Malware Analysis Report

2025-06-16 06:24

Sample ID 250605-j7eeyavks3
Target 11e007332adab7424f3a426adc7480052bdd01f1de0eb110d8a07059abfc78c8
SHA256 11e007332adab7424f3a426adc7480052bdd01f1de0eb110d8a07059abfc78c8
Tags
cosmu discovery ransomware worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

11e007332adab7424f3a426adc7480052bdd01f1de0eb110d8a07059abfc78c8

Threat Level: Known bad

The file 11e007332adab7424f3a426adc7480052bdd01f1de0eb110d8a07059abfc78c8 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Cosmu family

Detects Cosmu payload

Renames multiple (5306) files with added filename extension

Renames multiple (5205) files with added filename extension

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-06-05 08:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-05 08:18

Reported

2025-06-05 08:20

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11e007332adab7424f3a426adc7480052bdd01f1de0eb110d8a07059abfc78c8.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5205) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11e007332adab7424f3a426adc7480052bdd01f1de0eb110d8a07059abfc78c8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11e007332adab7424f3a426adc7480052bdd01f1de0eb110d8a07059abfc78c8.exe

"C:\Users\Admin\AppData\Local\Temp\11e007332adab7424f3a426adc7480052bdd01f1de0eb110d8a07059abfc78c8.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3623617754-4043701611-775564599-1000\desktop.ini.tmp

MD5 4925797e22222ae856fe0bf3ba5dc4a3
SHA1 d5de644b41d108d756192626e2866b2a46238e30
SHA256 22b48e035c55d576f19faf735c157e2fb019a8a0e338dbe3c6001469a66432ff
SHA512 55334399812c3163919e98b81bcce1c5aa7ca8f23082e018b473a75ce99962882c8fbea32ec972c7f0e25560178d786e3f4a2296c7192cee0890715a6edcd3e3

C:\b96a7bef2438b67e1aee\2010_x86.log.html.tmp

MD5 72d468cdd03c59512884da95f81b84d1
SHA1 922dc4c09c20e58bfb3663e72bc09f5ea7d6fd3b
SHA256 fbde055378ef113082bb951c4eb05a63d6e957ad6aefad4ec46698c1b90b54c7
SHA512 0cf4b683c8a45776e54a322c8f7efccce077838bd22ef1caa687fcf6f5288f9a04741d0d531f32bb626f2058399d545fb17dc5796755f4ac2a5567817a8c65ab

memory/4792-801-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-06-05 08:18

Reported

2025-06-05 08:20

Platform

win11-20250502-en

Max time kernel

150s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11e007332adab7424f3a426adc7480052bdd01f1de0eb110d8a07059abfc78c8.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5306) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\11e007332adab7424f3a426adc7480052bdd01f1de0eb110d8a07059abfc78c8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11e007332adab7424f3a426adc7480052bdd01f1de0eb110d8a07059abfc78c8.exe

"C:\Users\Admin\AppData\Local\Temp\11e007332adab7424f3a426adc7480052bdd01f1de0eb110d8a07059abfc78c8.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-779059454-4269757009-3780780039-1000\desktop.ini.tmp

MD5 5aff50154337d1c17835b33c8cb0162f
SHA1 0a13fc6e220a1a9bb4ca0704e5b6661a3c90dc9b
SHA256 aeafc97ded153e5b5a4a2fe9b6261dc067d7893a482b4446603bb1abb38665c1
SHA512 66a4421215e6b9c2372d7b51c5de3f0895bba79bcc9f024b5d10995213143691180c6c3adae496c350395ad1b606ca606d86b5ad6d670c5bf113f4ef29f949ac

C:\e62b36dd3cccbd0b2c8aefa1fa8db0\2010_x86.log.html.tmp

MD5 0ff8f9f71dd8c605ee02b30eaa384f26
SHA1 ea4be040eb6a05fe3995d0c2ede5ead0808a8fb8
SHA256 a71a5ce73fab8e6b0807e58cff1b48cd84d9efdc3045fa82a0a29dd694b23cae
SHA512 bf4e4d7d64aa713532517ae8a874dfa9c4b32e3c1359a5a233a5fc5fa5eb0472d215971eaf82858bc7d10bc7ca6a1baf63296b8330857a445f47a403c6782ad9

memory/2824-1233-0x0000000000400000-0x0000000000407000-memory.dmp