Malware Analysis Report

2025-06-16 06:24

Sample ID: 250605-h96frstpv9
Target: 3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4
SHA256: 3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4
Tags: cosmu discovery ransomware worm
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4

Threat Level: Known bad

The file 3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5376) files with added filename extension

Renames multiple (5197) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-06-05 07:27

Signatures

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted: 2025-06-05 07:27
Reported: 2025-06-05 07:29
Platform: win11-20250502-en
Max time kernel: 150s
Max time network: 103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload


Renames multiple (5376) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4.exe

"C:\Users\Admin\AppData\Local\Temp\3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-1245416451-815278583-4285364870-1000\desktop.ini.tmp

MD5 3f99688f4ac7887a91459bf1a58ca9d6
SHA1 9392289d8d77d78830e730dbe47a1693a813a1b6
SHA256 d17b6ac8fcecddd2c83c7b650351b4714e400e38a542714a212858a0dc75f3e6
SHA512 d5cb6b711eed8858da504657696302160cb1abf140695cfdfbc4680ba406375c0029128870a0fc8c95d87cabc09ff90834faf3ec511d1caa3db8d70b6e310a63

C:\09888c3fc6bdc8a345f7\2010_x64.log.html.tmp

MD5 69bf7ef9b55786ae092f9e0d74657902
SHA1 65a0a82f940a87e0ebb53f3b5dd02af429a953ac
SHA256 5490f93b0cc682860385ad0f93d3877c55129eb47b11a7daaf4aa319a6605f63
SHA512 020d8ae402d3dc25506c716a197d92b266aada97307fef97632f6ce9cfcb212b47eb26343ac425dcfa3925338c03364210d8ce3680e9725717083f46a3ea77e2

memory/1460-1237-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2025-06-05 07:27
Reported: 2025-06-05 07:29
Platform: win10v2004-20250502-en
Max time kernel: 149s
Max time network: 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload


Renames multiple (5197) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4.exe

"C:\Users\Admin\AppData\Local\Temp\3dca437f9e491da3d6834290e466b607ab3d6ace9de65a9b8fe7f045394d73a4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-186956858-2143653872-2609589082-1000\desktop.ini.tmp

MD5 2328ec75a4747fc65dee6a057d15d638
SHA1 95c42ba3a316d971e28de76d0496e84c1acb8462
SHA256 3cab7598c0f55cbe619880987c3b4d9682b6f7c14742f22c76351b9821bb0ae8
SHA512 e1e23437fd6c1ba9a84071cc9da222f89c2078d9500abb8a341a05df041b9fcd18b198c5562aa74bf1e9c3d28085e87992fbad9d8f70f88a87df3d08bd01ca96

C:\d962f70874f5d4bfc1c6\2010_x64.log.html.tmp

MD5 6b3d177596098dde81a4a1f09bb650f4
SHA1 31cef651544d31b4e23500865156f2199182ea3d
SHA256 835c14f5a613a0db921feef6962094215180ea908d0e1b97ccae9d9819d677c2
SHA512 804b8cbf1751fd31e1ab653c71df5a942d633d31c8fc778db996ff966bd8d3b412dbc0272803a231c739e258ed5431cb3fe5cdd33eb9f5d56cd5245713b98d69

memory/1444-799-0x0000000000400000-0x0000000000407000-memory.dmp