b812dbd07dec698b2b4b97d68643b2f494659c1c0c13b215abbe077c0facaa09

Analysis

max time kernel
52s
max time network
55s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
05-08-2023 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windowsdesktop-runtime-6.0.20-win-x64.exe
Size

54.7MB
MD5

2dd697493474c5b7329f012364580ad6
SHA1

ac76529b02e3c2704eae53229051dcab00508296
SHA256

b812dbd07dec698b2b4b97d68643b2f494659c1c0c13b215abbe077c0facaa09
SHA512

eefd2e2dabb633b0d6c7e523dbdf072c9634088cc6d38c63aaa17c004e38366bcf2dcf5305093b5279a7366c11e177366ceb9d48c14600e140f2efef6caa6308
SSDEEP

1572864:tOn0f2waM91i2rFqo5Mst0rqzAHVuKtRBYcAmCQp9sqV:tJBaKi2rIoplKQ2Dp6qV

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	2760	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8e256e2b-a36f-4f85-a4c7-37fdf661778c} = "\"C:\\ProgramData\\Package Cache\\{8e256e2b-a36f-4f85-a4c7-37fdf661778c}\\windowsdesktop-runtime-6.0.20-win-x64.exe\" /burn.runonce"	windowsdesktop-runtime-6.0.20-win-x64.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\PresentationFramework.Luna.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Data.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Xml.ReaderWriter.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\api-ms-win-core-datetime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\tr\System.Windows.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\pl\PresentationUI.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\cs\System.Windows.Forms.Primitives.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\fr\System.Windows.Input.Manipulations.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Resources.ResourceManager.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\Microsoft.WindowsDesktop.App.deps.json	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Reflection.Extensions.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Runtime.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Net.NameResolution.dll	msiexec.exe
File created	C:\Program Files\dotnet\LICENSE.txt	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\vcruntime140_cor3.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\zh-Hant\UIAutomationTypes.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\ko\WindowsBase.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\pt-BR\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\es\PresentationFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Runtime.Serialization.Xml.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\api-ms-win-crt-environment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\ja\System.Windows.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Dynamic.Runtime.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\zh-Hant\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\de\WindowsBase.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\it\UIAutomationClientSideProviders.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\mscordaccore.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.ObjectModel.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\fr\PresentationUI.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Drawing.Primitives.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Net.HttpListener.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Diagnostics.FileVersionInfo.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Buffers.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\Microsoft.NETCore.App.runtimeconfig.json	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\ru\Microsoft.VisualBasic.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\ja\PresentationFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.ComponentModel.Primitives.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\api-ms-win-crt-runtime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\fr\WindowsBase.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\it\System.Windows.Input.Manipulations.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\cs\System.Windows.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\mscorlib.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Xml.Serialization.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\ru\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\fr\System.Xaml.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\pt-BR\UIAutomationClientSideProviders.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.ComponentModel.EventBasedAsync.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\Microsoft.NETCore.App.deps.json	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\de\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\netstandard.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\ru\UIAutomationProvider.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\api-ms-win-core-file-l2-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\es\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\ru\System.Windows.Forms.Design.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\ucrtbase.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Collections.Specialized.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\tr\PresentationUI.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.20\ru\System.Windows.Controls.Ribbon.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Resources.Writer.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Diagnostics.TraceSource.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.Console.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\System.IO.FileSystem.DriveInfo.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.20\Microsoft.CSharp.dll	msiexec.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f770dbd.msi	msiexec.exe
File created	C:\Windows\Installer\f770dc3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f770dc6.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI454F.tmp	msiexec.exe
File created	C:\Windows\Installer\f770dc9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f770dcc.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f770dc6.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI528B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2032.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f770dc9.msi	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	windowsdesktop-runtime-6.0.20-win-x64.exe
File opened for modification	C:\Windows\Installer\MSI4387.tmp	msiexec.exe
File created	C:\Windows\Installer\f770dc8.msi	msiexec.exe
File created	C:\Windows\Installer\f770dcc.ipi	msiexec.exe
File created	C:\Windows\Installer\f770dba.ipi	msiexec.exe
File created	C:\Windows\Installer\f770dbc.msi	msiexec.exe
File created	C:\Windows\Installer\f770dc0.ipi	msiexec.exe
File created	C:\Windows\Installer\f770dce.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5FD7.tmp	msiexec.exe
File created	C:\Windows\Installer\f770db7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f770db7.msi	msiexec.exe
File created	C:\Windows\Installer\f770dbd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI38D7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2AFE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A21.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f770dba.ipi	msiexec.exe
File created	C:\Windows\Installer\f770dc2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f770dc0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f770dc3.msi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
2176	windowsdesktop-runtime-6.0.20-win-x64.exe
2944	windowsdesktop-runtime-6.0.20-win-x64.exe

Loads dropped DLL 9 IoCs

pid	Process
2652	windowsdesktop-runtime-6.0.20-win-x64.exe
2176	windowsdesktop-runtime-6.0.20-win-x64.exe
2176	windowsdesktop-runtime-6.0.20-win-x64.exe
3032	MsiExec.exe
2784	MsiExec.exe
2760	msiexec.exe
2760	msiexec.exe
2428	MsiExec.exe
2404	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5572B712DAB3B6846960CC0D6EFCB38E\SourceList\PackageName = "dotnet-host-6.0.20-win-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\BC1DDE5F135566545E8FC7ABA57AD68B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF20AF67F306BB84E9F371DED58B168E\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.83.63169_x64	windowsdesktop-runtime-6.0.20-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D9DC17FDEDF5FBB62217C658C5FD52EB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C8DA8EC65D6E7FB4193CF718605ADC39\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Dependents\{8e256e2b-a36f-4f85-a4c7-37fdf661778c}	windowsdesktop-runtime-6.0.20-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DE13535084E21049921FBC17645B73F\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{8e256e2b-a36f-4f85-a4c7-37fdf661778c}\Dependents\{8e256e2b-a36f-4f85-a4c7-37fdf661778c}	windowsdesktop-runtime-6.0.20-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C8DA8EC65D6E7FB4193CF718605ADC39	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C8DA8EC65D6E7FB4193CF718605ADC39\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.83.63169_x64\Dependents\{8e256e2b-a36f-4f85-a4c7-37fdf661778c}	windowsdesktop-runtime-6.0.20-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\DisplayName = "Microsoft .NET Host - 6.0.20 (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C8DA8EC65D6E7FB4193CF718605ADC39\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{6CE8AD8C-E6D5-4BF7-91C3-7F8106A5CD93}v48.83.63169\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF20AF67F306BB84E9F371DED58B168E\Provider	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C8DA8EC65D6E7FB4193CF718605ADC39\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF20AF67F306BB84E9F371DED58B168E	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5572B712DAB3B6846960CC0D6EFCB38E\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\windowsdesktop_runtime_48.83.63194_x64	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C8DA8EC65D6E7FB4193CF718605ADC39\ProductName = "Microsoft .NET Runtime - 6.0.20 (x64)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DE13535084E21049921FBC17645B73F	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.83.63194_x64\Dependents	windowsdesktop-runtime-6.0.20-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DE13535084E21049921FBC17645B73F\Version = "810809050"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.83.63169_x64\Version = "48.83.63169"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF20AF67F306BB84E9F371DED58B168E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\ = "{217B2755-3BAD-486B-9606-CCD0E6CF3BE8}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5572B712DAB3B6846960CC0D6EFCB38E	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5572B712DAB3B6846960CC0D6EFCB38E\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5572B712DAB3B6846960CC0D6EFCB38E\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1DE13535084E21049921FBC17645B73F\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.83.63194_x64\Dependents\{8e256e2b-a36f-4f85-a4c7-37fdf661778c}	windowsdesktop-runtime-6.0.20-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF20AF67F306BB84E9F371DED58B168E\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1DE13535084E21049921FBC17645B73F	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{8e256e2b-a36f-4f85-a4c7-37fdf661778c}	windowsdesktop-runtime-6.0.20-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C8DA8EC65D6E7FB4193CF718605ADC39\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.83.63169_x64\Dependents	windowsdesktop-runtime-6.0.20-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Dependents	windowsdesktop-runtime-6.0.20-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DE13535084E21049921FBC17645B73F\ProductName = "Microsoft Windows Desktop Runtime - 6.0.20 (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DE13535084E21049921FBC17645B73F\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{8e256e2b-a36f-4f85-a4c7-37fdf661778c}\Version = "6.0.20.32621"	windowsdesktop-runtime-6.0.20-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{8e256e2b-a36f-4f85-a4c7-37fdf661778c}\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.20 (x64)"	windowsdesktop-runtime-6.0.20-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF20AF67F306BB84E9F371DED58B168E\PackageCode = "F5A772B7D8D9F434D97FA4D4D7D2E3F6"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DE13535084E21049921FBC17645B73F\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.83.63169_x64\ = "{6CE8AD8C-E6D5-4BF7-91C3-7F8106A5CD93}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C8DA8EC65D6E7FB4193CF718605ADC39\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF20AF67F306BB84E9F371DED58B168E\Version = "810809025"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5572B712DAB3B6846960CC0D6EFCB38E\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DE13535084E21049921FBC17645B73F\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.83.63169_x64\DisplayName = "Microsoft .NET Host FX Resolver - 6.0.20 (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF20AF67F306BB84E9F371DED58B168E\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF20AF67F306BB84E9F371DED58B168E\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D9DC17FDEDF5FBB62217C658C5FD52EB\1DE13535084E21049921FBC17645B73F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DE13535084E21049921FBC17645B73F\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{53531ED1-E480-4012-9912-BF1C67547BF3}v48.83.63194\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_runtime_48.83.63169_x64	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5572B712DAB3B6846960CC0D6EFCB38E\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\351A73AF74553A675EA384D104081E6B\C8DA8EC65D6E7FB4193CF718605ADC39	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF20AF67F306BB84E9F371DED58B168E\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF20AF67F306BB84E9F371DED58B168E\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1DE13535084E21049921FBC17645B73F\PackageCode = "773D4AFECCF02074EB1DAF2CBE57D800"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF20AF67F306BB84E9F371DED58B168E\SourceList\PackageName = "dotnet-hostfxr-6.0.20-win-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5572B712DAB3B6846960CC0D6EFCB38E\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{8e256e2b-a36f-4f85-a4c7-37fdf661778c}\ = "{8e256e2b-a36f-4f85-a4c7-37fdf661778c}"	windowsdesktop-runtime-6.0.20-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.83.63169_x64\Dependents\{8e256e2b-a36f-4f85-a4c7-37fdf661778c}	windowsdesktop-runtime-6.0.20-win-x64.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2760	msiexec.exe
2760	msiexec.exe
2760	msiexec.exe
2760	msiexec.exe
2760	msiexec.exe
2760	msiexec.exe
2760	msiexec.exe
2760	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeIncreaseQuotaPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeSecurityPrivilege	2760	msiexec.exe
Token: SeCreateTokenPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeAssignPrimaryTokenPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeLockMemoryPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeIncreaseQuotaPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeMachineAccountPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeTcbPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeSecurityPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeTakeOwnershipPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeLoadDriverPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeSystemProfilePrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeSystemtimePrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeProfSingleProcessPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeIncBasePriorityPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeCreatePagefilePrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeCreatePermanentPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeBackupPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeRestorePrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeShutdownPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeDebugPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeAuditPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeSystemEnvironmentPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeChangeNotifyPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeRemoteShutdownPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeUndockPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeSyncAgentPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeEnableDelegationPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeManageVolumePrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeImpersonatePrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeCreateGlobalPrivilege	2944	windowsdesktop-runtime-6.0.20-win-x64.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe
Token: SeRestorePrivilege	2760	msiexec.exe
Token: SeTakeOwnershipPrivilege	2760	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2176	windowsdesktop-runtime-6.0.20-win-x64.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2176	2652	windowsdesktop-runtime-6.0.20-win-x64.exe	28
PID 2652 wrote to memory of 2176	2652	windowsdesktop-runtime-6.0.20-win-x64.exe	28
PID 2652 wrote to memory of 2176	2652	windowsdesktop-runtime-6.0.20-win-x64.exe	28
PID 2652 wrote to memory of 2176	2652	windowsdesktop-runtime-6.0.20-win-x64.exe	28
PID 2652 wrote to memory of 2176	2652	windowsdesktop-runtime-6.0.20-win-x64.exe	28
PID 2652 wrote to memory of 2176	2652	windowsdesktop-runtime-6.0.20-win-x64.exe	28
PID 2652 wrote to memory of 2176	2652	windowsdesktop-runtime-6.0.20-win-x64.exe	28
PID 2176 wrote to memory of 2944	2176	windowsdesktop-runtime-6.0.20-win-x64.exe	31
PID 2176 wrote to memory of 2944	2176	windowsdesktop-runtime-6.0.20-win-x64.exe	31
PID 2176 wrote to memory of 2944	2176	windowsdesktop-runtime-6.0.20-win-x64.exe	31
PID 2176 wrote to memory of 2944	2176	windowsdesktop-runtime-6.0.20-win-x64.exe	31
PID 2176 wrote to memory of 2944	2176	windowsdesktop-runtime-6.0.20-win-x64.exe	31
PID 2176 wrote to memory of 2944	2176	windowsdesktop-runtime-6.0.20-win-x64.exe	31
PID 2176 wrote to memory of 2944	2176	windowsdesktop-runtime-6.0.20-win-x64.exe	31
PID 2760 wrote to memory of 3032	2760	msiexec.exe	33
PID 2760 wrote to memory of 3032	2760	msiexec.exe	33
PID 2760 wrote to memory of 3032	2760	msiexec.exe	33
PID 2760 wrote to memory of 3032	2760	msiexec.exe	33
PID 2760 wrote to memory of 3032	2760	msiexec.exe	33
PID 2760 wrote to memory of 3032	2760	msiexec.exe	33
PID 2760 wrote to memory of 3032	2760	msiexec.exe	33
PID 2760 wrote to memory of 2784	2760	msiexec.exe	34
PID 2760 wrote to memory of 2784	2760	msiexec.exe	34
PID 2760 wrote to memory of 2784	2760	msiexec.exe	34
PID 2760 wrote to memory of 2784	2760	msiexec.exe	34
PID 2760 wrote to memory of 2784	2760	msiexec.exe	34
PID 2760 wrote to memory of 2784	2760	msiexec.exe	34
PID 2760 wrote to memory of 2784	2760	msiexec.exe	34
PID 2760 wrote to memory of 2428	2760	msiexec.exe	35
PID 2760 wrote to memory of 2428	2760	msiexec.exe	35
PID 2760 wrote to memory of 2428	2760	msiexec.exe	35
PID 2760 wrote to memory of 2428	2760	msiexec.exe	35
PID 2760 wrote to memory of 2428	2760	msiexec.exe	35
PID 2760 wrote to memory of 2428	2760	msiexec.exe	35
PID 2760 wrote to memory of 2428	2760	msiexec.exe	35
PID 2760 wrote to memory of 2404	2760	msiexec.exe	36
PID 2760 wrote to memory of 2404	2760	msiexec.exe	36
PID 2760 wrote to memory of 2404	2760	msiexec.exe	36
PID 2760 wrote to memory of 2404	2760	msiexec.exe	36
PID 2760 wrote to memory of 2404	2760	msiexec.exe	36
PID 2760 wrote to memory of 2404	2760	msiexec.exe	36
PID 2760 wrote to memory of 2404	2760	msiexec.exe	36

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.20-win-x64.exe
"C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.20-win-x64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\Temp\{1BBC6DFC-A104-499A-9551-B3D4EF486643}\.cr\windowsdesktop-runtime-6.0.20-win-x64.exe
  "C:\Windows\Temp\{1BBC6DFC-A104-499A-9551-B3D4EF486643}\.cr\windowsdesktop-runtime-6.0.20-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.20-win-x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\Temp\{A566064D-B913-4E09-82E6-2974133FF873}\.be\windowsdesktop-runtime-6.0.20-win-x64.exe
    "C:\Windows\Temp\{A566064D-B913-4E09-82E6-2974133FF873}\.be\windowsdesktop-runtime-6.0.20-win-x64.exe" -q -burn.elevated BurnPipe.{4312775C-C9C5-44BF-9593-552506A77A1D} {2E852BCB-0ABA-4594-9CF2-835FEA388106} 2176
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2944

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 71A5D0F8E94295C08159A7B24E5FDC2E
  2⤵
  - Loads dropped DLL
  PID:3032
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D1B6F1329F24C49917B2B1A4F4716EFC
  2⤵
  - Loads dropped DLL
  PID:2784
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7DC7819B3F3C52D729A5FC5E85C21C1B
  2⤵
  - Loads dropped DLL
  PID:2428
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 33717689D0C951AAE41C76B209039A3A
  2⤵
  - Loads dropped DLL
  PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f770dbb.rbs

Filesize
55KB

MD5
ce11cc556c32826ba9c09d5c2dd5104b

SHA1
69d97111e78f60c23fbcf97912b928bcdf6805fd

SHA256
f4738557f8e849657120a073922da4d13a0a68c664ea2621b677a7eb3d6421b1

SHA512
c32be444c7acaa25ebe6c23bdd65a1eeb5ea77f74805ae07cfe4764dcfb1231ca66b691216385af3d96651d3ed73619b4a02563e775e5ba8c695b9ba89b747b5

Download Submit
C:\Config.Msi\f770dc1.rbs

Filesize
8KB

MD5
0f1a66852b847071c84a78b7fd90cfd2

SHA1
1fbc0478203f9cd4233c39199e391dea803eff8c

SHA256
dcd80a3f830064ca3ca2ce1aec49dad305af0b7b99ac20d79f64f029d433c4bc

SHA512
69925beb008b6fb6fe7ded9f804c28ac0b88f3c053f2c87b1b0dbf2ae2b131a90fc971f977e4fcc0d7990d36daa20cff7246134e4a0395e47f615bff91a11087

Download Submit
C:\Config.Msi\f770dc7.rbs

Filesize
9KB

MD5
b9af644bb8d0fd3ceab74a91ddc220e2

SHA1
084c7cf7a751fe24f9394e56aaec448564d10700

SHA256
a9fadd4f073134cbc5a227bd623436d4fa6eb551fb288158f2bc882cda0f9ec0

SHA512
2c2d6de04e78d4d7369ae965074692b5b3eb9274ccd97e8b4f5028b91273c791b15b24da3715b9c6f712c426ea849ebee34f660dff5f9ad0941ede112266dca8

Download Submit
C:\Config.Msi\f770dcd.rbs

Filesize
86KB

MD5
bff3e78755d9fbe0249853b396fa0771

SHA1
9334d306b9c9b37cd671d748436fc6426d4504e0

SHA256
b292086c7faa64a35249430c8b6ad3e4fdd61a700cba2448476bd7fb8d248da5

SHA512
1b49551dc3e09d166a306d6c41ffffdabcdc4936dcf0b93b5a938119b2172bf7ed984778c044528e3e40ba39d1d3c4fd5a6faf4769637cf20b4e79063407c2bd

Download Submit
C:\Program Files\dotnet\LICENSE.txt

Filesize
9KB

MD5
31c5a77b3c57c8c2e82b9541b00bcd5a

SHA1
153d4bc14e3a2c1485006f1752e797ca8684d06d

SHA256
7f6839a61ce892b79c6549e2dc5a81fdbd240a0b260f8881216b45b7fda8b45d

SHA512
ad33e3c0c3b060ad44c5b1b712c991b2d7042f6a60dc691c014d977c922a7e3a783ba9bade1a34de853c271fde1fb75bc2c47869acd863a40be3a6c6d754c0a6

Download Submit
C:\Program Files\dotnet\ThirdPartyNotices.txt

Filesize
78KB

MD5
f77a4aecfaf4640d801eb6dcdfddc478

SHA1
7424710f255f6205ef559e4d7e281a3b701183bb

SHA256
d5db0ed54363e40717ae09e746dec99ad5b09223cc1273bb870703176dd226b7

SHA512
1b729dfa561899980ba8b15128ea39bc1e609fe07b30b283001fd9cf9da62885d78c18082d0085edd81f09203f878549b48f7f888a8486a2a526b134c849fd6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
eb2430a96e86aaa60dff4c214d47b838

SHA1
8039dce0dd0d64b64e8f2ce43dd8be44a9d53554

SHA256
7917714d86b3b980c3258bb62fa913aa2b30554270cac1ea3a6738d275c91198

SHA512
3e3db57ee3ffc12be75816a6962807a5830306dd9bc23618c980a6a1f0ccf82a51d7a022e316685b0dc8d343f2eb93ca1cf9551f768bc15fb9221b1918057947

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
94e69e6b3a5ab718d157045a55b1e813

SHA1
c44d9d1ede09fb1f2e0cbaca878db7c63bb2bb81

SHA256
fe41d8dea464cd860d25974723c3205238ccf2cd9076957382f847cdb617be3c

SHA512
d7ff6fd1eaac0896d231e4a2005ddca9d9f2162ffd9fb16a9db58b5b86052f1c6b6e14275c2c85023832b5e9f73db08e885dcfc7b2b0fbac07192974b9718c91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
3dc5a530b9c23216a43fb36094d82a73

SHA1
4fd1f7d77d5075eba4ddbb8275f86553711f5b08

SHA256
0b863b3b93582e4adec5f927fec3b75ccecd71af169bbec1358ce41f951f1d20

SHA512
181d1ceea47ff9eb522b5b178ccc507f2b5fb0b188a0fb75d47e60987212f5420bbb032533fffb2e3c94e3e9ac2ac85cbb89b37a2faba94918673a7237557688

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF4E.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.20_(x64)_20230805010345_000_dotnet_runtime_6.0.20_win_x64.msi.log

Filesize
2KB

MD5
d69be17c1529991fa6d93a7113c91018

SHA1
b962c97a19b8c7a04de29b109e44b92f0542c42e

SHA256
267f87f832c81d0ff86f250bb9a5a9f6e8e6dc100352489ed0abebc5619b188b

SHA512
ba9944f85bd92bc619cbbcbb7b353accb9c549ac5820ce02fcda3ffbb04b6577e7984ac30f0e926a2e95d1aa73e20679e1ca048bf380ddc4fdb33109910f1745

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.20_(x64)_20230805010345_001_dotnet_hostfxr_6.0.20_win_x64.msi.log

Filesize
2KB

MD5
311c1470ac016d59fcd2ef9f8a255ae0

SHA1
4c293591eddb684c359b7bcb1d736eb3301ec91c

SHA256
0babee0141234405f3578104a70a64822ff029c5341de1c5ed383cacf496fb20

SHA512
f56c668fcd3add25beb22b652cb1cd132bfa84515f2bb004e04c4e2ae66d8795614f8658593c2b155de99eb6cad77ca3292570808cde8158718faeb8167e695a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.20_(x64)_20230805010345_002_dotnet_host_6.0.20_win_x64.msi.log

Filesize
2KB

MD5
d7935afb7624b70f17a8b9debf813198

SHA1
1689bf208a6ba728db3371c613cb611d372b22bd

SHA256
69707095242075abf0910e85c317faa6d4bcd8ca3b58041da80431e170af87da

SHA512
79e7d471ebb4ae8962d74b39f022306856a24a72e83541a59de1f9b1827a51912c83964ff70bfbc5cda6869e811a492413e04a605158b1cc312ba3312abf2baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.20_(x64)_20230805010345_003_windowsdesktop_runtime_6.0.20_win_x64.msi.log

Filesize
2KB

MD5
eebee97a61997703f03402f026f01f4f

SHA1
b0fdfead74d4ac6108c1156872dedfa9de1033bb

SHA256
36640e8cfa112dae3adef922511ec0182024a2995223e574510cbd3437cb08a2

SHA512
32ee32ca43c8f9fee26d0a38727c3ea64ce7c7f123efb31113363ce3ea276de97e8940d3c349095a4697aa9f6b758579e2b311ec34db5ef711429b441a29ebab

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF71.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Windows\Installer\MSI2AFE.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI3A21.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI454F.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI454F.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI5FD7.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\f770dbc.msi

Filesize
25.8MB

MD5
078ade8de5dc7e407a286ab952031389

SHA1
00811c7dd80e71a7d97fc1ec9f6c56cced81d33e

SHA256
bc6b4599371da2ab6cc19195dbb5d7ec30b4f9b1535bfee8056da9e1855689e7

SHA512
cf5d5330c279b7c9d721db873409e5b0a400bbfaa175dd7db251b8b7a6969249f847739acc5c6df00bc58191d2c6964c31f4dffa1b720715e027188c942ab591

Download Submit
C:\Windows\Installer\f770dbd.msi

Filesize
804KB

MD5
08914d16e9173ec7bcfa9efb2429b3e9

SHA1
8891064db8b6f55f932c62e5f13af5fdfbae382a

SHA256
52c21d71e67fac67115385d7066a9f80e3cf63ce55e2ff5645006c7dd5d68d2b

SHA512
33fce38ae2229f31552dd391c6afbc9c7ff688f029c31cde0915d032e32f7ee6a7e2b6083747d1c55db5d2004796a35c0de854e6a073baaed333aad5d95e8128

Download Submit
C:\Windows\Installer\f770dce.msi

Filesize
28.4MB

MD5
f8c53e111c603e5895109b0105bb015e

SHA1
5ba1b3ecc1395a7bcd51b122351abb4101e6785b

SHA256
96eaca7ff6f73dd5ff6c6588f023b1ea462bc98893175452c0ec96e265ace9b2

SHA512
66e5b00f1e63cb3c04b166bb466d56598b2047f55eba0d5b049bf01957fa88e23e0fbc3c95a3a3899e57d713f58ec2c7d5e93b9d0ba7563253889eeea5278a50

Download Submit
C:\Windows\Temp\{1BBC6DFC-A104-499A-9551-B3D4EF486643}\.cr\windowsdesktop-runtime-6.0.20-win-x64.exe

Filesize
610KB

MD5
4f0d17ee48ebf364bab9e4ecc004503c

SHA1
18728133071f8dc3587504b5c6da8ea286c4dfd2

SHA256
99f2a911a6c616555db73fa88bbc7917ee61e3e5b1df8c0e1990552469104849

SHA512
d62dc58299b84fe3bf9a929c7ac112988e8c6876625144590f7345c1c30b531c683d89dd4dd498f7e3334230526df6079a3aeebb8d7339a3368370a749f45cfa

Download Submit
C:\Windows\Temp\{1BBC6DFC-A104-499A-9551-B3D4EF486643}\.cr\windowsdesktop-runtime-6.0.20-win-x64.exe

Filesize
610KB

MD5
4f0d17ee48ebf364bab9e4ecc004503c

SHA1
18728133071f8dc3587504b5c6da8ea286c4dfd2

SHA256
99f2a911a6c616555db73fa88bbc7917ee61e3e5b1df8c0e1990552469104849

SHA512
d62dc58299b84fe3bf9a929c7ac112988e8c6876625144590f7345c1c30b531c683d89dd4dd498f7e3334230526df6079a3aeebb8d7339a3368370a749f45cfa

Download Submit
C:\Windows\Temp\{A566064D-B913-4E09-82E6-2974133FF873}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
C:\Windows\Temp\{A566064D-B913-4E09-82E6-2974133FF873}\.be\windowsdesktop-runtime-6.0.20-win-x64.exe

Filesize
610KB

MD5
4f0d17ee48ebf364bab9e4ecc004503c

SHA1
18728133071f8dc3587504b5c6da8ea286c4dfd2

SHA256
99f2a911a6c616555db73fa88bbc7917ee61e3e5b1df8c0e1990552469104849

SHA512
d62dc58299b84fe3bf9a929c7ac112988e8c6876625144590f7345c1c30b531c683d89dd4dd498f7e3334230526df6079a3aeebb8d7339a3368370a749f45cfa

Download Submit
C:\Windows\Temp\{A566064D-B913-4E09-82E6-2974133FF873}\.be\windowsdesktop-runtime-6.0.20-win-x64.exe

Filesize
610KB

MD5
4f0d17ee48ebf364bab9e4ecc004503c

SHA1
18728133071f8dc3587504b5c6da8ea286c4dfd2

SHA256
99f2a911a6c616555db73fa88bbc7917ee61e3e5b1df8c0e1990552469104849

SHA512
d62dc58299b84fe3bf9a929c7ac112988e8c6876625144590f7345c1c30b531c683d89dd4dd498f7e3334230526df6079a3aeebb8d7339a3368370a749f45cfa

Download Submit
C:\Windows\Temp\{A566064D-B913-4E09-82E6-2974133FF873}\.be\windowsdesktop-runtime-6.0.20-win-x64.exe

Filesize
610KB

MD5
4f0d17ee48ebf364bab9e4ecc004503c

SHA1
18728133071f8dc3587504b5c6da8ea286c4dfd2

SHA256
99f2a911a6c616555db73fa88bbc7917ee61e3e5b1df8c0e1990552469104849

SHA512
d62dc58299b84fe3bf9a929c7ac112988e8c6876625144590f7345c1c30b531c683d89dd4dd498f7e3334230526df6079a3aeebb8d7339a3368370a749f45cfa

Download Submit
C:\Windows\Temp\{A566064D-B913-4E09-82E6-2974133FF873}\dotnet_host_6.0.20_win_x64.msi

Filesize
736KB

MD5
d33052a8145dfb8d9d7e819b1bf22471

SHA1
57c2add962115eeb81a8f33713bd0b0bcc87be24

SHA256
17283cf4bf63a5350ea1e7fdc9127703394bdfe49f830c047e5de6904a196f0d

SHA512
35a03b1b71983afa09fb777b621a69e8b0cfc4bd46a938b246a60230f17d08c2f277347abd14876fa92102754a64adacc2a310003e08d9f11160220a7c7cb1c2

Download Submit
C:\Windows\Temp\{A566064D-B913-4E09-82E6-2974133FF873}\dotnet_hostfxr_6.0.20_win_x64.msi

Filesize
804KB

MD5
08914d16e9173ec7bcfa9efb2429b3e9

SHA1
8891064db8b6f55f932c62e5f13af5fdfbae382a

SHA256
52c21d71e67fac67115385d7066a9f80e3cf63ce55e2ff5645006c7dd5d68d2b

SHA512
33fce38ae2229f31552dd391c6afbc9c7ff688f029c31cde0915d032e32f7ee6a7e2b6083747d1c55db5d2004796a35c0de854e6a073baaed333aad5d95e8128

Download Submit
C:\Windows\Temp\{A566064D-B913-4E09-82E6-2974133FF873}\dotnet_runtime_6.0.20_win_x64.msi

Filesize
25.8MB

MD5
078ade8de5dc7e407a286ab952031389

SHA1
00811c7dd80e71a7d97fc1ec9f6c56cced81d33e

SHA256
bc6b4599371da2ab6cc19195dbb5d7ec30b4f9b1535bfee8056da9e1855689e7

SHA512
cf5d5330c279b7c9d721db873409e5b0a400bbfaa175dd7db251b8b7a6969249f847739acc5c6df00bc58191d2c6964c31f4dffa1b720715e027188c942ab591

Download Submit
C:\Windows\Temp\{A566064D-B913-4E09-82E6-2974133FF873}\windowsdesktop_runtime_6.0.20_win_x64.msi

Filesize
28.4MB

MD5
f8c53e111c603e5895109b0105bb015e

SHA1
5ba1b3ecc1395a7bcd51b122351abb4101e6785b

SHA256
96eaca7ff6f73dd5ff6c6588f023b1ea462bc98893175452c0ec96e265ace9b2

SHA512
66e5b00f1e63cb3c04b166bb466d56598b2047f55eba0d5b049bf01957fa88e23e0fbc3c95a3a3899e57d713f58ec2c7d5e93b9d0ba7563253889eeea5278a50

Download Submit
\Program Files\dotnet\dotnet.exe

Filesize
133KB

MD5
1facd7c47a95753464958a7902c92870

SHA1
d59e6ea4c3986c24d53a02d6f030986cf4d3b49f

SHA256
81923c7106eaaa71a5858d20f4618a741316a58125ce9cc7aa2fde31de43bbe8

SHA512
c99f11e2bf27d990409f8a34941391c66c7715c67c832af0e14fa99dc660228ffab246c0243b56d0d10dc0bb801f7248cf48df12ff9dcc42870d1eb787d469bf

Download Submit
\Program Files\dotnet\dotnet.exe

Filesize
133KB

MD5
1facd7c47a95753464958a7902c92870

SHA1
d59e6ea4c3986c24d53a02d6f030986cf4d3b49f

SHA256
81923c7106eaaa71a5858d20f4618a741316a58125ce9cc7aa2fde31de43bbe8

SHA512
c99f11e2bf27d990409f8a34941391c66c7715c67c832af0e14fa99dc660228ffab246c0243b56d0d10dc0bb801f7248cf48df12ff9dcc42870d1eb787d469bf

Download Submit
\Windows\Installer\MSI2AFE.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
\Windows\Installer\MSI3A21.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
\Windows\Installer\MSI454F.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
\Windows\Installer\MSI5FD7.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
\Windows\Temp\{1BBC6DFC-A104-499A-9551-B3D4EF486643}\.cr\windowsdesktop-runtime-6.0.20-win-x64.exe

Filesize
610KB

MD5
4f0d17ee48ebf364bab9e4ecc004503c

SHA1
18728133071f8dc3587504b5c6da8ea286c4dfd2

SHA256
99f2a911a6c616555db73fa88bbc7917ee61e3e5b1df8c0e1990552469104849

SHA512
d62dc58299b84fe3bf9a929c7ac112988e8c6876625144590f7345c1c30b531c683d89dd4dd498f7e3334230526df6079a3aeebb8d7339a3368370a749f45cfa

Download Submit
\Windows\Temp\{A566064D-B913-4E09-82E6-2974133FF873}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit
\Windows\Temp\{A566064D-B913-4E09-82E6-2974133FF873}\.be\windowsdesktop-runtime-6.0.20-win-x64.exe

Filesize
610KB

MD5
4f0d17ee48ebf364bab9e4ecc004503c

SHA1
18728133071f8dc3587504b5c6da8ea286c4dfd2

SHA256
99f2a911a6c616555db73fa88bbc7917ee61e3e5b1df8c0e1990552469104849

SHA512
d62dc58299b84fe3bf9a929c7ac112988e8c6876625144590f7345c1c30b531c683d89dd4dd498f7e3334230526df6079a3aeebb8d7339a3368370a749f45cfa

Download Submit