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Security.Cryptography.OpenSsl.dll.tmp C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe

"C:\Users\Admin\AppData\Local\Temp\2d060d99dfc780f3bbf8f833adb029eeb1ab1d30d59ae4af403d4bcb493894d8.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-434880884-4028056734-3558218839-1000\desktop.ini.tmp

MD5 8f33470bed9650c7080a36ab025526fd
SHA1 dc7fa77cf9392b2946e85eb4690bb068a7e2eafd
SHA256 b5656af1f227c40bd9471c9ef2e4ddd32860cf83ed2948673e0036140c29910c
SHA512 def55de4019ab769a716cccda170a999c3f5facf64582add1d55a29a44fd1ea8851add07bf91601451d312f38fa81ae3facf040707a72d9474dee57f9b95da22

C:\adad24410ad15e7b1e4f8836d3a6\2010_x86.log.html.tmp

MD5 dc9cc2476d2cfc936f71d74f46e5da18
SHA1 5725af0f0586284174e019533f3b555863eea866
SHA256 6dbcafd7eaed6e7b0d1ae4bcaf40f72065b3d6c94f9f61e99abae851b6294519
SHA512 7e85566ebe60de8a6a24b9ffefcc0658bad915060faef277f3c029ba57f38085db02a91c3611a2503ec3548e94105b11c089c3dd36bc602b9d0e0673661d29ce