Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-j5j8eavjz2
Target c284bfd70aad3207fc289531fb05cda5d8154d3624718b7db91fac6569a60132
SHA256 c284bfd70aad3207fc289531fb05cda5d8154d3624718b7db91fac6569a60132
Tags: cosmu, discovery, ransomware, worm
Score: 10/10

Analysis Overview

score
10/10

SHA256

c284bfd70aad3207fc289531fb05cda5d8154d3624718b7db91fac6569a60132

Threat Level: Known bad

The file c284bfd70aad3207fc289531fb05cda5d8154d3624718b7db91fac6569a60132 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu family

Detects Cosmu payload

Cosmu

Renames multiple (5105) files with added filename extension

Renames multiple (5188) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-06-05 08:15

Signatures

Cosmu family

cosmu

Detects Cosmu payload

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 08:15

Reported

2025-06-05 08:17

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c284bfd70aad3207fc289531fb05cda5d8154d3624718b7db91fac6569a60132.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Renames multiple (5105) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c284bfd70aad3207fc289531fb05cda5d8154d3624718b7db91fac6569a60132.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c284bfd70aad3207fc289531fb05cda5d8154d3624718b7db91fac6569a60132.exe

"C:\Users\Admin\AppData\Local\Temp\c284bfd70aad3207fc289531fb05cda5d8154d3624718b7db91fac6569a60132.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3342576763-1998465526-3870295501-1000\desktop.ini.tmp

MD5 cf173ad08921514581161aa1f4a80066
SHA1 1da90abb340a6221e95bc341bbf48993b0eccfbf
SHA256 79559197d7fb8459ab5ce16c2b4434f50bd97c93466a7c93407b03375d3d6cbb
SHA512 13f4a92a8701a5893a2d13cfd10af95dbd5758d78e691845e700a2ec84f06f2ddba090bc54983c5ed297474c6b5029c4c9eece7dcc9a65728c044679fa795449

C:\fa79de221d524b769d0447\2010_x64.log.html.tmp

MD5 edc42ae95460840fa4f3f0c674f17641
SHA1 ca2ca9e08491bf54100bacf43221fd89d5be7e75
SHA256 9ba785fddbc4feb4d8fb40acc257016d7c8219c20b1a0fa7dc0440878e6f7c0c
SHA512 05c2f094fe9f22d4a4b7b8dc37281b3e09198258a18fede49d0542059a8d9a71ade559413d58fdfed6f56dbec5eadb952d4a893d012be3f0d0867910dc93ba57

Analysis: behavioral2

Detonation Overview

Submitted

2025-06-05 08:15

Reported

2025-06-05 08:17

Platform

win11-20250502-en

Max time kernel

150s

Max time network

109s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c284bfd70aad3207fc289531fb05cda5d8154d3624718b7db91fac6569a60132.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Renames multiple (5188) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c284bfd70aad3207fc289531fb05cda5d8154d3624718b7db91fac6569a60132.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c284bfd70aad3207fc289531fb05cda5d8154d3624718b7db91fac6569a60132.exe

"C:\Users\Admin\AppData\Local\Temp\c284bfd70aad3207fc289531fb05cda5d8154d3624718b7db91fac6569a60132.exe"

Network

Country Destination Domain Proto
US 52.111.227.13:443 tcp

Files

C:\$Recycle.Bin\S-1-5-21-3518521428-3897247806-4080064211-1000\desktop.ini.tmp

MD5 b79608a79f837f0e2c33664dac26e9d1
SHA1 6e970be973742adbc0bb7854d973c34976eff9b0
SHA256 86745d8603850d6fff887ff755a9546e8ef2f944b582b3f7178f461ce8716ad5
SHA512 d8c93cf3dc2c408c7d32733fe63060ed67b230fa947dcad27f662a66e80ecc8477b0db5cf2abdf213f7d0dcce9bda59f5d474f83f5562c4794603db71392b6a3

C:\ef24ccacc0fb7a1128713900cef14716\2010_x64.log.html.tmp

MD5 2cdb0545abb1518fcd39ad32933fc790
SHA1 5f7c792a29297c756469d5c2790edfa9344a4caf
SHA256 284f0aa604f724e68c3c7029680884856f5078828971bf2998e582766ea0cadb
SHA512 cfad57ce1c4861418a5cb76b99ef9c3493e71eb8eeaf5100b149473394edd118a2536e7ecec14e3b3c6f34cdea184f6c7423f41857d501e172239ed1e486ba2a