Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-j5p4natyex
Target c3836316a31a4634f5c54d66fe14d38a8e0b533079ba19f0ff0ae9d5d1f26567
SHA256 c3836316a31a4634f5c54d66fe14d38a8e0b533079ba19f0ff0ae9d5d1f26567
Tags cosmu discovery ransomware worm
Score 10/10

Analysis Overview

score
10/10

SHA256

c3836316a31a4634f5c54d66fe14d38a8e0b533079ba19f0ff0ae9d5d1f26567

Threat Level: Known bad

The file c3836316a31a4634f5c54d66fe14d38a8e0b533079ba19f0ff0ae9d5d1f26567 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5360) files with added filename extension

Renames multiple (5294) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Analysis: static1

Detonation Overview

Reported

2025-06-05 08:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 08:15

Reported

2025-06-05 08:17

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3836316a31a4634f5c54d66fe14d38a8e0b533079ba19f0ff0ae9d5d1f26567.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5294) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c3836316a31a4634f5c54d66fe14d38a8e0b533079ba19f0ff0ae9d5d1f26567.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c3836316a31a4634f5c54d66fe14d38a8e0b533079ba19f0ff0ae9d5d1f26567.exe

"C:\Users\Admin\AppData\Local\Temp\c3836316a31a4634f5c54d66fe14d38a8e0b533079ba19f0ff0ae9d5d1f26567.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-343936533-1262634978-1863872812-1000\desktop.ini.tmp

MD5 b8b1585f1780b126434140353bda7a5c
SHA1 02851ca17a0d85bd9ff39d92907ff3053a6a6163
SHA256 4951bd9557d1e2459c9f8bb3d994eebbd9674bb2a7a683a42181e9f35ee0909e
SHA512 f59d9bd02d0832894c8b183762e50428cd8d3343488c3120744f469d39ee68e045370ae06bde2a53ea757c4e22072fc7d2685a2e99741c8be5c5f74b778817c5

C:\f21fae8705b262c53286e8\2010_x86.log.html.tmp

MD5 7e171def1b4dab9a8dc130ae2aa27c73
SHA1 d7475ee7db05e9e0d1d688045cee3222d8643fea
SHA256 3aee13d099da089d27e9a5724b13449970b70f70ced7824a7304b61cbdc1c7f9
SHA512 0e310096c5e1e3560c891c0286d83a0080cfbf41fe554b2059f5deb9dff7000479505dc36e2bee6fc0e503fc3cf625964cf83e03059924ae714f36e2318f2ede

memory/3604-807-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-06-05 08:15

Reported

2025-06-05 08:17

Platform

win11-20250502-en

Max time kernel

150s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3836316a31a4634f5c54d66fe14d38a8e0b533079ba19f0ff0ae9d5d1f26567.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5360) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c3836316a31a4634f5c54d66fe14d38a8e0b533079ba19f0ff0ae9d5d1f26567.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c3836316a31a4634f5c54d66fe14d38a8e0b533079ba19f0ff0ae9d5d1f26567.exe

"C:\Users\Admin\AppData\Local\Temp\c3836316a31a4634f5c54d66fe14d38a8e0b533079ba19f0ff0ae9d5d1f26567.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-330179853-1108322181-418488014-1000\desktop.ini.tmp

MD5 bc59df5742c57d9911cb0e33c090f02f
SHA1 24cacc0b2dac4d1bf3de504e4f13e38eb91b9e30
SHA256 81a14cbffb905eb5781f81d0482971c43f3e89f9f55e267ec3e63b05ff01fa72
SHA512 27d545fad97dee151fa58694cd3c36bf17c7639aae0a1ac9e4ea56d5f884cb666b5b128d69104b5c0bbeb1a23dcaab983d8acb4080fa4bb7eddca1a549d59384

C:\b5678467481f56688dc2ce816954\2010_x86.log.html.tmp

MD5 6b31ea2cf7250c4d43497a88bc5c61bf
SHA1 f262d989dee2ec9f7056b47307408c4c08914a26
SHA256 a31f1920805be6622c937bc30076917589c875c6b9002256ed674d39d8288297
SHA512 0bf81ea5caaa705df4704be3b343cb457edbb2303af08995c18944e1fa9c0b089b90dc55e5bc38d4a5f1ebc676e4585d52857b15cd249bb1fd640e7ba8b9850b

memory/2992-1219-0x0000000000400000-0x0000000000407000-memory.dmp