Malware Analysis Report

2025-08-05 14:40

Sample ID 250703-f418ravlt4
Target 734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100
SHA256 734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100
Tags
cosmu discovery ransomware worm
score
10/10

Analysis Overview

score
10/10

SHA256

734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100

Threat Level: Known bad

The file 734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu family

Detects Cosmu payload

Cosmu

Renames multiple (1254) files with added filename extension

Renames multiple (1181) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-03 05:26

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2025-07-03 05:26

Reported

2025-07-03 05:28

Platform

win10v2004-20250619-en

Max time kernel

150s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload


Renames multiple (1181) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe

"C:\Users\Admin\AppData\Local\Temp\734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3008489981-1977616533-741913813-1000\desktop.ini.tmp

MD5 b3798da8d652e5abd67f4a47de1d8d30
SHA1 c67cc357508c51692e42915f7c492eb7ab4b71dc
SHA256 0ca5455aa5435ed0806ea7658d975168d0ed2342d9b5cb088b1a8f8a2f51efae
SHA512 b508c911cf23a20b19e06bdfa77d3cf3e15164eb5ccdee04071d5bdb4898445d7f22f3a25ff81dd67932125b45c01a94f582ab37b3502a861c318468101cdb49

C:\84738cc25964774ab2d2ce2181\2010_x86.log.html.tmp

MD5 513200a24fcd3b379564cbb202af6ba0
SHA1 77349684c999a6ec55c9444525baaf8fc0f3767e
SHA256 cb4fc575e4edc6d44b39ebcba71f7ad2429a2b4ffbdba31a53e637f29950e0fe
SHA512 f197b6ec1edd1186c1162e2696e732af56713c7ab6925bf15f0191936ab3effab51a5a6e7811607b6c9c1e42ab4ff2c60987c58fd796bbca1db556ee5f8cd177

memory/1932-247-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-03 05:26

Reported

2025-07-03 05:28

Platform

win11-20250619-en

Max time kernel

150s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload


Renames multiple (1254) files with added filename extension

ransomware

Drops file in Program Files directory


System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe

"C:\Users\Admin\AppData\Local\Temp\734547048714965a108464aa5a4a1b3af1fed4243bc5d0c68e8e3a2258682100.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-707770698-2523217751-1187874351-1000\desktop.ini.tmp

MD5 08e447a906cfed771b04fc118a6923a2
SHA1 58e7697cccd1131b7ad930746df8ee581cd920dd
SHA256 a678739fe052917df4f4ad12f9c879053cae85b77ddd6f549be97776741843cb
SHA512 bcca4d387d6eebba8feec795c42e8d32fc2f4730a244d9159576d70cd667e357c5e624fa615cf7f5841efb09d29e6cc643fa4a962f332ee703e6ba61eacdadbf

C:\7219690d69d70c9cdaab3c\2010_x86.log.html.tmp

MD5 c8f052cc9ce813468607dd5633b81613
SHA1 1e4a6e8c854f1a02b9d737e405c71a7462ffab72
SHA256 b6ab2a23ecb6d677417878a13619cc5b4f5a55c7d21be3d91ed6b7a356889921
SHA512 854545c03ea16a999df57f4963fa1e825a507c30bc047dd67a9b3b9ef4a7ffdf059227d0f97ac59e0e32588b92ebb6d185cde02e9756a8ff27f3f51b540a7e6a

memory/5520-241-0x0000000000400000-0x0000000000407000-memory.dmp