482212ad374ebd572a44bb22e5e16a19843a281f0579e000c618f150bf1d20e8

Analysis

max time kernel
328s
max time network
341s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07/09/2024, 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cosmic Binder.exe
Size

6.6MB
MD5

0ad7298482f7528e1eb360b7110f05bd
SHA1

a2a40d27d7f01d55878c5ee0450aebaf656ce3d0
SHA256

482212ad374ebd572a44bb22e5e16a19843a281f0579e000c618f150bf1d20e8
SHA512

2995396bc27d50e92ef44a23a32cb954022b328f4c5137f7f1cc54ad141f6fd3a99e7fbbd82a38876cb14bb9bd17962bb79d8346ba49177dd36b4233bdc4e215
SSDEEP

196608:fKAxRJ675rL0y13he2qDbTbu/QjU5n2YPozziRR4pEXfTEok+lx8OH2qsmvy74Pg:L70h33he3Db81ozziRR4pEXfTEok+lxy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3856	csc.exe
4936	csc.exe
4636	csc.exe
2952	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cosmic Binder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Cosmic Binder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3 = 14002e80922b16d365937a46956b92703aca08af0000	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000002593680100041646d696e003c0009000400efbe0259417a2759a9822e0000005d57020000000100000000000000000000000000000088249900410064006d0069006e00000014000000	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\NodeSlot = "4"	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000000259417a12004170704461746100400009000400efbe0259417a2759a9822e000000685702000000010000000000000000000000000000007ed51e004100700070004400610074006100000016000000	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 000000000100000002000000ffffffff	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000c0b0332aefe4da0131ee4780f4e4da0131ee4780f4e4da0114000000	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Cosmic Binder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Pictures"	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 000000000200000001000000ffffffff	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Cosmic Binder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Cosmic Binder.exe
Key created	\Registry\User\S-1-5-21-970747758-134341002-3585657277-1000_Classes\NotificationData	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000000000001000000ffffffff	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Cosmic Binder.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Cosmic Binder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Cosmic Binder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Cosmic Binder.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3292	Cosmic Binder.exe
3292	Cosmic Binder.exe
3292	Cosmic Binder.exe
3292	Cosmic Binder.exe
3292	Cosmic Binder.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3292	Cosmic Binder.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3292	Cosmic Binder.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3292	Cosmic Binder.exe
3292	Cosmic Binder.exe
3292	Cosmic Binder.exe
3292	Cosmic Binder.exe
3292	Cosmic Binder.exe
1020	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 4048	3292	Cosmic Binder.exe	92
PID 3292 wrote to memory of 4048	3292	Cosmic Binder.exe	92
PID 3292 wrote to memory of 4048	3292	Cosmic Binder.exe	92
PID 4048 wrote to memory of 3856	4048	cmd.exe	94
PID 4048 wrote to memory of 3856	4048	cmd.exe	94
PID 3292 wrote to memory of 3568	3292	Cosmic Binder.exe	95
PID 3292 wrote to memory of 3568	3292	Cosmic Binder.exe	95
PID 3292 wrote to memory of 3568	3292	Cosmic Binder.exe	95
PID 3568 wrote to memory of 4936	3568	cmd.exe	97
PID 3568 wrote to memory of 4936	3568	cmd.exe	97
PID 3292 wrote to memory of 964	3292	Cosmic Binder.exe	101
PID 3292 wrote to memory of 964	3292	Cosmic Binder.exe	101
PID 3292 wrote to memory of 964	3292	Cosmic Binder.exe	101
PID 964 wrote to memory of 4636	964	cmd.exe	103
PID 964 wrote to memory of 4636	964	cmd.exe	103
PID 3292 wrote to memory of 2468	3292	Cosmic Binder.exe	104
PID 3292 wrote to memory of 2468	3292	Cosmic Binder.exe	104
PID 3292 wrote to memory of 2468	3292	Cosmic Binder.exe	104
PID 2468 wrote to memory of 2952	2468	cmd.exe	106
PID 2468 wrote to memory of 2952	2468	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\Cosmic Binder.exe
"C:\Users\Admin\AppData\Local\Temp\Cosmic Binder.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Local\Temp\Testing.exe" /platform:anycpu /win32icon:"C:\Users\Admin\Downloads\DebugOpen.ico" /noconfig /res:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",CosmicBinder.Resources.File1.exe /res:"C:\Users\Admin\Desktop\SplitDeny.jpg",CosmicBinder.Resources.File2.jpg /r:Microsoft.VisualBasic.dll,System.Windows.Forms.dll,System.Linq.dll,System.dll,System.Core.dll,Microsoft.CSharp.dll,mscorlib.dll Program.cs
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Users\Admin\AppData\Local\Frameworkv3\csc.exe
    csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Local\Temp\Testing.exe" /platform:anycpu /win32icon:"C:\Users\Admin\Downloads\DebugOpen.ico" /noconfig /res:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",CosmicBinder.Resources.File1.exe /res:"C:\Users\Admin\Desktop\SplitDeny.jpg",CosmicBinder.Resources.File2.jpg /r:Microsoft.VisualBasic.dll,System.Windows.Forms.dll,System.Linq.dll,System.dll,System.Core.dll,Microsoft.CSharp.dll,mscorlib.dll Program.cs
    3⤵
    - Executes dropped EXE
    PID:3856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Local\Temp\Testing.exe" /platform:anycpu /win32icon:"C:\Users\Admin\Downloads\DebugOpen.ico" /noconfig /res:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",CosmicBinder.Resources.File1.exe /res:"C:\Users\Admin\Desktop\SplitDeny.jpg",CosmicBinder.Resources.File2.jpg /r:Microsoft.VisualBasic.dll,System.Windows.Forms.dll,System.Linq.dll,System.dll,System.Core.dll,Microsoft.CSharp.dll,mscorlib.dll Program.cs
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Users\Admin\AppData\Local\Frameworkv3\csc.exe
    csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Local\Temp\Testing.exe" /platform:anycpu /win32icon:"C:\Users\Admin\Downloads\DebugOpen.ico" /noconfig /res:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",CosmicBinder.Resources.File1.exe /res:"C:\Users\Admin\Desktop\SplitDeny.jpg",CosmicBinder.Resources.File2.jpg /r:Microsoft.VisualBasic.dll,System.Windows.Forms.dll,System.Linq.dll,System.dll,System.Core.dll,Microsoft.CSharp.dll,mscorlib.dll Program.cs
    3⤵
    - Executes dropped EXE
    PID:4936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Local\Temp\Testing.exe" /platform:anycpu /win32icon:"C:\Users\Admin\Downloads\DebugOpen.ico" /noconfig /res:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",CosmicBinder.Resources.File1.exe /res:"C:\Users\Admin\Desktop\SplitDeny.jpg",CosmicBinder.Resources.File2.jpg /r:Microsoft.VisualBasic.dll,System.Windows.Forms.dll,System.Linq.dll,System.dll,System.Core.dll,Microsoft.CSharp.dll,mscorlib.dll Program.cs
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Users\Admin\AppData\Local\Frameworkv3\csc.exe
    csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Local\Temp\Testing.exe" /platform:anycpu /win32icon:"C:\Users\Admin\Downloads\DebugOpen.ico" /noconfig /res:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",CosmicBinder.Resources.File1.exe /res:"C:\Users\Admin\Desktop\SplitDeny.jpg",CosmicBinder.Resources.File2.jpg /r:Microsoft.VisualBasic.dll,System.Windows.Forms.dll,System.Linq.dll,System.dll,System.Core.dll,Microsoft.CSharp.dll,mscorlib.dll Program.cs
    3⤵
    - Executes dropped EXE
    PID:4636
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Local\Temp\Testing.exe" /platform:anycpu /win32icon:"C:\Users\Admin\Downloads\DebugOpen.ico" /noconfig /res:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",CosmicBinder.Resources.File1.exe /res:"C:\Users\Admin\Desktop\SplitDeny.jpg",CosmicBinder.Resources.File2.jpg /r:Microsoft.VisualBasic.dll,System.Windows.Forms.dll,System.Linq.dll,System.dll,System.Core.dll,Microsoft.CSharp.dll,mscorlib.dll Program.cs
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Frameworkv3\csc.exe
    csc.exe /target:winexe /out:"C:\Users\Admin\AppData\Local\Temp\Testing.exe" /platform:anycpu /win32icon:"C:\Users\Admin\Downloads\DebugOpen.ico" /noconfig /res:"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",CosmicBinder.Resources.File1.exe /res:"C:\Users\Admin\Desktop\SplitDeny.jpg",CosmicBinder.Resources.File2.jpg /r:Microsoft.VisualBasic.dll,System.Windows.Forms.dll,System.Linq.dll,System.dll,System.Core.dll,Microsoft.CSharp.dll,mscorlib.dll Program.cs
    3⤵
    - Executes dropped EXE
    PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2292

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:1804

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:2708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4464

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Frameworkv3\Microsoft.CSharp.dll

Filesize
47KB

MD5
89bc6b76061a8727c094612cadf2e1a7

SHA1
bdc2863619cf3cbc9b1ceba00e247af4ad5fbacc

SHA256
b1a71f9a5315bb3834d97fb479be6a095cdd74a1b20e132ded78f6e8013d0a89

SHA512
bd572fca635216c44bb35fba7a9dd83547a7246a873d7a63547a56d7cb599fac61142cb5b6e11a5e604457beca2ed63ae5be20475521cec34b8c4669be04f54b

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\Microsoft.CodeAnalysis.CSharp.dll

Filesize
6.3MB

MD5
5588bb1d28e085a18ad2d404628598e9

SHA1
4d8022c3cba88b5bb1a4f63eaa19e7dae549dd79

SHA256
3ec3495cd2ce822bdfc6b9c97d24f87a2b7d5393b29b828da8d96fe756cdca15

SHA512
ad333d42047f995727ffb90c9300e363208a98e9e9217aa89ea63cd7d3479c94e098af3ed29e9e5aa09b3df12a656307f08e23561bfd9973ba61591ccec92038

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\Microsoft.CodeAnalysis.dll

Filesize
4.4MB

MD5
535abe50557a55e144667dd5149fd0b9

SHA1
e00ac98232cf85e628b5044767316aff75e3f8c2

SHA256
528e969f2e696733b1e05cbb0a8f27c3cf7853ca737ff64c7ab13ceac1fdae83

SHA512
209a88dc3fe3a559d42b969e1b4e8e495d2e0029f081ee6c46880bc771dcb1c3edb5544b6e61d675b7bcc6b9090b9316ed3d624df78a003061f0fe59abc763c8

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\Microsoft.VisualBasic.dll

Filesize
137KB

MD5
5bebc401f866d7d4ba0d48dab43ff4a5

SHA1
4b74dbea90aa0776aa9c88801aa83144975c691e

SHA256
286d469a1e3e48eef69a2a0e7e1ca6d8101d9fc87302831e23a8085c3857bb04

SHA512
cd225b3c171ac4b24368e3b276c2e798a9bf184d3630278e660cb9569cc73a07a7f98cb706771591b1066bedea6e4d7c2b9fd661416d267e9f6c95c0e7dca8a5

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\Program.cs

Filesize
10KB

MD5
7fd35b3693d8d85871e806a19515023c

SHA1
64dcd0c01f9b3b4d1f98634273ceb842d107dd8c

SHA256
c4327ce10cf6b2b1366890ecb988d8dfe8a0bd597d8566426278339c74d8730a

SHA512
d735e7c4add829db8c157a87db1647ec34357d198b39b0215e7f3badfade5fe60f2b055351e8e62b8b20ecd81ac445e7b184d99c007911c70f1b2e03b45e7e2b

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\System.Collections.Immutable.dll

Filesize
189KB

MD5
d96470eec1462cdc385bfcd024a5d91b

SHA1
9adeafc9c76e29c275f2070cde10e6f7597cace0

SHA256
69e57ac412200e47fe7b5f933a30c594e1fc1517498c88920aabc702f5ea00a7

SHA512
99737518ea853669e06691bce59fd6bd12668a07949ac8c77a2b062c3dc4077c3ff47c3a621b117e0fa7d0426aef5e5b663f1db7991381f9b1ad178946e39eec

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\System.Core.dll

Filesize
229KB

MD5
73ce65904aaa5243bc10d5db94ad85d9

SHA1
7811617cd99d8ad5cb693c78527c4ff85682b7d1

SHA256
945ed694b31770c40e3471884714ffde19bf4031e6d9c95645c267422034ed67

SHA512
1bc7bcfe4e317816f5cec6bc37003af4823f67ae44e98d4aa3d773b6c7827ddca13746b0a6c739565045e255196a48f3d98ba0283f6d6b95ff6b7f05938c1668

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\System.Linq.dll

Filesize
21KB

MD5
c80e6fd71843c5d293fbf61aabc202bf

SHA1
5bb086feaec6619f80ec9e53b3dc509850cdb6f5

SHA256
0bb25f3082f5ee96db78063e7d21aa67e529aab27d46006e41ca64d8873613ae

SHA512
f7b418fbdb30414b0de1c7a5c3a77d92640330ed8951d13632eeefa965bc9dc2151020881024a64b97d582d9a5a393b5eda6190f9782b31f7e09c58519c4f867

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\System.Memory.dll

Filesize
137KB

MD5
6fb95a357a3f7e88ade5c1629e2801f8

SHA1
19bf79600b716523b5317b9a7b68760ae5d55741

SHA256
8e76318e8b06692abf7dab1169d27d15557f7f0a34d36af6463eff0fe21213c7

SHA512
293d8c709bc68d2c980a0df423741ce06d05ff757077e63986d34cb6459f9623a024d12ef35a280f50d3d516d98abe193213b9ca71bfde2a9fe8753b1a6de2f0

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\System.Numerics.Vectors.dll

Filesize
113KB

MD5
aaa2cbf14e06e9d3586d8a4ed455db33

SHA1
3d216458740ad5cb05bc5f7c3491cde44a1e5df0

SHA256
1d3ef8698281e7cf7371d1554afef5872b39f96c26da772210a33da041ba1183

SHA512
0b14a039ca67982794a2bb69974ef04a7fbee3686d7364f8f4db70ea6259d29640cbb83d5b544d92fa1d3676c7619cd580ff45671a2bb4753ed8b383597c6da8

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\System.Reflection.Metadata.dll

Filesize
451KB

MD5
c4ea65bd802f1ccd3ea2ad1841fd85c2

SHA1
2364d6dd5dd3b566e06e6b1dc960533d2b3017b7

SHA256
46451e1168dd11d450aa9b6119f17cec9a70928a40ac3c752abf61ce809cba6f

SHA512
fc4c18ea6a6f38d8c4b4f2e02d3d077cc729b531ca08cf9602c65e22aadc0be770e441660cc980cbfed3b27bd783e65f793838532673e2845276390b4b22d730

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\System.Runtime.CompilerServices.Unsafe.dll

Filesize
17KB

MD5
c610e828b54001574d86dd2ed730e392

SHA1
180a7baafbc820a838bbaca434032d9d33cceebe

SHA256
37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf

SHA512
441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\System.Text.Encoding.CodePages.dll

Filesize
744KB

MD5
4c12c76415a3d8af9c3cbcf0a3cb52dd

SHA1
b6a5ebf42211fdabcf377ec2018b6b9a14a99761

SHA256
87f7f43626cac445a9cbacda4068c51c0b17b6af6e6b752ff613668c21e49412

SHA512
e01ea56118437f54068375b3472ea611e865888f932ec5a21d2c8049d7e398713152fd69b674723fed87ee23ba7939895b3d5b5bee690b13c00428f884b9f116

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\System.Windows.Forms.dll

Filesize
1.4MB

MD5
869972844b903ea5b632df1aea367fd3

SHA1
c726f113374dee7afdab0ee76b0ee20c01b46b88

SHA256
0811e1e938d66a35c1f03c3e8a08ab53b822d18f67ed0ae64a868294a23872c2

SHA512
81e04a3e127084d565a5c3df21db4899479c2d5860d594b16195a93889460fce2c412c763d232c901d88fdf503e8e044d25fa4f23e4b1420cf9c06a9e6f3899e

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\System.dll

Filesize
1.4MB

MD5
3ec3060a5c3f8b31a5a330941a2a6e8c

SHA1
8cc424c2552fb77fb26e31c69fc29f9c4b91a442

SHA256
8186c61afa8e04ca6d1ac79d4f5407779b76c42728603e85f2aef9d1d6d49d91

SHA512
865e7581fe70b4bfba75655029dc223ac1c0e21a55b4a1861495e2ed2e4bee4aa00525d37c5af70fa661f6406486d0956330fcafadb01b97891073cb70f3e8e0

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\csc.exe

Filesize
58KB

MD5
ce02a95034e40f164cedd6f099d07425

SHA1
77b750f4bd494111949f8c6a21015fd4639f04db

SHA256
3525196b868a6604de3c6ee7de44d44b6c5dde8f3a27cd8e409084bf628358b5

SHA512
7153635fc7e1e30f67b46ca8e66499a87dcb63fe3d73a8b4624b2fd648913359061d61d2481310f7e4bf2dbddd63ce6a1fc9b693baf3e771898bb883a2e835b1

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\csc.exe.config

Filesize
4KB

MD5
efe5a22122f012f37c2b66b4b5c606d1

SHA1
b5418dd53b7b85686554532aa5cae79e98cf909c

SHA256
1ac8e21d7d9f184691cde0998afb95676b5eb324c33813ab15f46332b2530a4f

SHA512
b10a4d6fba4f88dae851602d5aac5dd549525f9cc593def4640c912eee15644af45f2034b83e8509524012132f8e73e80f36170728884928e60c03e85cff3349

Download Submit
C:\Users\Admin\AppData\Local\Frameworkv3\mscorlib.dll

Filesize
2.4MB

MD5
040a15db912985dd0d70abde6a11cde7

SHA1
b57ba3e3ef0c1941912c6f9a74f3a1970911c81e

SHA256
1c627a1181fde179d9796ce2475dab52841ca8148224e92d60271da46cff0ccb

SHA512
01073e170913c16f06b3098aa8e06d7ba678c907d3cbd9fceee7fde9e53c5a25367271eca3c4347fa8d6c0d4313110885bb9c34f08d19ae040a6670dd22bcd3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csc.exe.log

Filesize
902B

MD5
3cccd7ec7ce4bec48e9d44837c72369c

SHA1
58bed2fc18b511696ff97b41dae9323d36b07bea

SHA256
3158e10bb178e677f4b47fe0bc7d349cc49011905bab02f5b3b9e58574e6bba3

SHA512
6288a844621e95c9672a1349574fc186614ec5daa25059fde1a42323ea2812a026ea82d00cd022fa3fb51489db62d37a8cf6801e648b2e3fe957603e9444ee68

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
cd6829f53a60318a54648f4ff9d694c2

SHA1
eda672c23f219a9cdbe740079412f5fbe04a157d

SHA256
5410184dfd5ef071de14c78cc7e9488049a85e313a3454250d53e974251ac906

SHA512
25a54ac013419868211b704a9b1f4cbc7c0a5b1a0e10cec09cd8eee3fbde7497e36c8e35f0506622eb9a47939c2c6b9590bf9bbf8d43508be13d7f85f7838ec9

Download Submit
memory/3292-14-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/3292-2-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/3292-40-0x000000000C670000-0x000000000C682000-memory.dmp

Filesize
72KB

Download
memory/3292-28-0x0000000040000000-0x000000004033B000-memory.dmp

Filesize
3.2MB

Download
memory/3292-18-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/3292-208-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/3292-17-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/3292-16-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/3292-1-0x00000000000B0000-0x0000000000750000-memory.dmp

Filesize
6.6MB

Download
memory/3292-15-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/3292-39-0x0000000007770000-0x000000000777A000-memory.dmp

Filesize
40KB

Download
memory/3292-10-0x0000000009900000-0x0000000009910000-memory.dmp

Filesize
64KB

Download
memory/3292-3-0x0000000005830000-0x0000000005DD6000-memory.dmp

Filesize
5.6MB

Download
memory/3292-0-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/3292-4-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/3292-13-0x00000000748FE000-0x00000000748FF000-memory.dmp

Filesize
4KB

Download
memory/3292-5-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/3292-12-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/3292-11-0x0000000004BF0000-0x0000000004C94000-memory.dmp

Filesize
656KB

Download
memory/3292-6-0x00000000054B0000-0x0000000005570000-memory.dmp

Filesize
768KB

Download
memory/3292-7-0x00000000748F0000-0x00000000750A1000-memory.dmp

Filesize
7.7MB

Download
memory/3292-8-0x00000000083F0000-0x0000000008E4A000-memory.dmp

Filesize
10.4MB

Download
memory/3292-9-0x00000000098F0000-0x00000000098FA000-memory.dmp

Filesize
40KB

Download
memory/3856-138-0x000001EE0FCB0000-0x000001EE0FCCA000-memory.dmp

Filesize
104KB

Download
memory/3856-153-0x000001EF30AB0000-0x000001EF30ACE000-memory.dmp

Filesize
120KB

Download
memory/3856-150-0x000001EF309B0000-0x000001EF309B8000-memory.dmp

Filesize
32KB

Download
memory/3856-144-0x000001EF30A10000-0x000001EF30A36000-memory.dmp

Filesize
152KB

Download
memory/3856-149-0x000001EF30D00000-0x000001EF30D08000-memory.dmp

Filesize
32KB

Download
memory/3856-148-0x000001EF30BB0000-0x000001EF30C26000-memory.dmp

Filesize
472KB

Download
memory/3856-146-0x000001EE0FCA0000-0x000001EE0FCA8000-memory.dmp

Filesize
32KB

Download
memory/3856-142-0x000001EF30AD0000-0x000001EF30B8E000-memory.dmp

Filesize
760KB

Download
memory/3856-137-0x000001EF318C0000-0x000001EF31F08000-memory.dmp

Filesize
6.3MB

Download
memory/3856-140-0x000001EF309D0000-0x000001EF30A02000-memory.dmp

Filesize
200KB

Download
memory/3856-161-0x000001EF30C60000-0x000001EF30C82000-memory.dmp

Filesize
136KB

Download
memory/3856-162-0x000001EF30AA0000-0x000001EF30AA8000-memory.dmp

Filesize
32KB

Download
memory/3856-135-0x000001EF30E00000-0x000001EF31270000-memory.dmp

Filesize
4.4MB

Download
memory/3856-133-0x000001EE0DF20000-0x000001EE0DF32000-memory.dmp

Filesize
72KB

Download