Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-n5fx7s1vht
Target 59b2f69e78dda87f83f15f064a25e40551c62878cebfc66e541f6bd79e67d42d
SHA256 59b2f69e78dda87f83f15f064a25e40551c62878cebfc66e541f6bd79e67d42d
Tags: cosmu discovery ransomware worm
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 59b2f69e78dda87f83f15f064a25e40551c62878cebfc66e541f6bd79e67d42d was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (4867) files with added filename extension

Renames multiple (4860) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Analysis: static1

Detonation Overview

Reported

2025-05-29 11:58

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 11:58

Reported

2025-05-29 12:01

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59b2f69e78dda87f83f15f064a25e40551c62878cebfc66e541f6bd79e67d42d.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Renames multiple (4867) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\59b2f69e78dda87f83f15f064a25e40551c62878cebfc66e541f6bd79e67d42d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\59b2f69e78dda87f83f15f064a25e40551c62878cebfc66e541f6bd79e67d42d.exe

"C:\Users\Admin\AppData\Local\Temp\59b2f69e78dda87f83f15f064a25e40551c62878cebfc66e541f6bd79e67d42d.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

memory/1732-0-0x0000000000400000-0x0000000000407000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-343936533-1262634978-1863872812-1000\desktop.ini.tmp

MD5 3e890b606efa6ee02c254405e39435c6
SHA1 67d4d8f1e70c48c6492c7bd14fcd953e8b0e9a6f
SHA256 17126e00fe33b713ec900501959fde295929b5d9cc42ca30d28ea83d0804c169
SHA512 9fd345b1c8a97eb0a3fcf5c0388251dff340c8941d05ddf2bed6b9c9febf83f72e67d588a49a630869fa20f587e4fd031aa7c811cc721b76251f2402a7b97783

C:\f21fae8705b262c53286e8\2010_x86.log.html.tmp

MD5 f6f775706bf66b17c531efe07df2ef1e
SHA1 f3c3f36c9de31fc6b7a852d054e1d28a986c2e08
SHA256 1e939fd3539b682727d207ad772a7a0527aa68e38404df810ba827039a4daa29
SHA512 d8e179ee7d3568e0f8d1772187a9550d3134be13fce83212bf83ac4d9f7bb95b1069ca7f2f3c74f2631c1d6ecade4c110ac46226c07c48ae7ef76b9a8e66ce80

memory/1732-676-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-29 11:58

Reported

2025-05-29 12:01

Platform

win11-20250502-en

Max time kernel

150s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59b2f69e78dda87f83f15f064a25e40551c62878cebfc66e541f6bd79e67d42d.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Renames multiple (4860) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\59b2f69e78dda87f83f15f064a25e40551c62878cebfc66e541f6bd79e67d42d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\59b2f69e78dda87f83f15f064a25e40551c62878cebfc66e541f6bd79e67d42d.exe

"C:\Users\Admin\AppData\Local\Temp\59b2f69e78dda87f83f15f064a25e40551c62878cebfc66e541f6bd79e67d42d.exe"

Network

Files

memory/1636-0-0x0000000000400000-0x0000000000407000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-434880884-4028056734-3558218839-1000\desktop.ini.tmp

MD5 c572d88c68721eb90d68525c78b4b42c
SHA1 ab40795e7a1df08374b819a8a6c47bfbf0787fb3
SHA256 a2b23e49c7d8212372e311c881794077a15f7188da370ecfd8197a954172aeae
SHA512 a09a86d3681ed3f989b112bedebded3b24683a182841bd449111c288554ecf70593a22455a5d84291bccbcb1542f932c4be7d33f4a92c73d237dfa3a566385cb

C:\adad24410ad15e7b1e4f8836d3a6\2010_x86.log.html.tmp

MD5 e3c5d8f638b47ddf1449ec98c0770030
SHA1 bffd78449867005c4813b30749c88ef10ab6c77c
SHA256 998d631e5fc66739a41a90d7342cdfcdf59d7f952bb7349c1e8254545d5b7866
SHA512 f3871258d76c6fe8764d83205c87b33eb73962f76711983763fc087552a6808264d0f5e50e343fccadb3f244cb04a010ddf55381f7bbf4d4cc1f20b1e6c336e8

memory/1636-828-0x0000000000400000-0x0000000000407000-memory.dmp