Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-n5gjqs1vhv
Target 31219bb50eca7514d0043992615702d4beef2ded95f668edaca1e8a92905208a
SHA256 31219bb50eca7514d0043992615702d4beef2ded95f668edaca1e8a92905208a
Tags cosmu discovery ransomware worm
Score 10/10

Analysis Overview

Score 10/10
SHA256 31219bb50eca7514d0043992615702d4beef2ded95f668edaca1e8a92905208a

Threat Level: Known bad

The file 31219bb50eca7514d0043992615702d4beef2ded95f668edaca1e8a92905208a was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Detects Cosmu payload

Cosmu family

Renames multiple (5202) files with added filename extension

Renames multiple (5091) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Analysis: static1

Detonation Overview

Reported 2025-05-29 11:58

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2025-05-29 11:58
Reported 2025-05-29 12:01
Platform win10v2004-20250502-en
Max time kernel 150s
Max time network 134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31219bb50eca7514d0043992615702d4beef2ded95f668edaca1e8a92905208a.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Renames multiple (5091) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\31219bb50eca7514d0043992615702d4beef2ded95f668edaca1e8a92905208a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\31219bb50eca7514d0043992615702d4beef2ded95f668edaca1e8a92905208a.exe

"C:\Users\Admin\AppData\Local\Temp\31219bb50eca7514d0043992615702d4beef2ded95f668edaca1e8a92905208a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3690492401-2005096563-3427069815-1000\desktop.ini.tmp

MD5 cd707033bc7da261f0bf288382dda4df
SHA1 c37bade11c20fa6bca07717e357cdcce3ea6d7ef
SHA256 79b5b4bc92c252977d6c60d143a8e2887b026d0a5054b795c64c2d1c4d53880a
SHA512 aff1af72bc6db1cb51cf0287532ffddaffa30fb8ddef836a91c02167a2a37d5657c5ba78d8b9ee131d16370d31d1923a5c9fc6d6611fcd4a836ff448145959c3

C:\f32c6debfbe15d219b06a854\2010_x64.log.html.tmp

MD5 1a552ed95b39505da9389c3ec30c7579
SHA1 23e3e038f6b1e1f74e735ea18b7d56e0c10dadce
SHA256 6e8632a1d92aa6b16460949689889c32b2f7a4f27de0a30da8aea6b2748087ac
SHA512 881064655645d1fced42911825626692fc6240e0aaf21b224f09cbb9b0fea4cbf9d846e4d512acd0b9d804a964e494f2c104788106a93548e5bd8283807b1343

Analysis: behavioral2

Detonation Overview

Submitted 2025-05-29 11:58
Reported 2025-05-29 12:01
Platform win11-20250502-en
Max time kernel 149s
Max time network 102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31219bb50eca7514d0043992615702d4beef2ded95f668edaca1e8a92905208a.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Renames multiple (5202) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\31219bb50eca7514d0043992615702d4beef2ded95f668edaca1e8a92905208a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\31219bb50eca7514d0043992615702d4beef2ded95f668edaca1e8a92905208a.exe

"C:\Users\Admin\AppData\Local\Temp\31219bb50eca7514d0043992615702d4beef2ded95f668edaca1e8a92905208a.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-2117256398-1057710415-2142084777-1000\desktop.ini.tmp

MD5 969fa20818599dc74aa596c0f4b46837
SHA1 3c6e37a3b5d5d1f4ddf1014dcd29de364038ff4b
SHA256 382b25162e4804b2ae3bbccb59d092b529d57d24120fcd332f8a8cadf357b8ba
SHA512 11e03255dc209165715a0a368872db6ef2f4dc6b4c9c77ce0b37f7a1b2a8cfabcac8d8d8a4396080e3dfa373b51b3218fc5c4704f789cd61bd3f9e2562bf444f

C:\c8b37a19c794785c97\2010_x86.log.html.tmp

MD5 46e92cf454fdc4102242ed02aafdf0f9
SHA1 4abff0bffb6be64c5007e5c529b3089e9fd5c1eb
SHA256 9bb9823154c99af973776929db7ea63cb89adb4303d30ec6be29552b46902bc3
SHA512 f6cb6282da44e6993d64f8e2f5e23233e5973338e9d33d3f0c62540af7aae59cd3f8c3844a898b91b28d205f792a5e70289b716b91b5433aeb444b25bfa3d55b