Analysis
max time kernel: 507s
max time network: 506s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/04/2024, 17:28
Static task: static1
Behavioral task: behavioral1
Sample: Cosmos_InstallerLast.msi
Resource: win10v2004-20240226-en

General
Target: Cosmos_InstallerLast.msi
Size: 41.3MB
MD5: 3557dec4b3425f3a4337842267e97413
SHA1: 2570810596dbf2f4930164ab7ebf1309c5f57230
SHA256: 0899b99992e6f8143ad1c51ed422ca64ae309e5663fc3e3d38504c2e45576a93
SHA512: e2c8e4b97f8a8b98725e2d09dd1ac81948a822c4c8aba4b974e79b22bd6b4662cf87f374131f089f44fed7e2ca541205397b879c496d466f7879caf5466d8fac
SSDEEP: 786432:XHM8SkQIgNNR+uDfVoJhFl/zPCdi3uS+5ep2NaKDXyMQKHktsI8z8/fiC/JcJVsU:XHM8SkeNvbDfVoJzl/zP13TS78KDXyMl
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{24a68a65-6ac6-4276-9d7d-2c3939d8474e} = "\"C:\\ProgramData\\Package Cache\\{24a68a65-6ac6-4276-9d7d-2c3939d8474e}\\windowsdesktop-runtime-7.0.17-win-x64.exe\" /burn.runonce" | windowsdesktop-runtime-7.0.17-win-x64.exe
Downloads MZ/PE file

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | windowsdesktop-runtime-7.0.17-win-x64.exe
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | CosmosApp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | CosmosApp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | CosmosApp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | CosmosApp.exe
Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | CosmosApp.exe
Drops file in System32 directory (1 IoC)
description | ioc | process
File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | PowerShell.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (64 IoCs)
description | ioc | process
File created | C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.17 (x64).swidtag | windowsdesktop-runtime-7.0.17-win-x64.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Text.Encoding.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\pt-BR\Microsoft.VisualBasic.Forms.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\de\System.Windows.Input.Manipulations.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Collections.Immutable.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.IO.Pipes.AccessControl.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\ja\UIAutomationProvider.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\pt-BR\UIAutomationProvider.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Runtime.Handles.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Security.Cryptography.Cng.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.ValueTuple.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Diagnostics.TextWriterTraceListener.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\zh-Hans\System.Windows.Controls.Ribbon.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\pt-BR\ReachFramework.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\tr\PresentationCore.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Web.HttpUtility.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\PresentationFramework.Luna.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Private.CoreLib.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\zh-Hans\UIAutomationClient.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\ko\PresentationFramework.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.ComponentModel.Annotations.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\de\System.Xaml.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\ko\Microsoft.VisualBasic.Forms.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Net.WebProxy.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\mscorrc.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\pt-BR\PresentationUI.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\PenImc_cor3.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Runtime.Serialization.Xml.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\de\UIAutomationClientSideProviders.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Collections.Concurrent.dll | msiexec.exe
File created | C:\Program Files\dotnet\host\fxr\7.0.17\hostfxr.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\zh-Hans\System.Windows.Forms.Primitives.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\zh-Hans\UIAutomationClientSideProviders.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\de\PresentationCore.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\fr\WindowsBase.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Net.Sockets.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Threading.Timer.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Transactions.dll | msiexec.exe
File created | C:\Program Files\dotnet\ThirdPartyNotices.txt | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\pt-BR\WindowsBase.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Runtime.CompilerServices.Unsafe.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Security.Principal.Windows.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Security.Cryptography.Encoding.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\System.Windows.Forms.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\System.Windows.Input.Manipulations.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\es\System.Windows.Forms.Design.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Numerics.Vectors.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\cs\Microsoft.VisualBasic.Forms.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\pt-BR\WindowsFormsIntegration.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\it\UIAutomationClientSideProviders.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Windows.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Globalization.Calendars.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\cs\UIAutomationTypes.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\ja\ReachFramework.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\System.Drawing.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Collections.NonGeneric.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Console.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\pl\PresentationFramework.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\ru\UIAutomationClient.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.IO.Compression.Brotli.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Net.WebHeaderCollection.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\de\WindowsBase.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\ja\WindowsBase.resources.dll | msiexec.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\de\WindowsFormsIntegration.resources.dll | msiexec.exe
Drops file in Windows directory (47 IoCs)
description | ioc | process
File created | C:\Windows\Installer\SourceHash{A638EFAE-5229-46A8-9A18-D0FF9D9827D2} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI78DC.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7A73.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\C2F0B9809D7807446B6E51D46D69C165\56.68.10360\fileCoreHostExe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI82A4.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI962E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4BAD.tmp | msiexec.exe
File created | C:\Windows\Installer\{462818AD-0C27-419A-9271-68FF4B52279A}\Cosmos_V1_PSD.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\{462818AD-0C27-419A-9271-68FF4B52279A}\Cosmos_V1_PSD.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI664B.tmp | msiexec.exe
File created | C:\Windows\Installer\e598a1e.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e598a1e.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\C2F0B9809D7807446B6E51D46D69C165 | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8003.tmp | msiexec.exe
File created | C:\Windows\Installer\e598a29.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI937C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID6D3.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e598a19.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI50AF.tmp | msiexec.exe
File created | C:\Windows\Installer\e598a1d.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{089B0F2C-87D9-4470-B6E6-154DD6961C56} | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9797.tmp | msiexec.exe
File created | C:\Windows\Installer\e598a18.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI760C.tmp | msiexec.exe
File created | C:\Windows\Installer\e598a22.msi | msiexec.exe
File created | C:\Windows\Installer\e598a28.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{93812F65-BAA9-42E0-AF19-F15F39A92E3C} | msiexec.exe
File created | C:\Windows\Installer\e598a16.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI94F4.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6D41.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7DDF.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\C2F0B9809D7807446B6E51D46D69C165\56.68.10360 | msiexec.exe
File created | C:\Windows\Installer\$PatchCache$\Managed\C2F0B9809D7807446B6E51D46D69C165\56.68.10360\fileCoreHostExe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI95A1.tmp | msiexec.exe
File created | C:\Windows\Installer\e598a19.msi | msiexec.exe
File created | C:\Windows\Installer\e598a23.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e598a29.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8B8E.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{462818AD-0C27-419A-9271-68FF4B52279A} | msiexec.exe
File created | C:\Windows\Installer\SourceHash{6B4D3428-4800-446B-971F-62A7377F06F6} | msiexec.exe
File opened for modification | C:\Windows\Installer\e598a23.msi | msiexec.exe
File created | C:\Windows\Installer\e598a2d.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA60D.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e598a16.msi | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
Executes dropped EXE (10 IoCs)
pid | process
3684 | CosmosApp.exe
4620 | CosmosApp.exe
1792 | windowsdesktop-runtime-7.0.17-win-x64.exe
4196 | windowsdesktop-runtime-7.0.17-win-x64.exe
1616 | windowsdesktop-runtime-7.0.17-win-x64.exe
1924 | CosmosApp.exe
3080 | CosmosApp.exe
3792 | CosmosApp.exe
712 | CosmosApp.exe
1152 | CosmosApp.exe
Loads dropped DLL (64 IoCs)
pid | process (consecutive identical entries collapsed, count in parentheses)
232 | MsiExec.exe (13)
4068 | MsiExec.exe (5)
232 | MsiExec.exe (4)
4196 | windowsdesktop-runtime-7.0.17-win-x64.exe (1)
1096 | MsiExec.exe (2)
4840 | MsiExec.exe (2)
2448 | MsiExec.exe (2)
4548 | MsiExec.exe (2)
1924 | CosmosApp.exe (33)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies Control Panel (5 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Colors | CosmosApp.exe
Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Colors | CosmosApp.exe
Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Colors | CosmosApp.exe
Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Colors | CosmosApp.exe
Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Colors | CosmosApp.exe
Modifies data under HKEY_USERS (11 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26 | msiexec.exe
Modifies registry class (64 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F\SourceList\Media | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C2F0B9809D7807446B6E51D46D69C165\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_7.0_x64\Dependents\{24a68a65-6ac6-4276-9d7d-2c3939d8474e} | windowsdesktop-runtime-7.0.17-win-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\56F218399AAB0E24FA911FF5939AE2C3\MainFeature | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\Assignment = "1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_56.68.10360_x64\ = "{A638EFAE-5229-46A8-9A18-D0FF9D9827D2}" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_56.68.10360_x64 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F\Version = "943990904" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C2F0B9809D7807446B6E51D46D69C165\PackageCode = "50281206D11C96543A9F78E2A26DBD6C" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D7BDF8162D15FAB6F8D7D17A868D0E24\8243D4B60084B64479F1267A73F7606F | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F\SourceList\Net | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\56F218399AAB0E24FA911FF5939AE2C3\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\ProductName = "Cosmos" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F\Assignment = "1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_56.68.10379_x64\Version = "56.68.10379" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\56F218399AAB0E24FA911FF5939AE2C3\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{24a68a65-6ac6-4276-9d7d-2c3939d8474e}\Version = "7.0.17.33416" | windowsdesktop-runtime-7.0.17-win-x64.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EAFE836A92258A64A9810DFFD989722D\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F\SourceList\PackageName = "dotnet-hostfxr-7.0.17-win-x64.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_56.68.10360_x64\Dependents\{24a68a65-6ac6-4276-9d7d-2c3939d8474e} | windowsdesktop-runtime-7.0.17-win-x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C2F0B9809D7807446B6E51D46D69C165\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5993C192D5D5A16615C73BE6C2403B07 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\DA81826472C0A914291786FFB42572A9\C63A5E8718343189D035A252D1450C5 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{24a68a65-6ac6-4276-9d7d-2c3939d8474e}\Dependents\{24a68a65-6ac6-4276-9d7d-2c3939d8474e} | windowsdesktop-runtime-7.0.17-win-x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_56.68.10360_x64 | windowsdesktop-runtime-7.0.17-win-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EAFE836A92258A64A9810DFFD989722D\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8243D4B60084B64479F1267A73F7606F\MainFeature | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_56.68.10379_x64\Dependents\{24a68a65-6ac6-4276-9d7d-2c3939d8474e} | windowsdesktop-runtime-7.0.17-win-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8243D4B60084B64479F1267A73F7606F\Provider | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C2F0B9809D7807446B6E51D46D69C165\DeploymentFlags = "3" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\Version = "83951618" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\SourceList\PackageName = "Cosmos_InstallerLast.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_56.68.10360_x64\Dependents | windowsdesktop-runtime-7.0.17-win-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C2F0B9809D7807446B6E51D46D69C165\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{089B0F2C-87D9-4470-B6E6-154DD6961C56}v56.68.10360\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_7.0_x64 | windowsdesktop-runtime-7.0.17-win-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_56.68.10360_x64\Version = "56.68.10360" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\56F218399AAB0E24FA911FF5939AE2C3\Provider | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\56F218399AAB0E24FA911FF5939AE2C3\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\56F218399AAB0E24FA911FF5939AE2C3\Version = "943990923" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5993C192D5D5A16615C73BE6C2403B07\56F218399AAB0E24FA911FF5939AE2C3 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EAFE836A92258A64A9810DFFD989722D | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EAFE836A92258A64A9810DFFD989722D\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0CDC6D012275297408FC47E8F4FA7EDB\EAFE836A92258A64A9810DFFD989722D | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EAFE836A92258A64A9810DFFD989722D\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F\ProductName = "Microsoft .NET Host FX Resolver - 7.0.17 (x64)" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EAFE836A92258A64A9810DFFD989722D\SourceList\PackageName = "dotnet-runtime-7.0.17-win-x64.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_runtime_56.68.10360_x64 | windowsdesktop-runtime-7.0.17-win-x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C2F0B9809D7807446B6E51D46D69C165\MainFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\56F218399AAB0E24FA911FF5939AE2C3\ProductName = "Microsoft Windows Desktop Runtime - 7.0.17 (x64)" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\56F218399AAB0E24FA911FF5939AE2C3\SourceList\PackageName = "windowsdesktop-runtime-7.0.17-win-x64.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\56F218399AAB0E24FA911FF5939AE2C3\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{93812F65-BAA9-42E0-AF19-F15F39A92E3C}v56.68.10379\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\DA81826472C0A914291786FFB42572A9 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EAFE836A92258A64A9810DFFD989722D\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C2F0B9809D7807446B6E51D46D69C165\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C2F0B9809D7807446B6E51D46D69C165\SourceList\PackageName = "dotnet-host-7.0.17-win-x64.msi" | msiexec.exe
NTFS ADS (1 IoC)
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 917679.crdownload:SmartScreen | msedge.exe
Opens file in notepad (likely ransom note) (1 IoC)
pid | process
2692 | Notepad.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid | process (consecutive identical entries collapsed, count in parentheses)
4484 | msiexec.exe (2)
4928 | msedge.exe (2)
4452 | msedge.exe (2)
1676 | identity_helper.exe (2)
2280 | msedge.exe (2)
4484 | msiexec.exe (8)
4820 | msedge.exe (4)
2296 | PowerShell.exe (2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (13 IoCs)
pid | process (consecutive identical entries collapsed, count in parentheses)
4928 | msedge.exe (13)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process
Token: SeShutdownPrivilege | 4848 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4848 | msiexec.exe
Token: SeSecurityPrivilege | 4484 | msiexec.exe
Token: SeCreateTokenPrivilege | 4848 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4848 | msiexec.exe
Token: SeLockMemoryPrivilege | 4848 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4848 | msiexec.exe
Token: SeMachineAccountPrivilege | 4848 | msiexec.exe
Token: SeTcbPrivilege | 4848 | msiexec.exe
Token: SeSecurityPrivilege | 4848 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4848 | msiexec.exe
Token: SeLoadDriverPrivilege | 4848 | msiexec.exe
Token: SeSystemProfilePrivilege | 4848 | msiexec.exe
Token: SeSystemtimePrivilege | 4848 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4848 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4848 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4848 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4848 | msiexec.exe
Token: SeBackupPrivilege | 4848 | msiexec.exe
Token: SeRestorePrivilege | 4848 | msiexec.exe
Token: SeShutdownPrivilege | 4848 | msiexec.exe
Token: SeDebugPrivilege | 4848 | msiexec.exe
Token: SeAuditPrivilege | 4848 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4848 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4848 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4848 | msiexec.exe
Token: SeUndockPrivilege | 4848 | msiexec.exe
Token: SeSyncAgentPrivilege | 4848 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4848 | msiexec.exe
Token: SeManageVolumePrivilege | 4848 | msiexec.exe
Token: SeImpersonatePrivilege | 4848 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4848 | msiexec.exe
Token: SeCreateTokenPrivilege | 4848 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4848 | msiexec.exe
Token: SeLockMemoryPrivilege | 4848 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4848 | msiexec.exe
Token: SeMachineAccountPrivilege | 4848 | msiexec.exe
Token: SeTcbPrivilege | 4848 | msiexec.exe
Token: SeSecurityPrivilege | 4848 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4848 | msiexec.exe
Token: SeLoadDriverPrivilege | 4848 | msiexec.exe
Token: SeSystemProfilePrivilege | 4848 | msiexec.exe
Token: SeSystemtimePrivilege | 4848 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4848 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4848 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4848 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4848 | msiexec.exe
Token: SeBackupPrivilege | 4848 | msiexec.exe
Token: SeRestorePrivilege | 4848 | msiexec.exe
Token: SeShutdownPrivilege | 4848 | msiexec.exe
Token: SeDebugPrivilege | 4848 | msiexec.exe
Token: SeAuditPrivilege | 4848 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4848 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4848 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4848 | msiexec.exe
Token: SeUndockPrivilege | 4848 | msiexec.exe
Token: SeSyncAgentPrivilege | 4848 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4848 | msiexec.exe
Token: SeManageVolumePrivilege | 4848 | msiexec.exe
Token: SeImpersonatePrivilege | 4848 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4848 | msiexec.exe
Token: SeCreateTokenPrivilege | 4848 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4848 | msiexec.exe
Token: SeLockMemoryPrivilege | 4848 | msiexec.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid   Process
4848  msiexec.exe   (3 entries)
4928  msedge.exe    (61 entries, the remainder of the 64)
-
Suspicious use of SendNotifyMessage 24 IoCs
pid   Process
4928  msedge.exe    (all 24 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
description                          pid   Process        procid_target   entries
PID 4484 wrote to memory of 232      4484  msiexec.exe    87              3
PID 4484 wrote to memory of 5028     4484  msiexec.exe    102             2
PID 4484 wrote to memory of 4068     4484  msiexec.exe    104             3
PID 4620 wrote to memory of 4928     4620  CosmosApp.exe  109             2
PID 4928 wrote to memory of 368      4928  msedge.exe     110             2
PID 3684 wrote to memory of 2836     3684  CosmosApp.exe  111             2
PID 4928 wrote to memory of 264      4928  msedge.exe     112             40
PID 4928 wrote to memory of 4452     4928  msedge.exe     113             2
PID 4928 wrote to memory of 4408     4928  msedge.exe     114             8
-
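The three lists above are each one flattened table (columns description / pid / Process, or pid / Process), which makes 64-entry lists hard to read. The helper below is an added example written for this page, not part of the sandbox report or its vendor's tooling. It parses those strings into per-process counts: which privileges each PID enabled and how often, which parent PID wrote into which child PID, and how many times a PID appears in a window-message list. The three sample strings are shortened constructed excerpts of the lists on this page, and the SENSITIVE set is this example's own shortlist of privileges that deserve a second look. Keep the program's role in mind when reading the output: the Windows Installer (msiexec.exe) adjusting privileges during an install, and a browser writing into the child processes it spawns, are what those programs do; the aggregation is for spotting a privilege or a parent/child pair that does not fit the program's role.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpts in the report's flattened format (shortened copies of the
# page's own "Suspicious use of ..." lists, used here only as sample input).
ADJUST_PRIV = (
    "Token: SeShutdownPrivilege 4848 msiexec.exe Token: SeIncreaseQuotaPrivilege 4848 msiexec.exe "
    "Token: SeSecurityPrivilege 4484 msiexec.exe Token: SeCreateTokenPrivilege 4848 msiexec.exe "
    "Token: SeDebugPrivilege 4848 msiexec.exe Token: SeCreateTokenPrivilege 4848 msiexec.exe"
)
WPM = (
    "PID 4484 wrote to memory of 232 4484 msiexec.exe 87 "
    "PID 4484 wrote to memory of 232 4484 msiexec.exe 87 "
    "PID 4620 wrote to memory of 4928 4620 CosmosApp.exe 109 "
    "PID 4928 wrote to memory of 264 4928 msedge.exe 112 "
    "PID 4928 wrote to memory of 4452 4928 msedge.exe 113"
)
PID_PROC = "4848 msiexec.exe 4848 msiexec.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe"

TOKEN_RE = re.compile(r"Token:\s+(\S+)\s+(\d+)\s+(\S+)")
WPM_RE = re.compile(r"PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+\d+\s+(\S+)\s+(\d+)")
PIDPROC_RE = re.compile(r"(\d+)\s+(\S+\.exe)")

# This example's own shortlist: privileges that let a process read or act as
# other processes/users, load code into the kernel, or bypass file ACLs.
SENSITIVE = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeCreateTokenPrivilege",
}


def parse_privileges(text):
    """{(pid, image): Counter({privilege: times it was enabled})} from an AdjustPrivilegeToken list."""
    out = defaultdict(Counter)
    for priv, pid, proc in TOKEN_RE.findall(text):
        out[(int(pid), proc)][priv] += 1
    return out


def sensitive_privileges(priv_by_proc, pid, proc):
    """Sorted list of SENSITIVE privileges the given (pid, image) enabled at least once."""
    return sorted(p for p in priv_by_proc.get((pid, proc), {}) if p in SENSITIVE)


def parse_wpm(text):
    """{(parent_pid, parent_image): Counter({child_pid: writes})} from a WriteProcessMemory list."""
    out = defaultdict(Counter)
    for src, dst, proc, _procid_target in WPM_RE.findall(text):
        out[(int(src), proc)][int(dst)] += 1
    return out


def summarize_wpm(wpm):
    """Rows (parent_pid, parent_image, child_pid, writes), most writes first."""
    rows = [(pid, proc, child, n)
            for (pid, proc), kids in wpm.items() for child, n in kids.items()]
    return sorted(rows, key=lambda r: (-r[3], r[0], r[2]))


def parse_pid_proc(text):
    """Counter of (pid, image) from a plain 'pid Process' list such as FindShellTrayWindow."""
    return Counter((int(pid), proc) for pid, proc in PIDPROC_RE.findall(text))


if __name__ == "__main__":
    privs = parse_privileges(ADJUST_PRIV)
    for key, counter in privs.items():
        print(key, dict(counter), "sensitive:", sensitive_privileges(privs, *key))
    for row in summarize_wpm(parse_wpm(WPM)):
        print("%s(%d) -> PID %d: %d write(s)" % (row[1], row[0], row[2], row[3]))
    print(parse_pid_proc(PID_PROC))
```

Feed the functions the full lists from the page (the text after the column header) to get the complete picture; the entry counts they return can also be checked against the "N IoCs" figure in each signature heading, which tells you whether the list was cut off at a cap.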
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
PID:4848  C:\Windows\system32\msiexec.exe
  cmdline: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Cosmos_InstallerLast.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

PID:4484  C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    PID:232  C:\Windows\syswow64\MsiExec.exe
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding FAE0E98D217D45BC5C5DC402B480CA97 C
      - Loads dropped DLL
    PID:5028  C:\Windows\system32\srtasks.exe
      cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID:4068  C:\Windows\syswow64\MsiExec.exe
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding AEFC417AC85B5DE0F67270B3ACD7EA05
      - Loads dropped DLL
    PID:1096  C:\Windows\syswow64\MsiExec.exe
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding DEC0B834F856A9339A1A6C91A89603A9
      - Loads dropped DLL
    PID:4840  C:\Windows\syswow64\MsiExec.exe
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 2274EEF7CA2C17997561ADC82FE23CF5
      - Loads dropped DLL
    PID:2448  C:\Windows\syswow64\MsiExec.exe
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C17B143B364C721F0F0E4CAC8164E5B0
      - Loads dropped DLL
    PID:4548  C:\Windows\syswow64\MsiExec.exe
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 702B882CD6DB8C3BDEC66800B91186BA
      - Loads dropped DLL

PID:3604  C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)

PID:2692  C:\Windows\System32\Notepad.exe
  cmdline: "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\MountConvertFrom.vbs
  - Opens file in notepad (likely ransom note)

PID:3684  C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe
  cmdline: "C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    PID:2836  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?framework=Microsoft.NETCore.App&framework_version=7.0.0&arch=x64&rid=win-x64&os=win10&gui=true
        PID:1472  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffc75b46f8,0x7fffc75b4708,0x7fffc75b4718

PID:4620  C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe
  cmdline: "C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    PID:4928  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?framework=Microsoft.NETCore.App&framework_version=7.0.0&arch=x64&rid=win-x64&os=win10&gui=true
      - Enumerates system info in registry
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
        PID:368  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc75b46f8,0x7fffc75b4708,0x7fffc75b4718
        PID:264  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
        PID:4452  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
        PID:4408  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
        PID:4348  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        PID:4492  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        PID:820  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4424 /prefetch:1
        PID:4412  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
        PID:3488  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
        PID:212  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
        PID:1676  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
        PID:4620  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
        PID:3620  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
        PID:5044  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
        PID:4048  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
        PID:4876  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5400 /prefetch:8
        PID:388  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
        PID:4348  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
        PID:2244  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5848 /prefetch:8
        PID:3052  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
        PID:1016  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
        PID:2280  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6352 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
        PID:1792  C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.17-win-x64.exe
          cmdline: "C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.17-win-x64.exe"
          - Executes dropped EXE
            PID:4196  C:\Windows\Temp\{9E405C8B-6624-4111-BD33-B6B8C0714610}\.cr\windowsdesktop-runtime-7.0.17-win-x64.exe
              cmdline: "C:\Windows\Temp\{9E405C8B-6624-4111-BD33-B6B8C0714610}\.cr\windowsdesktop-runtime-7.0.17-win-x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.17-win-x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=688
              - Checks computer location settings
              - Executes dropped EXE
              - Loads dropped DLL
                PID:1616  C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe
                  cmdline: "C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe" -q -burn.elevated BurnPipe.{957F01FD-3E27-4C1F-A57F-DCB67D3DEACE} {875014C8-22FE-45C9-B4AB-07F35121AF3C} 4196
                  - Adds Run key to start application
                  - Drops file in Program Files directory
                  - Executes dropped EXE
                  - Modifies registry class
        PID:4820  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3588 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses

PID:1616  C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID:3528  C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID:1924  C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe
  cmdline: "C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Control Panel

PID:3080  C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe
  cmdline: "C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies Control Panel

PID:2296  C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
  cmdline: "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Desktop'
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
    PID:2680  C:\Program Files\dotnet\dotnet.exe
      cmdline: "C:\Program Files\dotnet\dotnet.exe" .\CosmosApp.dll
        PID:3792  C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe
          cmdline: "C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Modifies Control Panel

PID:3760  C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID:712  C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe
  cmdline: "C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies Control Panel

PID:1152  C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe
  cmdline: "C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies Control Panel
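Reading the tree above: CosmosApp.exe is a .NET application host, and an apphost that cannot find the runtime it needs opens the browser at the aka.ms/dotnet-core-applaunch URL seen on its msedge.exe child (framework=Microsoft.NETCore.App, framework_version=7.0.0, gui=true). The windowsdesktop-runtime-7.0.17-win-x64.exe run from C:\Users\Admin\Downloads is a child of that Edge process, and the Burn bootstrapper chain under C:\Windows\Temp (the .cr clean-room copy, then the -burn.elevated process) carries the "Adds Run key to start application" and "Drops file in Program Files directory" tags. The RunOnce entry is therefore the runtime installer's, not the MSI's; the later CosmosApp.exe runs and the PowerShell-launched dotnet.exe .\CosmosApp.dll are the application being started again once the runtime is present. Two further cautions: the Notepad.exe node tagged "likely ransom note" is a root process with no sample process as its parent, so on its own that tag is a generic heuristic; and PIDs 4620, 4348 and 1616 each appear on two unrelated nodes, so a PID does not identify a process across this report. The helper below is an added example, not part of the report or the sandbox vendor's tooling, that parses the page's flattened tree format (image path fused to command line, depth digit fused to the ⤵ marker, PID on the same line or after the tag lines) into nodes with parent links, so a process's lineage and the reused PIDs can be computed rather than eyeballed. TREE is a constructed, shortened excerpt of this page's tree.

```python
import re

# Constructed excerpt of the report's flattened process tree (shortened copy of the
# page's own entries). Each node line is: image path + command line + depth digit + "⤵",
# optionally followed by "PID:n"; otherwise "- tag" lines and then a "PID:n" line follow.
TREE = r"""
C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe"C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?framework=Microsoft.NETCore.App&framework_version=7.0.0&arch=x64&rid=win-x64&os=win10&gui=true2⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --mojo-platform-channel-handle=2136 /prefetch:23⤵PID:264
-
C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.17-win-x64.exe"C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.17-win-x64.exe"3⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\Temp\{9E405C8B-6624-4111-BD33-B6B8C0714610}\.cr\windowsdesktop-runtime-7.0.17-win-x64.exe"C:\Windows\Temp\{9E405C8B-6624-4111-BD33-B6B8C0714610}\.cr\windowsdesktop-runtime-7.0.17-win-x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.17-win-x64.exe" -burn.filehandle.self=6884⤵
- Executes dropped EXE
PID:4196 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --renderer-client-id=11 /prefetch:13⤵PID:4620
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1616
"""

# The image path ends at the first ".exe"; the depth is the last digit before "⤵"
# (greedy .* leaves exactly one digit for the depth group).
NODE_RE = re.compile(r"^(?P<path>.*?\.exe)(?P<cmd>.*)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?\s*$", re.I)


def parse_tree(text):
    """Return a list of node dicts (path, cmdline, depth, pid, tags, parent index)."""
    nodes, stack, cur = [], [], None          # stack[d-1] = index of last node at depth d
    for raw in text.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            depth = int(m["depth"])
            del stack[depth - 1:]              # close deeper (and same-depth) nodes
            parent = stack[-1] if depth > 1 and len(stack) == depth - 1 else None
            cur = {"path": m["path"], "cmdline": m["cmd"].strip(), "depth": depth,
                   "pid": int(m["pid"]) if m["pid"] else None, "tags": [], "parent": parent}
            nodes.append(cur)
            stack.append(len(nodes) - 1)
        elif cur is not None and line.startswith("- "):
            cur["tags"].append(line[2:])
        elif cur is not None and line.startswith("PID:"):
            cur["pid"] = int(line[4:].split()[0])   # "PID:4620 -" -> 4620
    return nodes


def image(node):
    """Basename of the image path."""
    return node["path"].rsplit("\\", 1)[-1]


def lineage(nodes, idx):
    """Root-to-node chain as 'image(pid)' strings."""
    chain = []
    while idx is not None:
        n = nodes[idx]
        chain.append(f"{image(n)}({n['pid']})")
        idx = n["parent"]
    return chain[::-1]


def pid_reuse(nodes):
    """PIDs that appear on more than one node; a PID alone does not identify a process."""
    seen = {}
    for n in nodes:
        seen.setdefault(n["pid"], []).append(image(n))
    return {pid: imgs for pid, imgs in seen.items() if len(imgs) > 1}


def find(nodes, needle):
    """Indices of nodes whose command line contains needle (case-insensitive)."""
    return [i for i, n in enumerate(nodes) if needle.lower() in n["cmdline"].lower()]


if __name__ == "__main__":
    nodes = parse_tree(TREE)
    for i in find(nodes, "burn.clean.room"):
        print(" -> ".join(lineage(nodes, i)))
    print("reused PIDs:", pid_reuse(nodes))
```

Run it on the full tree text from the page to list the lineage of every Burn process (find(nodes, "burn.")) and every CosmosApp.exe instance; the result should show each installer process descending from the Edge process that opened the aka.ms URL, which is the chain described above.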
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
50KB
MD50741afabefacd0339e4d21b545d8280e
SHA1cc7777d43faf3fb6f707bd46cec4b78121279473
SHA2562a5bfc4d88d4a040b10a7736d95c1eb255ef7454b58da12a1473e659ad691c22
SHA512ac22991b9b674c7fcd20c78f0cb577689be2becabc0be644ee2635d25d304fe2a4ef34c510249d94762cdb8c3bf7b0084159ec986327ec83349c5ae83d08bdd2
-
Filesize
48KB
MD57c95941440a143ed169f710e7173ab97
SHA127138440f6cdec99c8dfee83a515c4e402eaabfb
SHA2569094fd7f58ac9b363d2ea10bd17b93177d72959178b4c15c3d083155bf05e2dc
SHA5129c0b1c7f0b7c2ecd9581216bd73e185bd444b02b032e735b4a8467eca2d0f1a5aaca5fb4c64f1052b7bf872a4e7be708ecacbd2c2ecdeb3a6203e93dae2a76c9
-
Filesize
9KB
MD50f5aeaf257ec11231913b35585890f8d
SHA1c16a3d8362d504b67e0260e188b76a098ed2ca29
SHA256c761437b86880e74eb708b37408a8c876e48979b198ac634a444d8cba8655d82
SHA512c8bcf911de3480aed158a0936e8e4dae4944fd2d58fbb45d4b89f855d9db03e485c2c4af79a1c7b5abe296d6765bf8f371dbe2dc06b7a04698c553311266fb4c
-
Filesize
10KB
MD56cb1384a5b184e2f10ba259bdb77a871
SHA16d7b8f581047b3b7e70a6dbd3edae0948fb98545
SHA2562b345c80bb9d2ee07179b7f7434d362485453c12259cd49f4a01f6ae564e249c
SHA5122b4bd4da313bc1605c216406ebb285bee595e6ed0856f34b5cc9fc3fda15d6d25fed6a70e79de2f4f894e5c1ec48af62c440f1adc597f5eaaf133ef0ade3f596
-
Filesize
87KB
MD595f25f00ae83b1277b653b1f339acd9b
SHA1757d082c18f19289f05c26dec5e53de137e9622f
SHA2569e53a43b0c6239446229a265b2bacd2886022e3ec8841d7b224194ea93cccb70
SHA512f09dd23561970c394b730b40c6418a09779dfdccb2dbd96c06f7ddf28d41da175a9e55ebc79e3e26772fbec29392b916882a76542e603b2a9a931d196790c9f0
-
Filesize
85KB
MD55c13a5ea8c8cc3474240981d0ffa88ff
SHA11d8d3ce27d9dc3d9fb4fa4b06c20137d25879d80
SHA2564f9bb3901879bafae3a17c6c4009ee5c15384a06fc234bed78937969079c77da
SHA51232ea79ff5194d8a18e75f277aed5610b4955db15b0abbcc2664cf07f372bebfc57eb665ad078dc3da3ce5ee0d8856140c2a1bc7032b578dd103d43998d682d88
-
Filesize
298B
MD5b89988ba8ee484389bd26e6831203f79
SHA14bbac5af54a3d6f2b400171ce9260ac927cedfa5
SHA25660234e75c41716def3922d7a20ffde4ec76d833a5f1512dbe45384f571859d9c
SHA5127324acc9075eb66768f3db5d59b4151f293e45b7b9447828fbd0185589f89d9fc419e5c9306d35d1ae6118ab6cf3729c454be9f80f06ca71b99a2f8ac8f93ce5
-
Filesize
152B
MD51e3dc6a82a2cb341f7c9feeaf53f466f
SHA1915decb72e1f86e14114f14ac9bfd9ba198fdfce
SHA256a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c
SHA5120a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a
-
Filesize
152B
MD536bb45cb1262fcfcab1e3e7960784eaa
SHA1ab0e15841b027632c9e1b0a47d3dec42162fc637
SHA2567c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae
SHA51202c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize408B
MD5d652e41c5d676c921688fa59a81fe8e5
SHA1aa35da4e135023b6d2f918867e00f55a2230449e
SHA256b2fb6636a33974fef0902d8d960d750bfcac002a3372518367b96c5be596684d
SHA5122f5119a6d24e5bf31fa059c72d554e17cce41d56948b395b259107d5d3d670acbfc41b5b22de007feb2ff232e6819657eccf76741d601aaa9f9f1f6b545114e9
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
1002B
MD564def8baf10d553b773278ae9a2b666f
SHA15b96ed79ed129251529d967c2cbd6b2d74aad2b9
SHA256656befaabf16da9a446896590719fda5cde270bd609496c8c9f0507b23bbb591
SHA512691fb3ff245dd8109a9bef067a85e8d0763d6fa0cd303a2a646531349556e6e13c8c814d2eb5d0dc788ded7e21eb026b5995ab9cd48d1357df4cf37d81dd41bc
-
Filesize
6KB
MD5cbd063897b4600e48e0f07f7cfdd80f6
SHA1d2a558cd358a077c238e72c45853f8c12386f8b6
SHA2567e85d5781ce873fd361e78dfaf4305ce3974dc3398000a2ece44a17f4897eb51
SHA512ffc613c0f445a71152e5b66b4cf9c2cad9860da1491f27fba1d6908bbb86e1a3baf753a082ba649a67eed2f09619dd72f4e3674c424dd07643ec1f48fc716ffe
-
Filesize
6KB
MD539ef3c097f6be1d250abd3aca8e11ce0
SHA14e9f4fb550869f2aa021920ea4822ea1f283185d
SHA256aaf97207d5557b2964f7aaf83606a2b84cbfbc681e26a9952767116ff1a89410
SHA512c85fb60cf5d517812801b3448131681198b4dc9767c90b03453c1888d6a23a04e06baa6265cc0490d13e258a75b70ce9924eabd59acbf439e4fb19dd373e1cf7
-
Filesize
6KB
MD56b6c8b10c807a58931d8b7ff52835636
SHA158d9090b9da6a80c557c7789816fcb5f6852e107
SHA2564262744c75b1056d8f14fa8f63aeeda2bc2e296fffc0561e2f7bb437ad3d71ec
SHA512aafc477c8b314a88ac8de575eb5149ee35fcc4d822a2f1b67fde7a8c55bc2370ee4608c4d2859ab066701bfcff58d7feb5a1f86deb1984651d394dd3e0fdb21e
-
Filesize
6KB
MD526d381203505ea512e8e485f4f739d43
SHA1022a159c6ab063b4ed749c656ce4d4c985d4176c
SHA256b3eef331ddbe2e29c89e095cde837965488d8196e51a2afb1f7daff6902fcab1
SHA5124c98ce90c93bdaf69556183b8d9f31011dd28d66a5fc7b1543a88ce0ab8fdbe24acc1b34b1bbd488848da32ee22ff1bf09cf31b26d184733ccef2417dfe8259f
-
Filesize
6KB
MD54054716daa369331752f056cebfa98c0
SHA1fcf1762528644bce3d29f4332d2b38d2f6f3bb94
SHA2561ba8cda68b87e4e02b349cd1421edea743c58b77cc793f4300240318ccfe0ebb
SHA512ee20708e16c8d27b957fd093f7c188d7c3ee5cfca294b6f6b3f853e37c63317a36451086858adc21f61de40f3f36873572fd370d6aa1b2e9f52dbe26ec72a29c
-
Filesize
539B
MD56e3494c3e77aaa324e5f8d1da258863d
SHA17066809650531cbd6f3bdd6e1a18028db26bdf31
SHA256103bfaaa9dc834c23f6d5de349523ac8262858a5979a71b96be6b240f118981a
SHA51238956b866cbbac153b30ee4bda5df0f44fa2df5124f808b8f319ca198f48cfb386be1fa053b4603bb2965f8c1684e5f004f5d9c6e2d0cfeeec729c380c0513a0
-
Filesize
707B
MD53670cf3245d8677c0582127543935480
SHA117d812cd8990bb40d8b6853b192e55d394be8997
SHA25630991d9b98830df65aeda166e610207d67baad44e8b2af65bc2e0e2ecd55ae79
SHA5127257f1ccc6866d799f2bfa2f20e54e40c1e655143480c0fac15a800199d81b1521fae2c62c8fac4bebc414bc28e6c0a74658fd30cd96c2ea5d2380cb655ac709
-
Filesize
539B
MD5d093046c6f62903c25b1dbdf5e3316fe
SHA1ce607cbdb65a26ff34c19f9d07afa6df344c656f
SHA25604b55aea2d4d2847e7ad1e25def80c9d9e2ac58affb3d4b668e2a689da16fa5b
SHA512cbc3415f01d7cf3f59fd2e856d80bba5c962cc3dbb3ad229a64ca5bb407785e2b818ca5d5d4112fbaa71a40eec5521ddcaf25cea0512c5a825db4072a3b2906c
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD53e611d75356b783c17e0f4b0e2d32e90
SHA1575c244c4e663cf280511938decbd9fc3a1c7bcd
SHA25662fe8e1bef20a2e667177580d49651ede7524fc0401c24cf21a6d05f2b6acb71
SHA512865d0442a2e229abb0820a0ae66454e02aac2d15ba8c5a2f01285d048689cbe1297d31f064f2f01eef9e22eeac5e191f65a4bc6c3d4a6eb732fc46cd8444d53c
-
Filesize
11KB
MD545a777d71aad2fad5f37600835bcd7f5
SHA160950e51582dba7307dc53ad2d05badc02a054de
SHA25627f1feb4b867fb26800722587627c4121353883ca82f8b466aeb6f3b582a1fc5
SHA512699b6b3b047edf8ff4cd61da784e4a7ba82d3d89e9329b7b36674efdd9529668b4ac79864896afc0797f2b68f121d740b1c16347831ee156f1edf45ac32a1a20
-
Filesize
12KB
MD545b08534c45d636b425022f38f07dcbc
SHA14db88b346f590b8a1a99804bbae968da1d520d6a
SHA256f4fd4e1b414e455503fa6df3d1f32185ced2fa3fdd9cd4848b8f5a7ce71efb6d
SHA51283744b19baa81006976a696989b513f2b0343a5acb36495a74a70ee33efe3d0dba1ac1619e1712256814c9082bc45c3d7fd1b44438f4f87531eae8cacc767e03
-
Filesize
588KB
MD5b7a6a99cbe6e762c0a61a8621ad41706
SHA192f45dd3ed3aaeaac8b488a84e160292ff86281e
SHA25639fd8d36f8e5d915ad571ea429db3c3de6e9c160dbea7c3e137c9ba4b7fd301d
SHA512a17e4512d906599b7f004ebb2f19ee2566ee93c2c18114ac05b0a0115a8c481592788f6b97da008795d5c31fb8d819ac82a5097b1792248319139c3face45642
-
Filesize
1.1MB
MD58e3862ecc7a591df93cb916906eae863
SHA11c9f1f80be421f8c87662b5ab11749dd7604fcf2
SHA256b980c67b11cc39f006535303151273749e4ca69dd370cf45b6110a0b5af77b68
SHA5125d58c26f1f4ed448578e118c526a67159284e68b58062a0ff74492a38785fc94608ca09aadb5473f66dd0161fccdbad3ea4a2ed5c65396bef5e3d6572ac607ce
-
Filesize
736KB
MD5 8dd026145833182777a182a646df81f3
SHA1 4f5cb840193eea97df088c83a794fb6e8f67ab07
SHA256 3071af6be43a2611db45205f0d3f1f25aba05acf5f70992fce2fffd63ee9c85d
SHA512 f6c860bf563a24c046a7d76a6bc1e2f6bbfc80a87ac4513de331049f35198dcbbdbb5be7f5d49100e1d1c8ab680ecf3eaaa4fdb8f744c9fd5479a1ba64079391
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
55.4MB
MD5 fd66da4bbc7838f2d548c80adfdf0387
SHA1 44026603adf5260c07fd5cde058c61f8a0481e44
SHA256 5c442f22f399408ec56c94204ab55c2fa6be2966c545feae6f2589b3100a3406
SHA512 c8cc217acdc36c951fe6abea638fc1f8967e3f4d1eb37e2a44eeb2056f15af7186b875942f34ea8b2785f0877b60ae275c02297988e069a6b5e89882debb1bbe
-
Filesize
386KB
MD5 02d56b1cae5306a431eb15a70f914ba6
SHA1 d49973a5c9360a732c24ad697ed86bd4c6e52b37
SHA256 2b6a4a4ec3796997949895e59d0e995757a0ea0771668ca3c4e8b27e32c62a2a
SHA512 e0b4ab519d5186a768b178a904df424487435bffa88350ce4167cd3e9af7c5b730a9d246be5794cead6d795d33149487ba75650630a6b64432e7f4c368ce405f
-
Filesize
340B
MD5 5a0f5e84aa6496f313a7725b417dfdfa
SHA1 2534750c899ffbfcbda7a4f1f52f3243a72dcb32
SHA256 a88e687d53d87e21f1526e5d37f8387bc1c114c2405698b2bcdbdc63e3099547
SHA512 58945393bb07a3887537ddcae2933a68b84e3956debab7c26575ea686dd8e4fbe345f323d36ebf92e01f3f3fb6696eb2e18987f91b320a0584ad5ee9e849470e
-
Filesize
244KB
MD5 c0777f5c9995b8c0b08ed33cee7e1008
SHA1 12f08bb8febedb3f16b22bf94bc47c5c3910a477
SHA256 cf531f10cb410f4825bab4fd4b15df8e02cb9a18505a3a3b05c4c2f4ccaf90d3
SHA512 a3478bc42730169abcb7635f1f73bc8b1a639fe2094c7e3866d8321b6efdf0740f8867dccdd5fb1b12f73b8e89a51758280ab9c3d184d36a7b86f3f91ac9dc0a
-
Filesize
41.3MB
MD5 3557dec4b3425f3a4337842267e97413
SHA1 2570810596dbf2f4930164ab7ebf1309c5f57230
SHA256 0899b99992e6f8143ad1c51ed422ca64ae309e5663fc3e3d38504c2e45576a93
SHA512 e2c8e4b97f8a8b98725e2d09dd1ac81948a822c4c8aba4b974e79b22bd6b4662cf87f374131f089f44fed7e2ca541205397b879c496d466f7879caf5466d8fac
-
Filesize
26.1MB
MD5 e15fbf7a8a963e9488da1bce2aab2008
SHA1 3b3be9012b79e291d9afdbcfb329e7a5edb514fd
SHA256 43a85b212dc8bd07fa24e8234e566c0b5b3e3be74447d2f3c91863d8d7d50e8c
SHA512 a169c9329ef01ac3f6ead9949810c67f4a23aefe6c366805336566f9209cb890ccf78e5b55563e44ad6125d28787c505c1e2fc91e7c9dcfafb20fb9c96261ad0
-
Filesize
856KB
MD5 11a825cc2f5527b9dca7467b5650d01f
SHA1 b2d7978a1c1c3d769926b794036d2ae5fc173fac
SHA256 af62031d31f0c5d1ced8ed3437d292bcdae409fe9c1092a6f057dd0618fbeaf8
SHA512 6c86827a72e1188cd0fa6eadbd1829d8b8373b1b7182696ed8586d79d3bb94f8c4dadb4239401eccba20f1ec49f8c786e914354f00300a5ab9fdab461edb6591
-
Filesize
28.8MB
MD5 5783d0b143091b222292bb0dc983f04a
SHA1 6f35c3202a162d14ec62fca94613553ec120ca8e
SHA256 49a7758ffd434befeace7137d907afab0ad891e54a320641b5e2c09e7af0f91a
SHA512 56bf629eead8facdf6c21f5b4c667daeaf8ab569ead4b3482d68748588b8fc71760c1169be04c85da8dc44bf5ae5f92efcd81e8578f24bea048a654c64527765
-
Filesize
4KB
MD5 9eb0320dfbf2bd541e6a55c01ddc9f20
SHA1 eb282a66d29594346531b1ff886d455e1dcd6d99
SHA256 9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA512 9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d
-
C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe
Filesize
634KB
MD5 9a4a515072b4b95c4172c7f42c355881
SHA1 6d9c7baff5012192665ee05a28b5236f7965ec91
SHA256 5fff377298dc84781cd9ccf6ca7b30c1b917774ddc9bd16b6fb5e51525b0a9f0
SHA512 f34b84d38e11a1dc6a67b48f2350800451797a502c9100d20bf88f332477d8926abd03d570400a2201acf518b4c414ea7079c39465da6b19696254c5d06dbabc
-
Filesize
23.7MB
MD5 0ffd752c14afcbd5fec7393a237237cf
SHA1 ac282c63c030d21f6da7742071bf03a8563bad8c
SHA256 b296ccfe94834abc3d5c58ac65b61c56982926a9d4cd751fcf440903a2d7a439
SHA512 0116ff322294ae67afcae90cc7164615ed4c61956f7105cddc6b9455317755007e5f8b60f23def4641ba41554b91bbd9595f69b73caca80aea95062b8de85e8f
-
\??\Volume{0e54dc8f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e7079623-f1b9-4853-9168-9a8176e24fc0}_OnDiskSnapshotProp
Filesize
6KB
MD5 c31bcb655947e9706feec01cc95014ce
SHA1 c8a1c0d4017c6a777baf089b6f00fddd200f70f5
SHA256 626d140e287b1d1d2548c681bce300707c3213da75e8ffc564fc43f40fe5eaa8
SHA512 ac8b902e7bdd428d000140bba0f64f31cc759e95eaa95242c17312ca339d706483b2a5b33e0f7bc14507b2f0e2940d39ff358d950e9d1f2f1fbb2a1435b2a054