Malware Analysis Report

2025-08-05 20:57

Sample ID 240404-v148kaeb65
Target Cosmos_InstallerLast.msi
SHA256 0899b99992e6f8143ad1c51ed422ca64ae309e5663fc3e3d38504c2e45576a93
Tags

discovery persistence

Score

6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

6/10

SHA256

0899b99992e6f8143ad1c51ed422ca64ae309e5663fc3e3d38504c2e45576a93

Threat Level: Shows suspicious behavior

The file Cosmos_InstallerLast.msi was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence

Enumerates connected drives

Downloads MZ/PE file

Adds Run key to start application

Checks computer location settings

Drops file in System32 directory

Drops file in Program Files directory

Executes dropped EXE

Checks installed software on the system

Drops file in Windows directory

Loads dropped DLL

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

NTFS ADS

Opens file in notepad (likely ransom note)

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-04 17:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-04 17:28

Reported

2024-04-04 17:44

Platform

win10v2004-20240226-en

Max time kernel

507s

Max time network

506s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Cosmos_InstallerLast.msi

Signatures

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{24a68a65-6ac6-4276-9d7d-2c3939d8474e} = "\"C:\\ProgramData\\Package Cache\\{24a68a65-6ac6-4276-9d7d-2c3939d8474e}\\windowsdesktop-runtime-7.0.17-win-x64.exe\" /burn.runonce" C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe N/A

Downloads MZ/PE file

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{9E405C8B-6624-4111-BD33-B6B8C0714610}\.cr\windowsdesktop-runtime-7.0.17-win-x64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.17 (x64).swidtag C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Text.Encoding.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\pt-BR\Microsoft.VisualBasic.Forms.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\de\System.Windows.Input.Manipulations.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Collections.Immutable.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.IO.Pipes.AccessControl.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\ja\UIAutomationProvider.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\pt-BR\UIAutomationProvider.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Runtime.Handles.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Security.Cryptography.Cng.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.ValueTuple.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Diagnostics.TextWriterTraceListener.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\zh-Hans\System.Windows.Controls.Ribbon.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\pt-BR\ReachFramework.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\tr\PresentationCore.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Web.HttpUtility.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\PresentationFramework.Luna.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Private.CoreLib.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\zh-Hans\UIAutomationClient.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\ko\PresentationFramework.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.ComponentModel.Annotations.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\de\System.Xaml.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\ko\Microsoft.VisualBasic.Forms.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Net.WebProxy.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\mscorrc.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\pt-BR\PresentationUI.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\PenImc_cor3.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Runtime.Serialization.Xml.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\de\UIAutomationClientSideProviders.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Collections.Concurrent.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\host\fxr\7.0.17\hostfxr.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\zh-Hans\System.Windows.Forms.Primitives.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\zh-Hans\UIAutomationClientSideProviders.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\de\PresentationCore.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\fr\WindowsBase.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Net.Sockets.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Threading.Timer.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Transactions.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\ThirdPartyNotices.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\pt-BR\WindowsBase.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Runtime.CompilerServices.Unsafe.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Security.Principal.Windows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Security.Cryptography.Encoding.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\System.Windows.Forms.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\System.Windows.Input.Manipulations.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\es\System.Windows.Forms.Design.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Numerics.Vectors.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\cs\Microsoft.VisualBasic.Forms.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\pt-BR\WindowsFormsIntegration.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\it\UIAutomationClientSideProviders.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Windows.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Globalization.Calendars.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\cs\UIAutomationTypes.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\ja\ReachFramework.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\System.Drawing.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Collections.NonGeneric.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Console.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\pl\PresentationFramework.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\ru\UIAutomationClient.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.IO.Compression.Brotli.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.17\System.Net.WebHeaderCollection.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\de\WindowsBase.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\ja\WindowsBase.resources.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.17\de\WindowsFormsIntegration.resources.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\SourceHash{A638EFAE-5229-46A8-9A18-D0FF9D9827D2} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI78DC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7A73.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\C2F0B9809D7807446B6E51D46D69C165\56.68.10360\fileCoreHostExe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI82A4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI962E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4BAD.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{462818AD-0C27-419A-9271-68FF4B52279A}\Cosmos_V1_PSD.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{462818AD-0C27-419A-9271-68FF4B52279A}\Cosmos_V1_PSD.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI664B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e598a1e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e598a1e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\C2F0B9809D7807446B6E51D46D69C165 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8003.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e598a29.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI937C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID6D3.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e598a19.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI50AF.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e598a1d.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{089B0F2C-87D9-4470-B6E6-154DD6961C56} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9797.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e598a18.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI760C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e598a22.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e598a28.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{93812F65-BAA9-42E0-AF19-F15F39A92E3C} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e598a16.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI94F4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI6D41.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7DDF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\C2F0B9809D7807446B6E51D46D69C165\56.68.10360 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\$PatchCache$\Managed\C2F0B9809D7807446B6E51D46D69C165\56.68.10360\fileCoreHostExe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI95A1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e598a19.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e598a23.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e598a29.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8B8E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{462818AD-0C27-419A-9271-68FF4B52279A} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{6B4D3428-4800-446B-971F-62A7377F06F6} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e598a23.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e598a2d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA60D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e598a16.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\Temp\{9E405C8B-6624-4111-BD33-B6B8C0714610}\.cr\windowsdesktop-runtime-7.0.17-win-x64.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
N/A N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Control Panel

evasion

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Colors C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Colors C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Colors C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Colors C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\Colors C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C2F0B9809D7807446B6E51D46D69C165\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_7.0_x64\Dependents\{24a68a65-6ac6-4276-9d7d-2c3939d8474e} C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\56F218399AAB0E24FA911FF5939AE2C3\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_56.68.10360_x64\ = "{A638EFAE-5229-46A8-9A18-D0FF9D9827D2}" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_56.68.10360_x64 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F\Version = "943990904" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C2F0B9809D7807446B6E51D46D69C165\PackageCode = "50281206D11C96543A9F78E2A26DBD6C" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D7BDF8162D15FAB6F8D7D17A868D0E24\8243D4B60084B64479F1267A73F7606F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\56F218399AAB0E24FA911FF5939AE2C3\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\ProductName = "Cosmos" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_56.68.10379_x64\Version = "56.68.10379" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\56F218399AAB0E24FA911FF5939AE2C3\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{24a68a65-6ac6-4276-9d7d-2c3939d8474e}\Version = "7.0.17.33416" C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EAFE836A92258A64A9810DFFD989722D\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F\SourceList\PackageName = "dotnet-hostfxr-7.0.17-win-x64.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_56.68.10360_x64\Dependents\{24a68a65-6ac6-4276-9d7d-2c3939d8474e} C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C2F0B9809D7807446B6E51D46D69C165\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5993C192D5D5A16615C73BE6C2403B07 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\DA81826472C0A914291786FFB42572A9\C63A5E8718343189D035A252D1450C5 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{24a68a65-6ac6-4276-9d7d-2c3939d8474e}\Dependents\{24a68a65-6ac6-4276-9d7d-2c3939d8474e} C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_56.68.10360_x64 C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EAFE836A92258A64A9810DFFD989722D\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8243D4B60084B64479F1267A73F7606F\MainFeature C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_56.68.10379_x64\Dependents\{24a68a65-6ac6-4276-9d7d-2c3939d8474e} C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8243D4B60084B64479F1267A73F7606F\Provider C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C2F0B9809D7807446B6E51D46D69C165\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\Version = "83951618" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\SourceList\PackageName = "Cosmos_InstallerLast.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_56.68.10360_x64\Dependents C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C2F0B9809D7807446B6E51D46D69C165\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{089B0F2C-87D9-4470-B6E6-154DD6961C56}v56.68.10360\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_7.0_x64 C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_56.68.10360_x64\Version = "56.68.10360" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\56F218399AAB0E24FA911FF5939AE2C3\Provider C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\56F218399AAB0E24FA911FF5939AE2C3\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\56F218399AAB0E24FA911FF5939AE2C3\Version = "943990923" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5993C192D5D5A16615C73BE6C2403B07\56F218399AAB0E24FA911FF5939AE2C3 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EAFE836A92258A64A9810DFFD989722D C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EAFE836A92258A64A9810DFFD989722D\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0CDC6D012275297408FC47E8F4FA7EDB\EAFE836A92258A64A9810DFFD989722D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EAFE836A92258A64A9810DFFD989722D\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8243D4B60084B64479F1267A73F7606F\ProductName = "Microsoft .NET Host FX Resolver - 7.0.17 (x64)" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EAFE836A92258A64A9810DFFD989722D\SourceList\PackageName = "dotnet-runtime-7.0.17-win-x64.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_runtime_56.68.10360_x64 C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C2F0B9809D7807446B6E51D46D69C165\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\56F218399AAB0E24FA911FF5939AE2C3\ProductName = "Microsoft Windows Desktop Runtime - 7.0.17 (x64)" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\56F218399AAB0E24FA911FF5939AE2C3\SourceList\PackageName = "windowsdesktop-runtime-7.0.17-win-x64.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\56F218399AAB0E24FA911FF5939AE2C3\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{93812F65-BAA9-42E0-AF19-F15F39A92E3C}v56.68.10379\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\DA81826472C0A914291786FFB42572A9 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA81826472C0A914291786FFB42572A9\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EAFE836A92258A64A9810DFFD989722D\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C2F0B9809D7807446B6E51D46D69C165\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C2F0B9809D7807446B6E51D46D69C165\SourceList\PackageName = "dotnet-host-7.0.17-win-x64.msi" C:\Windows\system32\msiexec.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 917679.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\Notepad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4484 wrote to memory of 232 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4484 wrote to memory of 232 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4484 wrote to memory of 232 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4484 wrote to memory of 5028 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4484 wrote to memory of 5028 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4484 wrote to memory of 4068 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4484 wrote to memory of 4068 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4484 wrote to memory of 4068 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4620 wrote to memory of 4928 N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4620 wrote to memory of 4928 N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 2836 N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 2836 N/A C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 264 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 4452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 4452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 4408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 4408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 4408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 4408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 4408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 4408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 4408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 4408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Cosmos_InstallerLast.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding FAE0E98D217D45BC5C5DC402B480CA97 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\MountConvertFrom.vbs

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding AEFC417AC85B5DE0F67270B3ACD7EA05

C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe

"C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe"

C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe

"C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?framework=Microsoft.NETCore.App&framework_version=7.0.0&arch=x64&rid=win-x64&os=win10&gui=true

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc75b46f8,0x7fffc75b4708,0x7fffc75b4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?framework=Microsoft.NETCore.App&framework_version=7.0.0&arch=x64&rid=win-x64&os=win10&gui=true

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffc75b46f8,0x7fffc75b4708,0x7fffc75b4718

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4424 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5400 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5848 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6352 /prefetch:8

C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.17-win-x64.exe

"C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.17-win-x64.exe"

C:\Windows\Temp\{9E405C8B-6624-4111-BD33-B6B8C0714610}\.cr\windowsdesktop-runtime-7.0.17-win-x64.exe

"C:\Windows\Temp\{9E405C8B-6624-4111-BD33-B6B8C0714610}\.cr\windowsdesktop-runtime-7.0.17-win-x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.17-win-x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=688

C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe

"C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe" -q -burn.elevated BurnPipe.{957F01FD-3E27-4C1F-A57F-DCB67D3DEACE} {875014C8-22FE-45C9-B4AB-07F35121AF3C} 4196

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DEC0B834F856A9339A1A6C91A89603A9

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 2274EEF7CA2C17997561ADC82FE23CF5

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C17B143B364C721F0F0E4CAC8164E5B0

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 702B882CD6DB8C3BDEC66800B91186BA

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,7832560701906680984,18015015348773759657,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3588 /prefetch:2

C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe

"C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe"

C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe

"C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe

"PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Desktop'

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\dotnet\dotnet.exe

"C:\Program Files\dotnet\dotnet.exe" .\CosmosApp.dll

C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe

"C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe"

C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe

"C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe"

C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe

"C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 80.192.122.92.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 242.137.73.23.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 139.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 aka.ms udp
GB 92.122.197.160:443 aka.ms tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
GB 92.122.197.160:443 aka.ms tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 dotnet.microsoft.com udp
US 13.107.246.64:443 dotnet.microsoft.com tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.22.5.218:443 www.microsoft.com tcp
US 8.8.8.8:53 218.5.22.2.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 20.42.65.85:443 browser.events.data.microsoft.com tcp
US 20.42.65.85:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 225.110.86.104.in-addr.arpa udp
GB 2.22.5.218:443 www.microsoft.com tcp
US 8.8.8.8:53 download.visualstudio.microsoft.com udp
FR 68.232.34.200:443 download.visualstudio.microsoft.com tcp
FR 68.232.34.200:443 download.visualstudio.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 w.usabilla.com udp
IE 63.32.133.159:443 w.usabilla.com tcp
US 8.8.8.8:53 200.34.232.68.in-addr.arpa udp
US 8.8.8.8:53 159.133.32.63.in-addr.arpa udp
US 8.8.8.8:53 15.39.65.18.in-addr.arpa udp
IE 63.32.133.159:443 w.usabilla.com tcp
US 8.8.8.8:53 d6tizftlrpuof.cloudfront.net udp
NL 18.239.15.219:443 d6tizftlrpuof.cloudfront.net tcp
NL 18.239.15.219:443 d6tizftlrpuof.cloudfront.net tcp
US 8.8.8.8:53 219.15.239.18.in-addr.arpa udp
NL 18.239.15.219:443 d6tizftlrpuof.cloudfront.net tcp
US 8.8.8.8:53 westus2-0.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-0.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 150.155.9.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI74F1.tmp

MD5 b7a6a99cbe6e762c0a61a8621ad41706
SHA1 92f45dd3ed3aaeaac8b488a84e160292ff86281e
SHA256 39fd8d36f8e5d915ad571ea429db3c3de6e9c160dbea7c3e137c9ba4b7fd301d
SHA512 a17e4512d906599b7f004ebb2f19ee2566ee93c2c18114ac05b0a0115a8c481592788f6b97da008795d5c31fb8d819ac82a5097b1792248319139c3face45642

C:\Users\Admin\AppData\Local\Temp\MSI7F58.tmp

MD5 8e3862ecc7a591df93cb916906eae863
SHA1 1c9f1f80be421f8c87662b5ab11749dd7604fcf2
SHA256 b980c67b11cc39f006535303151273749e4ca69dd370cf45b6110a0b5af77b68
SHA512 5d58c26f1f4ed448578e118c526a67159284e68b58062a0ff74492a38785fc94608ca09aadb5473f66dd0161fccdbad3ea4a2ed5c65396bef5e3d6572ac607ce

C:\Users\Admin\AppData\Local\Temp\MSI8004.tmp

MD5 8dd026145833182777a182a646df81f3
SHA1 4f5cb840193eea97df088c83a794fb6e8f67ab07
SHA256 3071af6be43a2611db45205f0d3f1f25aba05acf5f70992fce2fffd63ee9c85d
SHA512 f6c860bf563a24c046a7d76a6bc1e2f6bbfc80a87ac4513de331049f35198dcbbdbb5be7f5d49100e1d1c8ab680ecf3eaaa4fdb8f744c9fd5479a1ba64079391

\??\Volume{0e54dc8f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e7079623-f1b9-4853-9168-9a8176e24fc0}_OnDiskSnapshotProp

MD5 c31bcb655947e9706feec01cc95014ce
SHA1 c8a1c0d4017c6a777baf089b6f00fddd200f70f5
SHA256 626d140e287b1d1d2548c681bce300707c3213da75e8ffc564fc43f40fe5eaa8
SHA512 ac8b902e7bdd428d000140bba0f64f31cc759e95eaa95242c17312ca339d706483b2a5b33e0f7bc14507b2f0e2940d39ff358d950e9d1f2f1fbb2a1435b2a054

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 0ffd752c14afcbd5fec7393a237237cf
SHA1 ac282c63c030d21f6da7742071bf03a8563bad8c
SHA256 b296ccfe94834abc3d5c58ac65b61c56982926a9d4cd751fcf440903a2d7a439
SHA512 0116ff322294ae67afcae90cc7164615ed4c61956f7105cddc6b9455317755007e5f8b60f23def4641ba41554b91bbd9595f69b73caca80aea95062b8de85e8f

C:\Config.Msi\e598a17.rbs

MD5 0741afabefacd0339e4d21b545d8280e
SHA1 cc7777d43faf3fb6f707bd46cec4b78121279473
SHA256 2a5bfc4d88d4a040b10a7736d95c1eb255ef7454b58da12a1473e659ad691c22
SHA512 ac22991b9b674c7fcd20c78f0cb577689be2becabc0be644ee2635d25d304fe2a4ef34c510249d94762cdb8c3bf7b0084159ec986327ec83349c5ae83d08bdd2

C:\Windows\Installer\e598a16.msi

MD5 3557dec4b3425f3a4337842267e97413
SHA1 2570810596dbf2f4930164ab7ebf1309c5f57230
SHA256 0899b99992e6f8143ad1c51ed422ca64ae309e5663fc3e3d38504c2e45576a93
SHA512 e2c8e4b97f8a8b98725e2d09dd1ac81948a822c4c8aba4b974e79b22bd6b4662cf87f374131f089f44fed7e2ca541205397b879c496d466f7879caf5466d8fac

C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.exe

MD5 02d56b1cae5306a431eb15a70f914ba6
SHA1 d49973a5c9360a732c24ad697ed86bd4c6e52b37
SHA256 2b6a4a4ec3796997949895e59d0e995757a0ea0771668ca3c4e8b27e32c62a2a
SHA512 e0b4ab519d5186a768b178a904df424487435bffa88350ce4167cd3e9af7c5b730a9d246be5794cead6d795d33149487ba75650630a6b64432e7f4c368ce405f

C:\Users\Public\Desktop\ProjectCosmos\Cosmos\CosmosApp.runtimeconfig.json

MD5 5a0f5e84aa6496f313a7725b417dfdfa
SHA1 2534750c899ffbfcbda7a4f1f52f3243a72dcb32
SHA256 a88e687d53d87e21f1526e5d37f8387bc1c114c2405698b2bcdbdc63e3099547
SHA512 58945393bb07a3887537ddcae2933a68b84e3956debab7c26575ea686dd8e4fbe345f323d36ebf92e01f3f3fb6696eb2e18987f91b320a0584ad5ee9e849470e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1e3dc6a82a2cb341f7c9feeaf53f466f
SHA1 915decb72e1f86e14114f14ac9bfd9ba198fdfce
SHA256 a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c
SHA512 0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 36bb45cb1262fcfcab1e3e7960784eaa
SHA1 ab0e15841b027632c9e1b0a47d3dec42162fc637
SHA256 7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae
SHA512 02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456

\??\pipe\LOCAL\crashpad_4928_CHSBKTTTVSZBKKOV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 26d381203505ea512e8e485f4f739d43
SHA1 022a159c6ab063b4ed749c656ce4d4c985d4176c
SHA256 b3eef331ddbe2e29c89e095cde837965488d8196e51a2afb1f7daff6902fcab1
SHA512 4c98ce90c93bdaf69556183b8d9f31011dd28d66a5fc7b1543a88ce0ab8fdbe24acc1b34b1bbd488848da32ee22ff1bf09cf31b26d184733ccef2417dfe8259f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 45a777d71aad2fad5f37600835bcd7f5
SHA1 60950e51582dba7307dc53ad2d05badc02a054de
SHA256 27f1feb4b867fb26800722587627c4121353883ca82f8b466aeb6f3b582a1fc5
SHA512 699b6b3b047edf8ff4cd61da784e4a7ba82d3d89e9329b7b36674efdd9529668b4ac79864896afc0797f2b68f121d740b1c16347831ee156f1edf45ac32a1a20

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 cbd063897b4600e48e0f07f7cfdd80f6
SHA1 d2a558cd358a077c238e72c45853f8c12386f8b6
SHA256 7e85d5781ce873fd361e78dfaf4305ce3974dc3398000a2ece44a17f4897eb51
SHA512 ffc613c0f445a71152e5b66b4cf9c2cad9860da1491f27fba1d6908bbb86e1a3baf753a082ba649a67eed2f09619dd72f4e3674c424dd07643ec1f48fc716ffe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 39ef3c097f6be1d250abd3aca8e11ce0
SHA1 4e9f4fb550869f2aa021920ea4822ea1f283185d
SHA256 aaf97207d5557b2964f7aaf83606a2b84cbfbc681e26a9952767116ff1a89410
SHA512 c85fb60cf5d517812801b3448131681198b4dc9767c90b03453c1888d6a23a04e06baa6265cc0490d13e258a75b70ce9924eabd59acbf439e4fb19dd373e1cf7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3e611d75356b783c17e0f4b0e2d32e90
SHA1 575c244c4e663cf280511938decbd9fc3a1c7bcd
SHA256 62fe8e1bef20a2e667177580d49651ede7524fc0401c24cf21a6d05f2b6acb71
SHA512 865d0442a2e229abb0820a0ae66454e02aac2d15ba8c5a2f01285d048689cbe1297d31f064f2f01eef9e22eeac5e191f65a4bc6c3d4a6eb732fc46cd8444d53c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6b6c8b10c807a58931d8b7ff52835636
SHA1 58d9090b9da6a80c557c7789816fcb5f6852e107
SHA256 4262744c75b1056d8f14fa8f63aeeda2bc2e296fffc0561e2f7bb437ad3d71ec
SHA512 aafc477c8b314a88ac8de575eb5149ee35fcc4d822a2f1b67fde7a8c55bc2370ee4608c4d2859ab066701bfcff58d7feb5a1f86deb1984651d394dd3e0fdb21e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6e3494c3e77aaa324e5f8d1da258863d
SHA1 7066809650531cbd6f3bdd6e1a18028db26bdf31
SHA256 103bfaaa9dc834c23f6d5de349523ac8262858a5979a71b96be6b240f118981a
SHA512 38956b866cbbac153b30ee4bda5df0f44fa2df5124f808b8f319ca198f48cfb386be1fa053b4603bb2965f8c1684e5f004f5d9c6e2d0cfeeec729c380c0513a0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b46aa.TMP

MD5 d093046c6f62903c25b1dbdf5e3316fe
SHA1 ce607cbdb65a26ff34c19f9d07afa6df344c656f
SHA256 04b55aea2d4d2847e7ad1e25def80c9d9e2ac58affb3d4b668e2a689da16fa5b
SHA512 cbc3415f01d7cf3f59fd2e856d80bba5c962cc3dbb3ad229a64ca5bb407785e2b818ca5d5d4112fbaa71a40eec5521ddcaf25cea0512c5a825db4072a3b2906c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 d652e41c5d676c921688fa59a81fe8e5
SHA1 aa35da4e135023b6d2f918867e00f55a2230449e
SHA256 b2fb6636a33974fef0902d8d960d750bfcac002a3372518367b96c5be596684d
SHA512 2f5119a6d24e5bf31fa059c72d554e17cce41d56948b395b259107d5d3d670acbfc41b5b22de007feb2ff232e6819657eccf76741d601aaa9f9f1f6b545114e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3670cf3245d8677c0582127543935480
SHA1 17d812cd8990bb40d8b6853b192e55d394be8997
SHA256 30991d9b98830df65aeda166e610207d67baad44e8b2af65bc2e0e2ecd55ae79
SHA512 7257f1ccc6866d799f2bfa2f20e54e40c1e655143480c0fac15a800199d81b1521fae2c62c8fac4bebc414bc28e6c0a74658fd30cd96c2ea5d2380cb655ac709

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 64def8baf10d553b773278ae9a2b666f
SHA1 5b96ed79ed129251529d967c2cbd6b2d74aad2b9
SHA256 656befaabf16da9a446896590719fda5cde270bd609496c8c9f0507b23bbb591
SHA512 691fb3ff245dd8109a9bef067a85e8d0763d6fa0cd303a2a646531349556e6e13c8c814d2eb5d0dc788ded7e21eb026b5995ab9cd48d1357df4cf37d81dd41bc

C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.17-win-x64.exe

MD5 fd66da4bbc7838f2d548c80adfdf0387
SHA1 44026603adf5260c07fd5cde058c61f8a0481e44
SHA256 5c442f22f399408ec56c94204ab55c2fa6be2966c545feae6f2589b3100a3406
SHA512 c8cc217acdc36c951fe6abea638fc1f8967e3f4d1eb37e2a44eeb2056f15af7186b875942f34ea8b2785f0877b60ae275c02297988e069a6b5e89882debb1bbe

C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.ba\bg.png

MD5 9eb0320dfbf2bd541e6a55c01ddc9f20
SHA1 eb282a66d29594346531b1ff886d455e1dcd6d99
SHA256 9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA512 9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

C:\Windows\Temp\{9F442033-F1C7-437F-8A65-F500CA40E13C}\.be\windowsdesktop-runtime-7.0.17-win-x64.exe

MD5 9a4a515072b4b95c4172c7f42c355881
SHA1 6d9c7baff5012192665ee05a28b5236f7965ec91
SHA256 5fff377298dc84781cd9ccf6ca7b30c1b917774ddc9bd16b6fb5e51525b0a9f0
SHA512 f34b84d38e11a1dc6a67b48f2350800451797a502c9100d20bf88f332477d8926abd03d570400a2201acf518b4c414ea7079c39465da6b19696254c5d06dbabc

C:\Windows\Installer\e598a1d.msi

MD5 e15fbf7a8a963e9488da1bce2aab2008
SHA1 3b3be9012b79e291d9afdbcfb329e7a5edb514fd
SHA256 43a85b212dc8bd07fa24e8234e566c0b5b3e3be74447d2f3c91863d8d7d50e8c
SHA512 a169c9329ef01ac3f6ead9949810c67f4a23aefe6c366805336566f9209cb890ccf78e5b55563e44ad6125d28787c505c1e2fc91e7c9dcfafb20fb9c96261ad0

C:\Config.Msi\e598a1c.rbs

MD5 7c95941440a143ed169f710e7173ab97
SHA1 27138440f6cdec99c8dfee83a515c4e402eaabfb
SHA256 9094fd7f58ac9b363d2ea10bd17b93177d72959178b4c15c3d083155bf05e2dc
SHA512 9c0b1c7f0b7c2ecd9581216bd73e185bd444b02b032e735b4a8467eca2d0f1a5aaca5fb4c64f1052b7bf872a4e7be708ecacbd2c2ecdeb3a6203e93dae2a76c9

C:\Windows\Installer\MSI6D41.tmp

MD5 c0777f5c9995b8c0b08ed33cee7e1008
SHA1 12f08bb8febedb3f16b22bf94bc47c5c3910a477
SHA256 cf531f10cb410f4825bab4fd4b15df8e02cb9a18505a3a3b05c4c2f4ccaf90d3
SHA512 a3478bc42730169abcb7635f1f73bc8b1a639fe2094c7e3866d8321b6efdf0740f8867dccdd5fb1b12f73b8e89a51758280ab9c3d184d36a7b86f3f91ac9dc0a

C:\Windows\Installer\e598a1e.msi

MD5 11a825cc2f5527b9dca7467b5650d01f
SHA1 b2d7978a1c1c3d769926b794036d2ae5fc173fac
SHA256 af62031d31f0c5d1ced8ed3437d292bcdae409fe9c1092a6f057dd0618fbeaf8
SHA512 6c86827a72e1188cd0fa6eadbd1829d8b8373b1b7182696ed8586d79d3bb94f8c4dadb4239401eccba20f1ec49f8c786e914354f00300a5ab9fdab461edb6591

C:\Config.Msi\e598a21.rbs

MD5 0f5aeaf257ec11231913b35585890f8d
SHA1 c16a3d8362d504b67e0260e188b76a098ed2ca29
SHA256 c761437b86880e74eb708b37408a8c876e48979b198ac634a444d8cba8655d82
SHA512 c8bcf911de3480aed158a0936e8e4dae4944fd2d58fbb45d4b89f855d9db03e485c2c4af79a1c7b5abe296d6765bf8f371dbe2dc06b7a04698c553311266fb4c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4054716daa369331752f056cebfa98c0
SHA1 fcf1762528644bce3d29f4332d2b38d2f6f3bb94
SHA256 1ba8cda68b87e4e02b349cd1421edea743c58b77cc793f4300240318ccfe0ebb
SHA512 ee20708e16c8d27b957fd093f7c188d7c3ee5cfca294b6f6b3f853e37c63317a36451086858adc21f61de40f3f36873572fd370d6aa1b2e9f52dbe26ec72a29c

C:\Program Files\dotnet\ThirdPartyNotices.txt

MD5 5c13a5ea8c8cc3474240981d0ffa88ff
SHA1 1d8d3ce27d9dc3d9fb4fa4b06c20137d25879d80
SHA256 4f9bb3901879bafae3a17c6c4009ee5c15384a06fc234bed78937969079c77da
SHA512 32ea79ff5194d8a18e75f277aed5610b4955db15b0abbcc2664cf07f372bebfc57eb665ad078dc3da3ce5ee0d8856140c2a1bc7032b578dd103d43998d682d88

C:\Config.Msi\e598a26.rbs

MD5 6cb1384a5b184e2f10ba259bdb77a871
SHA1 6d7b8f581047b3b7e70a6dbd3edae0948fb98545
SHA256 2b345c80bb9d2ee07179b7f7434d362485453c12259cd49f4a01f6ae564e249c
SHA512 2b4bd4da313bc1605c216406ebb285bee595e6ed0856f34b5cc9fc3fda15d6d25fed6a70e79de2f4f894e5c1ec48af62c440f1adc597f5eaaf133ef0ade3f596

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 45b08534c45d636b425022f38f07dcbc
SHA1 4db88b346f590b8a1a99804bbae968da1d520d6a
SHA256 f4fd4e1b414e455503fa6df3d1f32185ced2fa3fdd9cd4848b8f5a7ce71efb6d
SHA512 83744b19baa81006976a696989b513f2b0343a5acb36495a74a70ee33efe3d0dba1ac1619e1712256814c9082bc45c3d7fd1b44438f4f87531eae8cacc767e03

C:\Windows\Installer\e598a2d.msi

MD5 5783d0b143091b222292bb0dc983f04a
SHA1 6f35c3202a162d14ec62fca94613553ec120ca8e
SHA256 49a7758ffd434befeace7137d907afab0ad891e54a320641b5e2c09e7af0f91a
SHA512 56bf629eead8facdf6c21f5b4c667daeaf8ab569ead4b3482d68748588b8fc71760c1169be04c85da8dc44bf5ae5f92efcd81e8578f24bea048a654c64527765

C:\Config.Msi\e598a2c.rbs

MD5 95f25f00ae83b1277b653b1f339acd9b
SHA1 757d082c18f19289f05c26dec5e53de137e9622f
SHA256 9e53a43b0c6239446229a265b2bacd2886022e3ec8841d7b224194ea93cccb70
SHA512 f09dd23561970c394b730b40c6418a09779dfdccb2dbd96c06f7ddf28d41da175a9e55ebc79e3e26772fbec29392b916882a76542e603b2a9a931d196790c9f0

memory/1924-1393-0x00007FFFA2C30000-0x00007FFFA2C40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a5nolfmy.daw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2296-1407-0x000001B1E7EE0000-0x000001B1E7F02000-memory.dmp

memory/2296-1412-0x00007FFFC4D70000-0x00007FFFC5831000-memory.dmp

memory/2296-1413-0x000001B1E7FA0000-0x000001B1E7FB0000-memory.dmp

memory/2296-1414-0x000001B1E7FA0000-0x000001B1E7FB0000-memory.dmp

memory/2296-1415-0x000001B1E7FB0000-0x000001B1E7FF4000-memory.dmp

memory/2296-1416-0x000001B1E9B40000-0x000001B1E9BB6000-memory.dmp

memory/2296-1418-0x00007FFFC4D70000-0x00007FFFC5831000-memory.dmp

memory/2296-1420-0x000001B1E7FA0000-0x000001B1E7FB0000-memory.dmp

memory/2296-1422-0x000001B1E8000000-0x000001B1E801E000-memory.dmp

memory/2680-1433-0x00007FFFA2C30000-0x00007FFFA2C40000-memory.dmp

C:\Users\Admin\AppData\LocalLow\CosmosLauncher\config.ini

MD5 b89988ba8ee484389bd26e6831203f79
SHA1 4bbac5af54a3d6f2b400171ce9260ac927cedfa5
SHA256 60234e75c41716def3922d7a20ffde4ec76d833a5f1512dbe45384f571859d9c
SHA512 7324acc9075eb66768f3db5d59b4151f293e45b7b9447828fbd0185589f89d9fc419e5c9306d35d1ae6118ab6cf3729c454be9f80f06ca71b99a2f8ac8f93ce5