Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-j5g32svjy6
Target b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa
SHA256 b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa
Tags
cosmu discovery ransomware worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa

Threat Level: Known bad

The file b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu family

Detects Cosmu payload

Cosmu

Renames multiple files with added filename extension (5203 files in behavioral1, 5366 in behavioral2)

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Enterprise Matrix V16

Technique named explicitly by the signatures below: System Location Discovery: System Language Discovery (T1614.001), from the read of the NLS\Language registry key in both behavioural runs. The "ransomware" and "worm" tags are the sandbox's family classification, not technique IDs.

Analysis: static1

Detonation Overview

Reported

2025-06-05 08:14

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
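The "Unsigned PE" static signature reduces to one field in the PE header: the IMAGE_DIRECTORY_ENTRY_SECURITY data directory, which points at the embedded Authenticode certificate table when one is present. The following Python check is an added example written by the editor, not the sandbox's own rule and not code from the sample; it runs on a constructed header-only PE built by the helper below (the builder and its field values are assumptions for the demonstration, not a real executable).

```python
"""Added example: the static check behind an 'Unsigned PE' verdict.

The IMAGE_DIRECTORY_ENTRY_SECURITY entry (index 4 of the optional header's
data directories) holds the file offset and size of the WIN_CERTIFICATE
table that carries an Authenticode signature. An all-zero entry means the
file has no embedded signature. build_minimal_pe() produces a constructed
header-only PE for demonstration only; it is not a runnable executable.
"""
import struct

SECURITY_DIR_INDEX = 4


def security_directory(pe: bytes):
    """Return (file_offset, size) of the security directory, or None when the
    optional header declares fewer than 5 data directories."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                       # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                    # PE32
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:                  # PE32+
        nrva_off, dd_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", pe, opt + nrva_off)[0]
    entry = dd_off + SECURITY_DIR_INDEX * 8
    if n_dirs <= SECURITY_DIR_INDEX or entry + 8 > size_of_optional:
        return None
    # Unlike every other directory, this entry is a raw file offset, not an RVA.
    return struct.unpack_from("<II", pe, opt + entry)


def has_embedded_signature(pe: bytes) -> bool:
    """True when the PE points at a non-empty WIN_CERTIFICATE table. False is
    what the report labels 'Unsigned PE'; it says nothing about whether a
    present signature would validate, and catalog-signed files also return
    False because their signature lives outside the file."""
    entry = security_directory(pe)
    return entry is not None and entry[0] != 0 and entry[1] != 0


def build_minimal_pe(security=(0, 0), pe32plus=True) -> bytes:
    """Constructed test input: DOS header + PE signature + COFF header +
    optional header with 16 data directories and the given security entry."""
    magic, nrva_off, dd_off = (0x20B, 108, 112) if pe32plus else (0x10B, 92, 96)
    opt = bytearray(dd_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, nrva_off, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_off + SECURITY_DIR_INDEX * 8, *security)
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0022)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, blob in (("unsigned", build_minimal_pe()),
                        ("signed", build_minimal_pe(security=(0x1000, 0x800)))):
        print(label, "embedded signature:", has_embedded_signature(blob))
```

On a real sample, read the file into bytes and call has_embedded_signature(); a True result should still be followed by actual chain validation, since an attacker can embed an arbitrary or revoked certificate and the directory check alone will not notice.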

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 08:14

Reported

2025-06-05 08:17

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (5203) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\rsod\powerpivot.x-none.msi.16.x-none.boot.tree.dat.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Presentation.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\ext\localedata.jar.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\jvmti.h.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.MemoryMappedFiles.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ObjectModel.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hans\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\decora_sse.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_F_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hwritalm.dat.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-100.png.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\WHOOSH.WAV.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\7-Zip\Lang\ky.txt.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\catalog.json.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hant\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\msotdintl.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Diagnostics.Process.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DirectWriteForwarder.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.DLL.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\fr\UIAutomationTypes.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ja\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\PenImc_cor3.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\en-GB.pak.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.DATABASECOMPARE.16.1033.hxn.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\javafx\glib.md.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorlib.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.SapClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\fr-FR\sqlxmlx.rll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Contracts.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.CodeDom.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
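The three behavioural signatures above (mass renaming with an added extension, file drops under Program Files, and the NLS\Language registry read flagged as System Language Discovery) can be re-derived from the event rows the report prints. The following Python is an added example by the editor, not the sandbox vendor's rule logic; the EVENTS list is a constructed subset re-typed from the behavioral1 rows (the full run recorded 5203 hits), and the thresholds, the per-process grouping and the ATT&CK mapping to T1614.001 are the editor's assumptions.

```python
"""Added example: re-derive the report's behavioural signatures from its
event rows. Editor's detection logic, not the sandbox's rules; thresholds
and the ATT&CK mapping are assumptions. EVENTS is a constructed subset of
the 'File created' / 'Key opened' rows shown in behavioral1."""
import re
from collections import Counter

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe")

# (action, target, process) triples re-typed from the report's tables.
EVENTS = [
    ("File created", r"C:\Program Files\Java\jre-1.8\lib\ext\localedata.jar.tmp", SAMPLE),
    ("File created", r"C:\Program Files\7-Zip\Lang\ky.txt.tmp", SAMPLE),
    ("File created", r"C:\Program Files\Java\jre-1.8\bin\jjs.exe.tmp", SAMPLE),
    ("File created", r"C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\en-GB.pak.tmp", SAMPLE),
    ("File created", r"C:\$Recycle.Bin\S-1-5-21-3951986358-4006919840-1009690842-1000\desktop.ini.tmp", SAMPLE),
    ("File created", r"C:\e871de07eca81c0a47\2010_x86.log.html.tmp", SAMPLE),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", SAMPLE),
]

NLS_LANGUAGE_KEY = re.compile(
    r"\\REGISTRY\\MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\NLS\\Language$",
    re.IGNORECASE,
)


def added_extension(path):
    """If the file name looks like <name>.<orig_ext>.<added_ext>, return
    (original_name, added_ext); otherwise None. A leading dot (".version.tmp")
    is allowed, an empty component ("a..tmp") is not."""
    name = path.rsplit("\\", 1)[-1]
    parts = name.split(".")
    if len(parts) < 3 or "" in parts[1:]:
        return None
    return ".".join(parts[:-1]), parts[-1].lower()


def mass_rename_signature(events, min_files=100, min_share=0.9):
    """Ransomware heuristic: one process creates many files that are an existing
    name plus one extra extension, and a single extension dominates. min_files
    is set high for production use; the report's 5203 hits clear it easily,
    the six-row constructed sample does not unless the caller lowers it."""
    per_process = {}
    for action, target, process in events:
        if action != "File created":
            continue
        hit = added_extension(target)
        if hit:
            per_process.setdefault(process, Counter())[hit[1]] += 1
    findings = []
    for process, exts in per_process.items():
        ext, count = exts.most_common(1)[0]
        if count >= min_files and count / sum(exts.values()) >= min_share:
            findings.append({"process": process, "extension": ext, "count": count})
    return findings


def program_files_drops(events):
    """'Drops file in Program Files directory': creations under either
    Program Files root."""
    roots = ("c:\\program files\\", "c:\\program files (x86)\\")
    return [t for a, t, _ in events if a == "File created" and t.lower().startswith(roots)]


def language_discovery_signature(events):
    """'System Location Discovery: System Language Discovery': a read of the
    NLS\\Language key, which ATT&CK catalogues as T1614.001 (editor's mapping)."""
    return [
        {"process": p, "key": t, "technique": "T1614.001"}
        for a, t, p in events
        if a == "Key opened" and NLS_LANGUAGE_KEY.search(t)
    ]


def triage(events, min_files=100):
    """Run all three checks and return the signatures that fired."""
    fired = {}
    renames = mass_rename_signature(events, min_files=min_files)
    if renames:
        fired["Renames multiple files with added filename extension"] = renames
    drops = program_files_drops(events)
    if drops:
        fired["Drops file in Program Files directory"] = drops
    lang = language_discovery_signature(events)
    if lang:
        fired["System Location Discovery: System Language Discovery"] = lang
    return fired


if __name__ == "__main__":
    # min_files lowered only because the constructed sample has six file rows.
    for name, hits in triage(EVENTS, min_files=5).items():
        print(f"{name}: {len(hits)} hit(s)")
```

The rename heuristic keys on a dominant added extension per process rather than on ".tmp" specifically, so it also fires for families that append their own marker; the flip side is that installers and backup tools legitimately create large numbers of "<name>.ext.tmp" files, which is why the count threshold and the process attribution matter more than the extension itself.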

Processes

C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe

"C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

c.pki.goog is Google's certificate-services host (CRL, OCSP and issuer-certificate downloads), so a DNS lookup followed by plain HTTP to it is consistent with routine certificate validation by the OS or by installed software such as Chrome. The table does not record which process originated the traffic, and no other destination was contacted, so this run shows no evidence of command-and-control traffic.

Files

C:\$Recycle.Bin\S-1-5-21-3951986358-4006919840-1009690842-1000\desktop.ini.tmp

MD5 b19f2ea7d3406b4de337a753e11f230c
SHA1 23cc90cd4896f92278327b2c09bf2e612acc849b
SHA256 d94a3c24cbb3b5d9f0656efbcff5db83d41b51e41b6603184a9ed83754dfd3e1
SHA512 56615fd628730aba27b384dc5630fda9f987bdc9df4fc2289dab0f0e8c2f8223149fe456b709b5ccd3a4ca538dcb2fa982bdca3c9e907e9676e5109bd0c191af

C:\e871de07eca81c0a47\2010_x86.log.html.tmp

MD5 162f8a135f62f7609e53bfea42dc3369
SHA1 f838222a387a02cf762269e18c06aa7f448a98a9
SHA256 ed95f0543c6dc6d7ead8a8f5dda4ca8f297fc33a282159da2b455aa6d727d267
SHA512 a0193e2f65910c1584c16c40024c238e492c16606e1c723d9145f448b6edc0509acc154500b29c9fc849a416458aefe6fc2d6f813452c191994a3b3c8e1429fe

Analysis: behavioral2

Detonation Overview

Submitted

2025-06-05 08:14

Reported

2025-06-05 08:17

Platform

win11-20250502-en

Max time kernel

150s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Renames multiple (5366) files with added filename extension

ransomware

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.Client.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyLetter.dotx.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Windows.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL086.XML.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Web.HttpUtility.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\.version.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\msquic.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\flavormap.properties.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\en-US.pak.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicuin58_64.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-file-l2-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\java.exe.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmapi_xl.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pt-BR\PresentationCore.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\w2k_lsa_auth.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Dynamic.Runtime.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\UIAutomationClientSideProviders.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\PresentationFramework.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.PowerBI.Diagnostics.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\onenotemui.msi.16.en-us.tree.dat.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Transactions.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Net.Requests.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Web.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\santuario.md.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Java\jre-1.8\Welcome.html.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Formatters.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTest-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\hive.xsl.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\SEGOEUISL.TTF.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.AdomdClient.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.IO.Pipes.AccessControl.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Linq.Parallel.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Threading.ThreadPool.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\content-types.properties.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_OEM_Perp-pl.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Xml.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\System.Windows.Forms.Primitives.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\cs\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.MashupEngine.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\OsfTaskengine.dll.tmp C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe

"C:\Users\Admin\AppData\Local\Temp\b915e7033b022809456a0832d0e2bdffbe3eba14e36771092aba299f650515aa.exe"

Network

No network traffic was recorded in this run.

Files

The two dropped files below have the same names as the ones recorded in behavioral1 but different hashes, so their contents are run-specific. Hunt on the sample's SHA256 and on the behaviour (mass creation of <name>.tmp files under Program Files and $Recycle.Bin), not on these artifact hashes.

C:\$Recycle.Bin\S-1-5-21-779059454-4269757009-3780780039-1000\desktop.ini.tmp

MD5 a2eca795d6fcd3f792040732b373c07c
SHA1 46401b9e269337da3dffc53b5b8a699d49ae463f
SHA256 e2d70dd5cfbf0ed143420d3f934a331d74268aa17f6ec809f8589d5ad7236387
SHA512 24bb5bb08adb8c8aeb2a91a0a3c32131c550f9badb884a1ad21bcad854126d72402ccac488d5530d48ceab0da91ac8910d6d76a2b0ad13e05a5eaf5555c739b3

C:\e62b36dd3cccbd0b2c8aefa1fa8db0\2010_x86.log.html.tmp

MD5 450d448575c1c01aba12cffb8e13f7fb
SHA1 8096ca61e4d377517b917a9816aa3743db3f6e0f
SHA256 d734cf4cd0dc7033119a15aa781b608b891fe7412c2c1ad4117c3c450f0046cc
SHA512 8ed06d91c8f2fcae2a5f39ec97901f9da4e1df92c3015a230a483544514119ad3baaddfdb8500b8eb374018b01afb157d92b50fadd3e5713ccaaf96a32c935d1