Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-l3p2zszrt8
Target 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875
SHA256 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875
Tags cosmu discovery ransomware worm
score 10/10

Analysis Overview

score 10/10
SHA256 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875

Threat Level: Known bad

The file 6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875 was found to be: Known bad.

Malicious Activity Summary

cosmu discovery ransomware worm

Cosmu

Detects Cosmu payload

Cosmu family

Renames multiple (5356) files with added filename extension

Renames multiple (5250) files with added filename extension

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Analysis: static1

Detonation Overview

Reported 2025-05-29 10:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2025-05-29 10:03
Reported 2025-05-29 10:06
Platform win11-20250502-en
Max time kernel 150s
Max time network 100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5356) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe

"C:\Users\Admin\AppData\Local\Temp\6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe"

Network

Files

C:\$Recycle.Bin\S-1-5-21-1245416451-815278583-4285364870-1000\desktop.ini.tmp

MD5 9edb7b55889bcb87634133136dda12bc
SHA1 ccffceefc1f902216ce199b3ec963efb8c666ce6
SHA256 10f9bcc7d393f20f58b87265f195ff4e9d3d67e83e6c65a2dc6d0672b456e5d3
SHA512 1dac5cfaafc6877be8e9cea1a7f09eea240ba8d6d5e75540f8b9aff5ecfe4c7e6466ebbe79835398c99a2ee072de54a90b24ea5aabd2380284dc35f83f841a63

C:\09888c3fc6bdc8a345f7\2010_x64.log.html.tmp

MD5 bb5edc415890069cf64d115e990aa1ee
SHA1 01d81d6a425817a106081e82842cfe2215221ef7
SHA256 552c54dc84984a101178558aec24302e40ca23b441b76e9018a07701e24b130f
SHA512 fa86fce81fd92a0137d57d4060d7cbfcf73b149bd60abb1b4574aafc154b2289f7f7137d18eeb85a6ae6dc0317eca3c0f572cc098332a4484c3b368409a8962e

memory/5248-1215-0x0000000000400000-0x0000000000407000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2025-05-29 10:03
Reported 2025-05-29 10:06
Platform win10v2004-20250502-en
Max time kernel 150s
Max time network 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe"

Signatures

Cosmu

worm cosmu

Cosmu family

cosmu

Detects Cosmu payload

Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (5250) files with added filename extension

ransomware

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe

"C:\Users\Admin\AppData\Local\Temp\6ec27ecc5b8e841cf3b244cbc1502da80f00f62f345ea4f450a0648aaf627875.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

C:\$Recycle.Bin\S-1-5-21-3299287909-2279959458-198972791-1000\desktop.ini.tmp

MD5 bf697859ee0b7caf586d317b455f842e
SHA1 15c6fc534aad697edd2487639ce3521cd5b494f2
SHA256 2c1dbb1c190e1ad13016071a10731953c9e95e20fadd07cef2ff3bb77ed07d8f
SHA512 753c7c8d52c128ba52d9581559b10ecf7e033366604e9f0c9f0d10f0412a2440d59c96cc20aedacd1436a7012e09f777e79236e4e45f2fded5e140b4bd6c2bfe

C:\8e056885788215100b95f8050bba49\2010_x64.log.html.tmp

MD5 6cb08c89b3b2d6547dfbfd18fd5211b0
SHA1 11866ef40e2d5b4c20d97423612303a34c4eaddc
SHA256 62ff55ae2d9f2ed6c0b41c80a38ed2e3d5416882ae1b45ae75e89cc774175149
SHA512 22ffde0307e9dc66264ef4c21005442ee51fd0dca16cbcb0b1cd44c2bd4c641717d4b2e6b8450566980f3d9a4f58e81ae00d4b88e62c5ca1022dee5f1d18637f

memory/1912-801-0x0000000000400000-0x0000000000407000-memory.dmp