Analysis Overview
SHA256
65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52
Threat Level: Known bad
The file 65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52 was found to be: Known bad.
Malicious Activity Summary
Cosmu family
Detects Cosmu payload
Cosmu
Renames multiple (4839) files with added filename extension
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-29 11:58
Signatures
Cosmu family
Detects Cosmu payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-29 11:58
Reported
2025-05-29 12:01
Platform
win10v2004-20250502-en
Max time kernel
149s
Max time network
137s
Command Line
Signatures
Cosmu
Cosmu family
Detects Cosmu payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Renames multiple (4839) files with added filename extension
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Microsoft Office\root\Office16\ExcelInterProviderRanker.bin.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Common Files\System\Ole DB\msdasqlr.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\lib\fonts\LucidaSansDemiBold.ttf.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\System.Security.Cryptography.ProtectedData.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp5-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLPROXY.DLL.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.Primitives.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8.mp4.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription5-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Internet Explorer\SIGNUP\install.ins.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\prism_d3d.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\legal\jdk\joni.md.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\lib\security\java.security.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-phn.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\Microsoft.VisualBasic.Forms.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019DemoR_BypassTrial180-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019DemoR_BypassTrial180-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Excel.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.deps.json.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.AccessControl.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Xaml.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN026.XML.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Security.Cryptography.Primitives.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\ReachFramework.resources.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-ppd.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Office.PowerPivot.ExcelAddIn.tlb.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ONBttnIE.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-string-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\bin\fxplugins.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\legal\jdk\jopt-simple.md.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Integration\SPPRedist.msi.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_KMS_Client-ul.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTest-pl.xrm-ms.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\lib\meta-index.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Collections.Concurrent.dll.tmp | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe
"C:\Users\Admin\AppData\Local\Temp\65349d39466a2429eb00219c14c4458691f35198423b5e6ee268eaeefb2e0c52.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 142.250.27.94:80 | c.pki.goog | tcp |
Files
C:\$Recycle.Bin\S-1-5-21-2930597513-779029253-718817275-1000\desktop.ini.tmp
| Hash | Value |
| --- | --- |
| MD5 | 525c7210e41d12f93150a23cba336bc0 |
| SHA1 | cfc27b79b5f38e1f75dba9d4bce9a1953b165ca5 |
| SHA256 | f05c9246dc809a7a1e0d7aab3ffc3079bcb154b8c3b95feaf6950eead92c8179 |
| SHA512 | efadbba0abebe80d5a8d62e2509b6ac259c3fac04082f9e7f6310b861bc98bfb9c6cdb0905be3015218ff5840c46a7ec2562c56b16535c3690dcc9dc7e9eed21 |
C:\6479eedf55783993fe56765264\2010_x86.log.html.tmp
| Hash | Value |
| --- | --- |
| MD5 | 19bef3ecc2afc72fc919a9410bdc2c17 |
| SHA1 | 2269faa31c0b323db620031cd2edfe5bdde278a2 |
| SHA256 | 8ba8e187f2e47ee8da7dc8158237c23956ad21368099d9490f96c98e1b81f975 |
| SHA512 | 76a542dbd3840fee67acf487ed9391ca720ce8ba07634cf1d06f561cbbd05e87a9378145a0b306587af97d02538d3bcfef9768b30bd4c7a36f341e1c89ba9163 |