Analysis
  max time kernel: 59s
  max time network: 61s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11/01/2023, 15:54
Static task: static1
Behavioral task: behavioral1
  Sample: Office Tool Plus.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Office Tool Plus.exe
  Resource: win10v2004-20221111-en
General
  Target: Office Tool Plus.exe
  Size: 4.4MB
  MD5: 9cf2d306b7c36774c2bd88697015dd11
  SHA1: b02d8b7665c87fd0892db621812eecaf4d3b9d2f
  SHA256: 3b202fe7631903ca7dce2c4c58b1ca5b2445af9e4bd7a5a2e65de20da48e05c0
  SHA512: 227e54de2e1da5185461d82524acf3c1df4623032e323e1c499d3db720e1e1b5a27a3c1ddce7ca7118c0a1d85acb369ace8f491a6ca5ef510632a73b341224cd
  SSDEEP: 49152:3Xb+SD18VMNODw600948jQkfZUi58oVKv4F6bXhv:b+c18VMiwAhjN1Go67
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid | Process
  4440 | windowsdesktop-runtime-6.0.13-win-x86.exe
  4064 | windowsdesktop-runtime-6.0.13-win-x86.exe
  3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | windowsdesktop-runtime-6.0.13-win-x86.exe
Loads dropped DLL (5 IoCs)
  pid | Process
  4064 | windowsdesktop-runtime-6.0.13-win-x86.exe
  3548 | MsiExec.exe
  2164 | MsiExec.exe
  3552 | MsiExec.exe
  4752 | MsiExec.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | windowsdesktop-runtime-6.0.13-win-x86.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{d0da1241-5784-4a15-98a5-cf37e3f102e6} = "\"C:\\ProgramData\\Package Cache\\{d0da1241-5784-4a15-98a5-cf37e3f102e6}\\windowsdesktop-runtime-6.0.13-win-x86.exe\" /burn.runonce" | windowsdesktop-runtime-6.0.13-win-x86.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\clretwrc.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\it\PresentationUI.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\de\UIAutomationClientSideProviders.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\pt-BR\WindowsFormsIntegration.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\api-ms-win-core-interlocked-l1-1-0.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.ComponentModel.Annotations.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\ja\System.Windows.Forms.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\System.Configuration.ConfigurationManager.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\ko\System.Windows.Input.Manipulations.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\ja\System.Xaml.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\zh-Hans\PresentationUI.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\zh-Hans\UIAutomationTypes.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\cs\System.Windows.Forms.Primitives.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\PresentationNative_cor3.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\api-ms-win-core-memory-l1-1-0.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\api-ms-win-core-datetime-l1-1-0.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\api-ms-win-core-libraryloader-l1-1-0.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\ja\PresentationUI.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\System.Windows.Input.Manipulations.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\es\UIAutomationClientSideProviders.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\ru\Microsoft.VisualBasic.Forms.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\it\WindowsFormsIntegration.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\WindowsBase.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\tr\System.Windows.Forms.Primitives.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\pt-BR\PresentationFramework.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Data.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Transactions.Local.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\pt-BR\PresentationCore.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\pl\PresentationCore.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\System.Windows.Forms.Design.Editors.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Windows.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Dynamic.Runtime.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\System.Threading.AccessControl.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\tr\System.Windows.Controls.Ribbon.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\System.Diagnostics.EventLog.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\cs\WindowsFormsIntegration.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.ObjectModel.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\zh-Hant\System.Windows.Forms.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\ko\ReachFramework.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.13 (x86).swidtag | windowsdesktop-runtime-6.0.13-win-x86.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Collections.Specialized.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\zh-Hans\System.Windows.Forms.Primitives.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\api-ms-win-core-processenvironment-l1-1-0.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\zh-Hant\UIAutomationClient.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\tr\System.Windows.Forms.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\ru\PresentationFramework.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\zh-Hans\System.Windows.Forms.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Collections.NonGeneric.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\ja\System.Windows.Input.Manipulations.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\api-ms-win-core-synch-l1-2-0.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Diagnostics.TraceSource.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\PresentationFramework-SystemData.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\ru\System.Windows.Forms.Primitives.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\fr\System.Windows.Controls.Ribbon.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\cs\UIAutomationClientSideProviders.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\pt-BR\System.Windows.Forms.Primitives.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\WindowsFormsIntegration.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\System.Windows.Forms.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\cs\UIAutomationClient.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.IO.Compression.FileSystem.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\cs\System.Windows.Controls.Ribbon.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\de\UIAutomationClient.resources.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\Microsoft.Win32.Registry.AccessControl.dll | msiexec.exe
  File created | C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.IO.Compression.dll | msiexec.exe
Drops file in Windows directory (27 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Installer\MSI33B4.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI38A8.tmp | msiexec.exe
  File created | C:\Windows\Installer\e57180c.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File opened for modification | C:\Windows\Installer\e571818.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI3123.tmp | msiexec.exe
  File created | C:\Windows\Installer\e571813.msi | msiexec.exe
  File created | C:\Windows\Installer\e571814.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e571814.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI3916.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI4BD5.tmp | msiexec.exe
  File created | C:\Windows\Installer\e571810.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e571810.msi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{A0047888-886B-41B9-8080-0E8DC3539B81} | msiexec.exe
  File created | C:\Windows\Installer\e571817.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI2896.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI355B.tmp | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{41E9A2CE-CF7F-4F2E-80FD-50FDCBB8F286} | msiexec.exe
  File created | C:\Windows\Installer\e571818.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSI3FAF.tmp | msiexec.exe
  File created | C:\Windows\Installer\e57181b.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e57180c.msi | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{87EA745D-32DA-4DCA-9ED4-BF4BA6232E1E} | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{ACFA81A9-FD2F-4731-BE64-9163E3E9FF58} | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File created | C:\Windows\Installer\e57180f.msi | msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS (9 IoCs)
  description | ioc | Process
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | msiexec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20 | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21 | msiexec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21 | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | msiexec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | msiexec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20 | msiexec.exe
Modifies registry class (64 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8887400AB6889B140808E0D83C35B918\Language = "1033" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.55.52137_x86\Dependents\{d0da1241-5784-4a15-98a5-cf37e3f102e6} | windowsdesktop-runtime-6.0.13-win-x86.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8887400AB6889B140808E0D83C35B918\Assignment = "1" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A18AFCAF2DF1374EB4619363E9EFF85\Language = "1033" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0621CE985F15E064E466B0A015ABF481\9A18AFCAF2DF1374EB4619363E9EFF85 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.55.52137_x86\ = "{87EA745D-32DA-4DCA-9ED4-BF4BA6232E1E}" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D547AE78AD23ACD4E94DFBB46A32E2E1\MainFeature | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D547AE78AD23ACD4E94DFBB46A32E2E1\DeploymentFlags = "3" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8887400AB6889B140808E0D83C35B918\AdvertiseFlags = "388" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC2A9E14F7FCE2F408DF05DFBC8B2F68\InstanceType = "0" | msiexec.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC2A9E14F7FCE2F408DF05DFBC8B2F68\Clients = 3a0000000000 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.55.53270_x86\ = "{ACFA81A9-FD2F-4731-BE64-9163E3E9FF58}" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.55.52137_x86\Dependents | windowsdesktop-runtime-6.0.13-win-x86.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5636A508027562B63D6A56E814E5422B | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5A036181AE3507D45E36606F9464ED83 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC2A9E14F7FCE2F408DF05DFBC8B2F68\SourceList\PackageName = "dotnet-host-6.0.13-win-x86.msi" | msiexec.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A18AFCAF2DF1374EB4619363E9EFF85\Clients = 3a0000000000 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.55.53270_x86\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.13 (x86)" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8887400AB6889B140808E0D83C35B918 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8887400AB6889B140808E0D83C35B918\ProductName = "Microsoft .NET Host FX Resolver - 6.0.13 (x86)" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8887400AB6889B140808E0D83C35B918\SourceList\PackageName = "dotnet-hostfxr-6.0.13-win-x86.msi" | msiexec.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8887400AB6889B140808E0D83C35B918\Clients = 3a0000000000 | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC2A9E14F7FCE2F408DF05DFBC8B2F68\AuthorizedLUAApp = "0" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5A036181AE3507D45E36606F9464ED83\EC2A9E14F7FCE2F408DF05DFBC8B2F68 | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D547AE78AD23ACD4E94DFBB46A32E2E1\InstanceType = "0" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8887400AB6889B140808E0D83C35B918\MainFeature | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EC2A9E14F7FCE2F408DF05DFBC8B2F68\MainFeature | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC2A9E14F7FCE2F408DF05DFBC8B2F68\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{41E9A2CE-CF7F-4F2E-80FD-50FDCBB8F286}v48.55.52137\\" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D547AE78AD23ACD4E94DFBB46A32E2E1\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{87EA745D-32DA-4DCA-9ED4-BF4BA6232E1E}v48.55.52137\\" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.55.52137_x86\DisplayName = "Microsoft .NET Host FX Resolver - 6.0.13 (x86)" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8887400AB6889B140808E0D83C35B918\PackageCode = "85A554BAA07FE3A4098C791A47844683" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A18AFCAF2DF1374EB4619363E9EFF85\AuthorizedLUAApp = "0" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A18AFCAF2DF1374EB4619363E9EFF85\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{ACFA81A9-FD2F-4731-BE64-9163E3E9FF58}v48.55.53270\\" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{d0da1241-5784-4a15-98a5-cf37e3f102e6}\Dependents | windowsdesktop-runtime-6.0.13-win-x86.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D547AE78AD23ACD4E94DFBB46A32E2E1 | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_runtime_48.55.52137_x86 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8887400AB6889B140808E0D83C35B918\SourceList | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC2A9E14F7FCE2F408DF05DFBC8B2F68\Assignment = "1" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC2A9E14F7FCE2F408DF05DFBC8B2F68\SourceList\Net | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A18AFCAF2DF1374EB4619363E9EFF85\PackageCode = "F4C58A393AEF656478D5BFF1745871FD" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.55.52137_x86\Version = "48.55.52137" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D547AE78AD23ACD4E94DFBB46A32E2E1 | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8887400AB6889B140808E0D83C35B918\DeploymentFlags = "3" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5636A508027562B63D6A56E814E5422B\8887400AB6889B140808E0D83C35B918 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8887400AB6889B140808E0D83C35B918\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{A0047888-886B-41B9-8080-0E8DC3539B81}v48.55.52137\\" | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.55.52137_x86 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{d0da1241-5784-4a15-98a5-cf37e3f102e6} | windowsdesktop-runtime-6.0.13-win-x86.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EC2A9E14F7FCE2F408DF05DFBC8B2F68\SourceList | msiexec.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\windowsdesktop_runtime_48.55.53270_x86 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.55.53270_x86\Dependents\{d0da1241-5784-4a15-98a5-cf37e3f102e6} | windowsdesktop-runtime-6.0.13-win-x86.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.55.53270_x86\Version = "48.55.53270" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{d0da1241-5784-4a15-98a5-cf37e3f102e6}\ = "{d0da1241-5784-4a15-98a5-cf37e3f102e6}" | windowsdesktop-runtime-6.0.13-win-x86.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{d0da1241-5784-4a15-98a5-cf37e3f102e6}\Dependents\{d0da1241-5784-4a15-98a5-cf37e3f102e6} | windowsdesktop-runtime-6.0.13-win-x86.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.55.52137_x86\ = "{A0047888-886B-41B9-8080-0E8DC3539B81}" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A18AFCAF2DF1374EB4619363E9EFF85\AdvertiseFlags = "388" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D547AE78AD23ACD4E94DFBB46A32E2E1\Language = "1033" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D547AE78AD23ACD4E94DFBB46A32E2E1\Assignment = "1" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8887400AB6889B140808E0D83C35B918\SourceList\Media\1 = ";" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x86\ = "{41E9A2CE-CF7F-4F2E-80FD-50FDCBB8F286}" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A18AFCAF2DF1374EB4619363E9EFF85\Assignment = "1" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A18AFCAF2DF1374EB4619363E9EFF85\InstanceType = "0" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A18AFCAF2DF1374EB4619363E9EFF85\SourceList | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A18AFCAF2DF1374EB4619363E9EFF85\SourceList\Net | msiexec.exe
NTFS ADS (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 363979.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | Process
  2124 | msedge.exe
  2124 | msedge.exe
  2640 | msedge.exe
  2640 | msedge.exe
  2740 | identity_helper.exe
  2740 | identity_helper.exe
  1084 | msedge.exe
  1084 | msedge.exe
  1668 | msiexec.exe (8 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid | Process
  2640 | msedge.exe (6 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeIncreaseQuotaPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeSecurityPrivilege | 1668 | msiexec.exe
  Token: SeCreateTokenPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeAssignPrimaryTokenPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeLockMemoryPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeIncreaseQuotaPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeMachineAccountPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeTcbPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeSecurityPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeTakeOwnershipPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeLoadDriverPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeSystemProfilePrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeSystemtimePrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeProfSingleProcessPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeIncBasePriorityPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeCreatePagefilePrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeCreatePermanentPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeBackupPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeRestorePrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeShutdownPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeDebugPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeAuditPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeSystemEnvironmentPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeChangeNotifyPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeRemoteShutdownPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeUndockPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeSyncAgentPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeEnableDelegationPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeManageVolumePrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeImpersonatePrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeCreateGlobalPrivilege | 3280 | windowsdesktop-runtime-6.0.13-win-x86.exe
  Token: SeRestorePrivilege | 1668 | msiexec.exe (16 entries, alternating with the next row)
  Token: SeTakeOwnershipPrivilege | 1668 | msiexec.exe (16 entries, alternating with the previous row)
Suspicious use of FindShellTrayWindow (37 IoCs)
  pid | Process
  2640 | msedge.exe (36 entries)
  4064 | windowsdesktop-runtime-6.0.13-win-x86.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4800 wrote to memory of 2640 | 4800 | Office Tool Plus.exe | 86 (2 entries)
  PID 2640 wrote to memory of 2420 | 2640 | msedge.exe | 88 (2 entries)
  PID 2640 wrote to memory of 2600 | 2640 | msedge.exe | 91 (40 entries)
  PID 2640 wrote to memory of 2124 | 2640 | msedge.exe | 92 (2 entries)
  PID 2640 wrote to memory of 5100 | 2640 | msedge.exe | 93 (18 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\Office Tool Plus.exe
  "C:\Users\Admin\AppData\Local\Temp\Office Tool Plus.exe"
  - Suspicious use of WriteProcessMemory
  PID:4800

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x86&rid=win10-x86&apphost_version=6.0.12&gui=true
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies registry class
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID:2640

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff1d8446f8,0x7fff1d844708,0x7fff1d844718
          PID:2420

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3684371384500882208,6919436937986701891,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
          PID:2600

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3684371384500882208,6919436937986701891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
          PID:2124

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,3684371384500882208,6919436937986701891,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
          PID:5100

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3684371384500882208,6919436937986701891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
          PID:2136

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3684371384500882208,6919436937986701891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
          PID:1616

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,3684371384500882208,6919436937986701891,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5240 /prefetch:8
          PID:4224

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3684371384500882208,6919436937986701891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
          PID:3724

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,3684371384500882208,6919436937986701891,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5464 /prefetch:8
          PID:4364

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3684371384500882208,6919436937986701891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
          PID:1140

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,3684371384500882208,6919436937986701891,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5864 /prefetch:8
          PID:1436

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,3684371384500882208,6919436937986701891,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6024 /prefetch:8
          PID:3076

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3684371384500882208,6919436937986701891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
          PID:556

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3684371384500882208,6919436937986701891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
          PID:4332

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,3684371384500882208,6919436937986701891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6744 /prefetch:8
          PID:392

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
          PID:2108

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff72ff65460,0x7ff72ff65470,0x7ff72ff65480
              PID:792

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,3684371384500882208,6919436937986701891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6744 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
          PID:2740

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,3684371384500882208,6919436937986701891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6664 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
          PID:1084

        C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.13-win-x86.exe
          "C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.13-win-x86.exe"
          - Executes dropped EXE
          PID:4440

            C:\Windows\Temp\{C832521A-0810-4165-9EC7-C136107361AE}\.cr\windowsdesktop-runtime-6.0.13-win-x86.exe
              "C:\Windows\Temp\{C832521A-0810-4165-9EC7-C136107361AE}\.cr\windowsdesktop-runtime-6.0.13-win-x86.exe" -burn.clean.room="C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.13-win-x86.exe" -burn.filehandle.attached=528 -burn.filehandle.self=548
              - Executes dropped EXE
              - Checks computer location settings
              - Loads dropped DLL
              - Suspicious use of FindShellTrayWindow
              PID:4064

                C:\Windows\Temp\{7205006B-E364-453A-B512-DD4E7D3B273A}\.be\windowsdesktop-runtime-6.0.13-win-x86.exe
                  "C:\Windows\Temp\{7205006B-E364-453A-B512-DD4E7D3B273A}\.be\windowsdesktop-runtime-6.0.13-win-x86.exe" -q -burn.elevated BurnPipe.{4858B220-A9FB-4E6C-B1DB-0B5C5553AF10} {70FA4346-7687-423D-8D48-00E860BB056D} 4064
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Drops file in Program Files directory
                  - Modifies registry class
                  - Suspicious use of AdjustPrivilegeToken
                  PID:3280
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:1452
C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668

    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A75A4682FACCAB0FC9B55F16F45D5373
      - Loads dropped DLL
      PID:3548

    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 75699E65ACBF236BCCE7347C8520D4AD
      - Loads dropped DLL
      PID:2164

    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F3323308B7119E571D7444E5AFF12C2E
      - Loads dropped DLL
      PID:3552

    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C8E66F8C27059F3DD3484D9B0AAE5EDC
      - Loads dropped DLL
      PID:4752
Network
MITRE ATT&CK Enterprise v6
Downloads