Analysis Overview
SHA256
5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a
Threat Level: Known bad
The file 5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a was found to be: Known bad.
Malicious Activity Summary
Cosmu
Cosmu family
Detects Cosmu payload
Renames multiple (5202) files with added filename extension
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery (T1614.001)
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-29 10:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
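"Unsigned PE" in the static signature means the optional header's security data directory (slot 4, the Authenticode WIN_CERTIFICATE blob) is empty. The following is an added example, written for this page and not the sandbox's own check, that reads that slot directly; the minimal PE32+ skeleton it builds is constructed purely to exercise the parser and is not the sample above.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory slot holding the Authenticode WIN_CERTIFICATE blob


def security_directory(pe: bytes):
    """Return (file_offset, size) of the Authenticode blob, or None when the PE carries no signature.

    Unlike the other data directories, the security entry is a raw file offset, not an RVA,
    so no section mapping is needed to locate it.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at 92, directories start at 96
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at 108, directories start at 112
        num_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unexpected optional-header magic {magic:#x}")
    (num_dirs,) = struct.unpack_from("<I", pe, opt + num_dirs_off)
    entry = opt + dirs_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return None
    offset, size = struct.unpack_from("<II", pe, entry)
    if size == 0:
        return None
    if offset + size > len(pe):
        raise ValueError("security directory points past end of file (truncated or malformed)")
    return offset, size


def has_authenticode_signature(pe: bytes) -> bool:
    """True when a signature blob is present; says nothing about whether it verifies."""
    return security_directory(pe) is not None


def build_minimal_pe(with_signature: bool) -> bytes:
    """Constructed, non-executable PE32+ skeleton used only to exercise the parser above."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE header directly after the DOS header
    optional = bytearray(240)                             # PE32+ optional header with 16 data directories
    struct.pack_into("<H", optional, 0, 0x20B)
    struct.pack_into("<I", optional, 108, 16)             # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(optional), 0x22)
    header_len = len(dos) + 4 + len(coff) + len(optional)
    blob = b""
    if with_signature:
        # WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7), then the PKCS#7 bytes.
        pkcs7 = b"\x30\x80" + b"\x00" * 30                # placeholder DER, not a real signature
        blob = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7
        struct.pack_into("<II", optional, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, header_len, len(blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + blob


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(security_directory(fh.read()) or "unsigned")
```

Presence of the directory only means a blob is attached; a signed-but-revoked or self-signed binary passes this test. To confirm the chain, run `signtool verify /pa /v <file>` or PowerShell's `Get-AuthenticodeSignature` on a Windows host. Bytes in that blob are excluded from the Authenticode hash, which is why an unexpectedly large security directory is itself worth a look.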
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-29 10:02
Reported
2025-05-29 10:05
Platform
win10v2004-20250502-en
Max time kernel
149s
Max time network
135s
Command Line
Signatures
Cosmu
Cosmu family
Detects Cosmu payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Renames multiple (5202) files with added filename extension
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-timezone-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework-SystemXmlLinq.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Exchange.WebServices.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\j2pcsc.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\jdwp.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-180.png.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\hi.txt.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Common Files\System\ado\adovbs.inc.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationNative_cor3.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\include\jni.h.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART4.BDR.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\Tec.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Primitives.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Encoding.CodePages.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Trial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-processthreads-l1-1-1.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-process-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationTypes.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Globalization.Extensions.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.Primitives.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Common Files\System\Ole DB\msdasql.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\UIAutomationClientSideProviders.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.cat.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\ReachFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pl\UIAutomationTypes.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
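The rename signature and the file-created table above show the pattern a detection should key on: a single process stamping the same suffix (.tmp here) onto files that already carried an extension, across many unrelated directories under Program Files and elsewhere. The following is an added example of that heuristic, written for this page and not the sandbox's own signature logic. The event rows are copied from this report (a subset of the 5202 the sandbox counted); the benign rows, the event tuple layout and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe"

# Rows copied from this report, as (operation, path, process). The last one has a single suffix
# (its original name had no extension), which the heuristic below deliberately does not count.
REPORT_EVENTS = [
    ("File created", r"C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp", SAMPLE),
    ("File created", r"C:\Program Files\Microsoft Office\root\Office16\MSPPT.OLB.tmp", SAMPLE),
    ("File created", r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.dll.tmp", SAMPLE),
    ("File created", r"C:\Program Files\Java\jdk-1.8\jre\lib\flavormap.properties.tmp", SAMPLE),
    ("File created", r"C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.tmp", SAMPLE),
    ("File created", r"C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-180.png.tmp", SAMPLE),
    ("File created", r"C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF.tmp", SAMPLE),
    ("File created", r"C:\Program Files\7-Zip\Lang\hi.txt.tmp", SAMPLE),
    ("File created", r"C:\Program Files\Common Files\System\ado\adovbs.inc.tmp", SAMPLE),
    ("File created", r"C:\Program Files\Java\jdk-1.8\include\jni.h.tmp", SAMPLE),
    ("File created", r"C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML.tmp", SAMPLE),
    ("File created", r"C:\Program Files\Google\Chrome\Application\133.0.6943.60\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig.tmp", SAMPLE),
    ("File created", r"C:\$Recycle.Bin\S-1-5-21-3623617754-4043701611-775564599-1000\desktop.ini.tmp", SAMPLE),
    ("File created", r"C:\b96a7bef2438b67e1aee\2010_x86.log.html.tmp", SAMPLE),
    ("File created", r"C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.tmp", SAMPLE),
]

# Constructed benign noise: an installer writing ordinary single-suffix temp files, and one editor save.
BENIGN_EVENTS = [
    ("File created", r"C:\Users\Admin\AppData\Local\Temp\tmpA1B2.tmp", r"C:\Windows\System32\msiexec.exe"),
    ("File created", r"C:\Users\Admin\AppData\Local\Temp\tmpC3D4.tmp", r"C:\Windows\System32\msiexec.exe"),
    ("File created", r"C:\Users\Admin\Documents\notes.txt.tmp", r"C:\Windows\System32\notepad.exe"),
]


def appended_suffix(path: str):
    """Return (original_name, appended_suffix) when the last extension sits on a name that
    already had one, e.g. 'jni.h.tmp' -> ('jni.h', '.tmp'); None otherwise."""
    p = PureWindowsPath(path)
    if len(p.suffixes) < 2:
        return None
    return p.name[: -len(p.suffix)], p.suffix.lower()


def detect_mass_rename(events, min_files=50, min_dirs=10, min_orig_exts=3):
    """Flag processes that stamp one identical suffix onto many already-extended files spread
    over many directories and many original file types. Thresholds are illustrative."""
    stats = defaultdict(lambda: {"suffixes": Counter(), "dirs": set(), "orig_exts": set()})
    for op, path, proc in events:
        if op not in ("File created", "File renamed"):
            continue
        hit = appended_suffix(path)
        if hit is None:
            continue
        original, suffix = hit
        s = stats[proc]
        s["suffixes"][suffix] += 1
        s["dirs"].add(str(PureWindowsPath(path).parent).lower())
        s["orig_exts"].add(PureWindowsPath(original).suffix.lower())
    alerts = []
    for proc, s in stats.items():
        suffix, n = s["suffixes"].most_common(1)[0]
        if n >= min_files and len(s["dirs"]) >= min_dirs and len(s["orig_exts"]) >= min_orig_exts:
            alerts.append({"process": proc, "suffix": suffix, "files": n,
                           "directories": len(s["dirs"]),
                           "original_extensions": sorted(s["orig_exts"])})
    return alerts


def analyze_report():
    """Run the detector over the report subset plus the benign noise. Thresholds are lowered
    here because only 15 of the 5202 rename events are reproduced above."""
    return detect_mass_rename(REPORT_EVENTS + BENIGN_EVENTS, min_files=10, min_dirs=5)
```

Requiring several distinct original extensions is what separates this from an installer or updater, which typically writes `.tmp` beside a handful of its own file types in one tree. The heuristic misses extension-less originals (the `FA000000014.tmp` row), so pair it with a rename-rate or entropy check rather than relying on it alone; on a real endpoint feed the source would be Sysmon Event ID 11 (FileCreate) or an EDR file-rename stream, not a sandbox table.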
System Location Discovery: System Language Discovery (T1614.001)
Note: the report records only that the key below was opened, not the value read or any decision taken on it. Benign locale lookups touch the same key, so on its own this is a weak indicator; it matters here in combination with the mass rename above.
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe
"C:\Users\Admin\AppData\Local\Temp\5060933ed96daca096e2f3b275e56b47049d818b84d065c182683c251c725b5a.exe"
Network
Note: the destinations below (the Bing image CDN and Google's PKI endpoint) are consistent with Windows and Chrome background traffic on the detonation host. The table carries no process attribution, so none of these connections can be tied to the sample and no C2 can be inferred from this run.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 142.250.27.94:80 | c.pki.goog | tcp |
Files
C:\$Recycle.Bin\S-1-5-21-3623617754-4043701611-775564599-1000\desktop.ini.tmp
| MD5 | 95c226bf8baab79f9062651c7e7a93e3 |
| SHA1 | 9b9151b72648110516fd4a018393e44f7e004594 |
| SHA256 | 8df730a240d258df2e2bb8ac526ba968a566aeeba22b8e706f4e6777717bf357 |
| SHA512 | e58d7c384b1786f11dda30a638b561fd4cbae6577256ff0e06ea4624881dbe21558d246c7df46fdda2d878e97c8496c2a57839d99f89ff595aebaa1fe5cef307 |
C:\b96a7bef2438b67e1aee\2010_x86.log.html.tmp
| MD5 | 7a36c1763cfcd435eda7df56729128bf |
| SHA1 | a745748672668006525058ea11d8d56dca61821b |
| SHA256 | ca1c9758ed7a46715f81f9f2399eb66b835923a846b8f6fb0e789081f26be16e |
| SHA512 | 143c557b2b1c599ea5f84acd33a1263320fa99c84224fc9f707b2412d740e887ab974c3799b57d3da548321839d402af577a1a390811b015a9f4fa6adf832d88 |
Memory
memory/3820-799-0x0000000000400000-0x0000000000407000-memory.dmp