74db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175

Analysis

max time kernel
74s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2023, 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NovaInstaller.exe
Size

152.1MB
MD5

6196a6ac54713dc0d11c7ebab96bc6d0
SHA1

594c07c73f5844f74dc80b79f9d29ae0c9591f3f
SHA256

74db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175
SHA512

613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7
SSDEEP

786432:65Nre6UmdCvF4N3RtI9n1gqBf8ICtZNXDPWsUwZnb5xFTtLwSTRpf4P1wT1vdvmu:A5UmamUyqtSyctjdegUc

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	windowsdesktop-runtime-6.0.15-win-x64.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation	vc_redist.x64.exe

Executes dropped EXE 6 IoCs

pid	Process
1904	windowsdesktop-runtime-6.0.15-win-x64.exe
4220	windowsdesktop-runtime-6.0.15-win-x64.exe
2800	windowsdesktop-runtime-6.0.21-win-x64.exe
904	vc_redist.x64.exe
4476	vc_redist.x64.exe
3588	VC_redist.x64.exe

Loads dropped DLL 5 IoCs

pid	Process
1384	NovaInstaller.exe
1384	NovaInstaller.exe
1384	NovaInstaller.exe
4220	windowsdesktop-runtime-6.0.15-win-x64.exe
4476	vc_redist.x64.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{0f39db03-9030-48f3-82ef-5384bed81d85} = "\"C:\\ProgramData\\Package Cache\\{0f39db03-9030-48f3-82ef-5384bed81d85}\\windowsdesktop-runtime-6.0.21-win-x64.exe\" /burn.runonce"	windowsdesktop-runtime-6.0.21-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8bdfe669-9705-4184-9368-db9ce581e0e7} = "\"C:\\ProgramData\\Package Cache\\{8bdfe669-9705-4184-9368-db9ce581e0e7}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 6.0.21 (x64).swidtag	windowsdesktop-runtime-6.0.21-win-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3088	4220	WerFault.exe	97
5380	4476	WerFault.exe	103

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000ce060165ac6eec080000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000ce0601650000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900ce060165000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dce060165000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000ce06016500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\ = "{8bdfe669-9705-4184-9368-db9ce581e0e7}"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\Version = "14.36.32532.0"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\Dependents\{8bdfe669-9705-4184-9368-db9ce581e0e7}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85}	windowsdesktop-runtime-6.0.21-win-x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85}\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.21 (x64)"	windowsdesktop-runtime-6.0.21-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85}\Dependents\{0f39db03-9030-48f3-82ef-5384bed81d85}	windowsdesktop-runtime-6.0.21-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85}\Dependents	windowsdesktop-runtime-6.0.21-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\Dependents	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85}\ = "{0f39db03-9030-48f3-82ef-5384bed81d85}"	windowsdesktop-runtime-6.0.21-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0f39db03-9030-48f3-82ef-5384bed81d85}\Version = "6.0.21.32717"	windowsdesktop-runtime-6.0.21-win-x64.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1384	NovaInstaller.exe
Token: SeBackupPrivilege	3940	vssvc.exe
Token: SeRestorePrivilege	3940	vssvc.exe
Token: SeAuditPrivilege	3940	vssvc.exe
Token: SeBackupPrivilege	5272	srtasks.exe
Token: SeRestorePrivilege	5272	srtasks.exe
Token: SeSecurityPrivilege	5272	srtasks.exe
Token: SeTakeOwnershipPrivilege	5272	srtasks.exe
Token: SeBackupPrivilege	5272	srtasks.exe
Token: SeRestorePrivilege	5272	srtasks.exe
Token: SeSecurityPrivilege	5272	srtasks.exe
Token: SeTakeOwnershipPrivilege	5272	srtasks.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 1904	1384	NovaInstaller.exe	96
PID 1384 wrote to memory of 1904	1384	NovaInstaller.exe	96
PID 1384 wrote to memory of 1904	1384	NovaInstaller.exe	96
PID 1904 wrote to memory of 4220	1904	windowsdesktop-runtime-6.0.15-win-x64.exe	97
PID 1904 wrote to memory of 4220	1904	windowsdesktop-runtime-6.0.15-win-x64.exe	97
PID 1904 wrote to memory of 4220	1904	windowsdesktop-runtime-6.0.15-win-x64.exe	97
PID 4220 wrote to memory of 2800	4220	windowsdesktop-runtime-6.0.15-win-x64.exe	98
PID 4220 wrote to memory of 2800	4220	windowsdesktop-runtime-6.0.15-win-x64.exe	98
PID 4220 wrote to memory of 2800	4220	windowsdesktop-runtime-6.0.15-win-x64.exe	98
PID 1384 wrote to memory of 904	1384	NovaInstaller.exe	102
PID 1384 wrote to memory of 904	1384	NovaInstaller.exe	102
PID 1384 wrote to memory of 904	1384	NovaInstaller.exe	102
PID 904 wrote to memory of 4476	904	vc_redist.x64.exe	103
PID 904 wrote to memory of 4476	904	vc_redist.x64.exe	103
PID 904 wrote to memory of 4476	904	vc_redist.x64.exe	103
PID 4476 wrote to memory of 3588	4476	vc_redist.x64.exe	105
PID 4476 wrote to memory of 3588	4476	vc_redist.x64.exe	105
PID 4476 wrote to memory of 3588	4476	vc_redist.x64.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe
  "windowsdesktop-runtime-6.0.15-win-x64.exe" /S
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\Temp\{B24B4591-0E2B-4212-BC83-97256CE5E8E9}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe
    "C:\Windows\Temp\{B24B4591-0E2B-4212-BC83-97256CE5E8E9}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe" -burn.filehandle.attached=696 -burn.filehandle.self=700 /S
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Windows\Temp\{8A1E676C-AEEA-4D02-80EF-D0489D74400D}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe
      "C:\Windows\Temp\{8A1E676C-AEEA-4D02-80EF-D0489D74400D}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe" -q -burn.elevated BurnPipe.{61139AD6-B46C-4E03-BAC5-A7F4B5FB3674} {67B40588-204F-4664-BE2F-021D62E42442} 4220
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      PID:2800
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4220 -s 1192
      4⤵
      Program crash
      PID:3088
- C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe
  "vc_redist.x64.exe" /install /quiet /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\Temp\{2E0765D2-532C-46AC-A2A2-4252BA0F8800}\.cr\vc_redist.x64.exe
    "C:\Windows\Temp\{2E0765D2-532C-46AC-A2A2-4252BA0F8800}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=552 /install /quiet /norestart
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\Temp\{32E73A30-F13D-4616-80DA-148762199494}\.be\VC_redist.x64.exe
      "C:\Windows\Temp\{32E73A30-F13D-4616-80DA-148762199494}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{359BF8D3-4D7D-428B-9419-2F2E4CC0FCEB} {AAD069AE-6A21-4E5A-B006-516246B9638E} 4476
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      PID:3588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1364
      4⤵
      Program crash
      PID:5380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4220 -ip 4220
1⤵
PID:1324

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4476 -ip 4476
1⤵
PID:5356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Package Cache\{0f39db03-9030-48f3-82ef-5384bed81d85}\state.rsm

Filesize
964B

MD5
1e627e8139a123134125371da147c042

SHA1
25158b039c5a671ef7c17360460f08297278adde

SHA256
7eaabf2e3d43c49da6d197cdeea33a1d6192243e6cca10e8a35c4df3d369d6e9

SHA512
253e3ed5eb84dd3cb02a88fe1df6dc2282cb8c9fe0f67eb926596f9a0b0c74058b917aeabaf047e6f51c2416e7b283e257f84ec581dabc7158551b600f224e70

Download Submit
C:\ProgramData\Package Cache\{0f39db03-9030-48f3-82ef-5384bed81d85}\windowsdesktop-runtime-6.0.21-win-x64.exe

Filesize
610KB

MD5
ff67a2a55ed6998ab527273d547fc00f

SHA1
852712b95ca05de8f336f07ff9ac672281b91215

SHA256
71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

SHA512
48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\D3DCompiler_47_cor3.dll

Filesize
4.7MB

MD5
2191e768cc2e19009dad20dc999135a3

SHA1
f49a46ba0e954e657aaed1c9019a53d194272b6a

SHA256
7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

SHA512
5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\PresentationNative_cor3.dll

Filesize
1.2MB

MD5
c7bcc68b81e965fe74ef58d503c58deb

SHA1
99990f204f7318eeb8de6f9664ebcd0d42ea81b7

SHA256
06cb4da78f5cfddece86329241a2af9d6390ce1082b02f7db2e3bf320215a23e

SHA512
cab2bc27eca0ee097324a2471c8228f1723cfef5df9971359eec7710082c122b26a7aa1d1e6faab75389438a358bbff2973ad67e8dd9046455b4c4ac880d858c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\wpfgfx_cor3.dll

Filesize
1.9MB

MD5
1b01746fe61beb761a643050823190b0

SHA1
927b12e4a733bcc51545c6a005838a24b8dc4dda

SHA256
f8c4d6eb1cfa9c5b6fb322a0c818a4f5d5ee44043c259e0262c0460513953fb8

SHA512
83eeb187e554588a5a4efbce0fcb7e9c30e718ec9f6d797a7add28036e3d4506cd3e78386522467d7ac967a60ac509a23edd79a1b9032a7e230d980b9f36080a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe

Filesize
24.2MB

MD5
077f0abdc2a3881d5c6c774af821f787

SHA1
c483f66c48ba83e99c764d957729789317b09c6b

SHA256
917c37d816488545b70affd77d6e486e4dd27e2ece63f6bbaaf486b178b2b888

SHA512
70a888d5891efd2a48d33c22f35e9178bd113032162dc5a170e7c56f2d592e3c59a08904b9f1b54450c80f8863bda746e431b396e4c1624b91ff15dd701bd939

Download Submit
C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe

Filesize
24.2MB

MD5
077f0abdc2a3881d5c6c774af821f787

SHA1
c483f66c48ba83e99c764d957729789317b09c6b

SHA256
917c37d816488545b70affd77d6e486e4dd27e2ece63f6bbaaf486b178b2b888

SHA512
70a888d5891efd2a48d33c22f35e9178bd113032162dc5a170e7c56f2d592e3c59a08904b9f1b54450c80f8863bda746e431b396e4c1624b91ff15dd701bd939

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe

Filesize
54.7MB

MD5
1a6d60add2d112dd73e83fb46dca474d

SHA1
8b374a54f508cfdb8c8176bfaef96f37edf7170b

SHA256
aa0c922c9c65f11b75747343b4711a0bdc8dc8ac1bd38da7c3ecd01ce28c8545

SHA512
49192c5141bb04dc19483e8b1adec9c6f56fa54ef8c55e2f4fa4aae73abf9119bb7b1dff3d8f9b3307c50de8989669398a5f6d8dc4323b81b6a1def5ee6c6e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe

Filesize
54.7MB

MD5
1a6d60add2d112dd73e83fb46dca474d

SHA1
8b374a54f508cfdb8c8176bfaef96f37edf7170b

SHA256
aa0c922c9c65f11b75747343b4711a0bdc8dc8ac1bd38da7c3ecd01ce28c8545

SHA512
49192c5141bb04dc19483e8b1adec9c6f56fa54ef8c55e2f4fa4aae73abf9119bb7b1dff3d8f9b3307c50de8989669398a5f6d8dc4323b81b6a1def5ee6c6e79

Download Submit
C:\Windows\Temp\{2E0765D2-532C-46AC-A2A2-4252BA0F8800}\.cr\vc_redist.x64.exe

Filesize
635KB

MD5
35e545dac78234e4040a99cbb53000ac

SHA1
ae674cc167601bd94e12d7ae190156e2c8913dc5

SHA256
9a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6

SHA512
bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3

Download Submit
C:\Windows\Temp\{2E0765D2-532C-46AC-A2A2-4252BA0F8800}\.cr\vc_redist.x64.exe

Filesize
635KB

MD5
35e545dac78234e4040a99cbb53000ac

SHA1
ae674cc167601bd94e12d7ae190156e2c8913dc5

SHA256
9a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6

SHA512
bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3

Download Submit
C:\Windows\Temp\{32E73A30-F13D-4616-80DA-148762199494}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{32E73A30-F13D-4616-80DA-148762199494}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{32E73A30-F13D-4616-80DA-148762199494}\.be\VC_redist.x64.exe

Filesize
635KB

MD5
35e545dac78234e4040a99cbb53000ac

SHA1
ae674cc167601bd94e12d7ae190156e2c8913dc5

SHA256
9a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6

SHA512
bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3

Download Submit
C:\Windows\Temp\{32E73A30-F13D-4616-80DA-148762199494}\.be\VC_redist.x64.exe

Filesize
635KB

MD5
35e545dac78234e4040a99cbb53000ac

SHA1
ae674cc167601bd94e12d7ae190156e2c8913dc5

SHA256
9a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6

SHA512
bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3

Download Submit
C:\Windows\Temp\{32E73A30-F13D-4616-80DA-148762199494}\.be\VC_redist.x64.exe

Filesize
635KB

MD5
35e545dac78234e4040a99cbb53000ac

SHA1
ae674cc167601bd94e12d7ae190156e2c8913dc5

SHA256
9a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6

SHA512
bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3

Download Submit
C:\Windows\Temp\{8A1E676C-AEEA-4D02-80EF-D0489D74400D}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
C:\Windows\Temp\{8A1E676C-AEEA-4D02-80EF-D0489D74400D}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit
C:\Windows\Temp\{8A1E676C-AEEA-4D02-80EF-D0489D74400D}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe

Filesize
610KB

MD5
ff67a2a55ed6998ab527273d547fc00f

SHA1
852712b95ca05de8f336f07ff9ac672281b91215

SHA256
71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

SHA512
48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

Download Submit
C:\Windows\Temp\{8A1E676C-AEEA-4D02-80EF-D0489D74400D}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe

Filesize
610KB

MD5
ff67a2a55ed6998ab527273d547fc00f

SHA1
852712b95ca05de8f336f07ff9ac672281b91215

SHA256
71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

SHA512
48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

Download Submit
C:\Windows\Temp\{8A1E676C-AEEA-4D02-80EF-D0489D74400D}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe

Filesize
610KB

MD5
ff67a2a55ed6998ab527273d547fc00f

SHA1
852712b95ca05de8f336f07ff9ac672281b91215

SHA256
71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

SHA512
48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

Download Submit
C:\Windows\Temp\{B24B4591-0E2B-4212-BC83-97256CE5E8E9}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

Filesize
610KB

MD5
ff67a2a55ed6998ab527273d547fc00f

SHA1
852712b95ca05de8f336f07ff9ac672281b91215

SHA256
71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

SHA512
48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

Download Submit
C:\Windows\Temp\{B24B4591-0E2B-4212-BC83-97256CE5E8E9}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

Filesize
610KB

MD5
ff67a2a55ed6998ab527273d547fc00f

SHA1
852712b95ca05de8f336f07ff9ac672281b91215

SHA256
71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

SHA512
48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

Download Submit
memory/1384-36-0x00000245A4260000-0x00000245A4273000-memory.dmp

Filesize
76KB

Download
memory/1384-39-0x00000245A2920000-0x00000245A2927000-memory.dmp

Filesize
28KB

Download
memory/1384-69-0x00000245C49E0000-0x00000245C4A0A000-memory.dmp

Filesize
168KB

Download
memory/1384-183-0x00007FF7A9AA0000-0x00007FF7AA3CD000-memory.dmp

Filesize
9.2MB

Download
memory/1384-66-0x00000245C4A20000-0x00000245C4A67000-memory.dmp

Filesize
284KB

Download
memory/1384-63-0x00000245A4290000-0x00000245A4298000-memory.dmp

Filesize
32KB

Download
memory/1384-60-0x00000245C4F60000-0x00000245C5054000-memory.dmp

Filesize
976KB

Download
memory/1384-54-0x00000245C4930000-0x00000245C4942000-memory.dmp

Filesize
72KB

Download
memory/1384-51-0x00000245C4910000-0x00000245C4928000-memory.dmp

Filesize
96KB

Download
memory/1384-48-0x00000245C4960000-0x00000245C49A0000-memory.dmp

Filesize
256KB

Download
memory/1384-45-0x00000245A42A0000-0x00000245A42B6000-memory.dmp

Filesize
88KB

Download
memory/1384-72-0x00000245C9230000-0x00000245C9A4C000-memory.dmp

Filesize
8.1MB

Download
memory/1384-42-0x00000245A4240000-0x00000245A4259000-memory.dmp

Filesize
100KB

Download
memory/1384-5-0x0000000180000000-0x0000000180A25000-memory.dmp

Filesize
10.1MB

Download
memory/1384-33-0x00000245A28D0000-0x00000245A28D5000-memory.dmp

Filesize
20KB

Download
memory/1384-30-0x00000245A28C0000-0x00000245A28CD000-memory.dmp

Filesize
52KB

Download
memory/1384-27-0x00000245C4890000-0x00000245C490F000-memory.dmp

Filesize
508KB

Download
memory/1384-24-0x00000245C67B0000-0x00000245C6FF2000-memory.dmp

Filesize
8.3MB

Download
memory/1384-21-0x00000245A28E0000-0x00000245A291E000-memory.dmp

Filesize
248KB

Download
memory/1384-18-0x00000245A41F0000-0x00000245A4234000-memory.dmp

Filesize
272KB

Download
memory/1384-15-0x00000245C4D00000-0x00000245C4E5E000-memory.dmp

Filesize
1.4MB

Download
memory/1384-12-0x00000245C4AD0000-0x00000245C4CF8000-memory.dmp

Filesize
2.2MB

Download
memory/1384-8-0x00000245C5820000-0x00000245C67A8000-memory.dmp

Filesize
15.5MB

Download
memory/1384-9-0x00007FF7A9AA0000-0x00007FF7AA3CD000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads