ece6f1cc55af17d8555fd7ebccfdfb17dff2d3817ce348902b593e8d43ec435b

Analysis

max time kernel
63s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2024, 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windowsdesktop-runtime-6.0.26-win-x64.exe
Size

54.9MB
MD5

fc7c51112cc29b1cb72d82fab00aba93
SHA1

3e6bf16d6f171b0dcc3c630a1bd9371eeb22aa30
SHA256

ece6f1cc55af17d8555fd7ebccfdfb17dff2d3817ce348902b593e8d43ec435b
SHA512

7dd45e746fb0b82c13b91559ac25a39b66b9c94c22e5f9bd91b1dceaff96922b1da2fed152ec36e15f2c7a38e0180508f81807930928c5d0aea225f117a108c4
SSDEEP

1572864:4z1pd8HD1vXqG7nYaXrNF3wZFvxIlYRKrSR5E/:4z1pdKDZXDLnxAxT2w5E/

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{b2476903-b8da-4dcc-903f-378730bb4c48} = "\"C:\\ProgramData\\Package Cache\\{b2476903-b8da-4dcc-903f-378730bb4c48}\\windowsdesktop-runtime-6.0.26-win-x64.exe\" /burn.runonce"	windowsdesktop-runtime-6.0.26-win-x64.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	windowsdesktop-runtime-6.0.26-win-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\api-ms-win-core-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\cs\System.Windows.Controls.Ribbon.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\es\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\de\UIAutomationTypes.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\PresentationCore.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.Tools.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\it\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\de\UIAutomationClientSideProviders.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-crt-process-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\clretwrc.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Collections.Specialized.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pl\UIAutomationClientSideProviders.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Net.NetworkInformation.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\ko\System.Windows.Forms.Design.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\api-ms-win-core-string-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Quic.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\PresentationFramework.Classic.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\cs\UIAutomationProvider.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\zh-Hant\System.Xaml.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\zh-Hant\UIAutomationProvider.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Windows.Presentation.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\System.Windows.Controls.Ribbon.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ru\PresentationUI.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Runtime.CompilerServices.Unsafe.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\zh-Hant\ReachFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\ru\PresentationUI.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\zh-Hans\System.Windows.Forms.Design.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Linq.Queryable.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\api-ms-win-crt-filesystem-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Data.DataSetExtensions.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\System.Security.Cryptography.ProtectedData.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\UIAutomationTypes.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hant\PresentationFramework.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.InteropServices.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Runtime.InteropServices.RuntimeInformation.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\es\ReachFramework.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ja\System.Windows.Forms.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\UIAutomationClient.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Data.DataSetExtensions.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.Compression.Brotli.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Security.Principal.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\msquic.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\dbgshim.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\WindowsBase.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\zh-Hant\System.Windows.Forms.Primitives.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\es\UIAutomationClientSideProviders.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\System.Drawing.Design.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\System.Windows.Controls.Ribbon.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\zh-Hans\UIAutomationTypes.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\ru\Microsoft.VisualBasic.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\de\System.Xaml.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\ko\System.Windows.Forms.Design.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Security.SecureString.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\Microsoft.VisualBasic.Core.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Xml.ReaderWriter.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\PresentationFramework.Aero2.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.Process.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\api-ms-win-core-timezone-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\pl\System.Windows.Forms.Primitives.resources.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.MemoryMappedFiles.dll	msiexec.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Security.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\api-ms-win-core-string-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\cs\System.Windows.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\System.Windows.Forms.dll	msiexec.exe

Drops file in Windows directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI71FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI937F.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1A02C1B1-05BB-49F7-9DFF-99A66C6877FC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI664D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\455ABE78200A4FE46A21F4DF6090B2B5	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID5DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\99A1417CB29562244A9E7B761C0DBFFA\48.100.4028\fileCoreHostExe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7806.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D54.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D81A418F-966D-4069-B3E8-5EE4843CA862}	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\99A1417CB29562244A9E7B761C0DBFFA\CacheSize.txt	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA3FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\455ABE78200A4FE46A21F4DF6090B2B5\48.104.7000\fileCoreHostExe	msiexec.exe
File created	C:\Windows\Installer\e5839c7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F85.tmp	msiexec.exe
File created	C:\Windows\Installer\e5839c2.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e5839bc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI561C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC6A8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC9F5.tmp	msiexec.exe
File created	C:\Windows\Installer\e5839c1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\455ABE78200A4FE46A21F4DF6090B2B5\48.104.7000	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F2A.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1F0EB53C-BE30-436A-BC54-FA364227A870}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7EDD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5839b8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI44C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI606F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6CC7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5839bd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6244.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5839c2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID08F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI68BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D64.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD71.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBCA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\99A1417CB29562244A9E7B761C0DBFFA\CacheSize.txt	msiexec.exe
File created	C:\Windows\Installer\e5839cd.msi	msiexec.exe
File created	C:\Windows\Installer\e5839d1.msi	msiexec.exe
File created	C:\Windows\Installer\e5839bd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D60.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\455ABE78200A4FE46A21F4DF6090B2B5\48.104.7000\fileCoreHostExe	msiexec.exe
File created	C:\Windows\Installer\e5839b8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{87EBA554-A002-4EF4-A612-4FFD06092B5B}	msiexec.exe
File opened for modification	C:\Windows\Installer\e5839cd.msi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4420	windowsdesktop-runtime-6.0.26-win-x64.exe
4708	windowsdesktop-runtime-6.0.26-win-x64.exe

Loads dropped DLL 17 IoCs

pid	Process
4420	windowsdesktop-runtime-6.0.26-win-x64.exe
2060	MsiExec.exe
2060	MsiExec.exe
4184	MsiExec.exe
4184	MsiExec.exe
3356	MsiExec.exe
3356	MsiExec.exe
3356	MsiExec.exe
3356	MsiExec.exe
1788	MsiExec.exe
1788	MsiExec.exe
3472	windowsdesktop-runtime-6.0.25-win-x64.exe
1000	MsiExec.exe
1000	MsiExec.exe
3720	MsiExec.exe
3720	MsiExec.exe
4784	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{b2476903-b8da-4dcc-903f-378730bb4c48}\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.26 (x64)"	windowsdesktop-runtime-6.0.26-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F814A18DD66996043B8EE54E48C38A26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F814A18DD66996043B8EE54E48C38A26\PackageCode = "1B48B8C82FA2FFF4AB90036842526E80"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.104.7000_x64\Dependents\{b2476903-b8da-4dcc-903f-378730bb4c48}	windowsdesktop-runtime-6.0.26-win-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.100.4037_x64\Dependents	windowsdesktop-runtime-6.0.25-win-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.100.4028_x64\Dependents	windowsdesktop-runtime-6.0.25-win-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE2B4453F26E11D47BC9D3EDCA9ED45A\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B1C20A1BB507F94D9FF996AC68677CF\Version = "812129112"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.104.7000_x64	windowsdesktop-runtime-6.0.26-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\ = "{87EBA554-A002-4EF4-A612-4FFD06092B5B}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\SourceList\PackageName = "windowsdesktop-runtime-6.0.26-win-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{1F0EB53C-BE30-436A-BC54-FA364227A870}v48.104.6996\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B1C20A1BB507F94D9FF996AC68677CF\PackageCode = "8666D9FFC1D439440BA6E12A644A7773"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\455ABE78200A4FE46A21F4DF6090B2B5	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\094F9C7997352096B7082D27C35AD959	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\99A1417CB29562244A9E7B761C0DBFFA\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9B2F610EEF10AAF488E2CE4CF34A7915\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B1C20A1BB507F94D9FF996AC68677CF\ProductName = "Microsoft .NET Runtime - 6.0.26 (x64)"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE2B4453F26E11D47BC9D3EDCA9ED45A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\PackageCode = "7FB81F93764F6B944A7BE9E9C514088C"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.104.7000_x64\DisplayName = "Microsoft .NET Runtime - 6.0.26 (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B1C20A1BB507F94D9FF996AC68677CF\SourceList\PackageName = "dotnet-runtime-6.0.26-win-x64.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F814A18DD66996043B8EE54E48C38A26\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F814A18DD66996043B8EE54E48C38A26\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\ProductName = "Microsoft Windows Desktop Runtime - 6.0.26 (x64)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AC19E5024C75C4B778E37867AEE4FBE3	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\99A1417CB29562244A9E7B761C0DBFFA	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C35BE0F103EBA634CB45AF6324728A07	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\094F9C7997352096B7082D27C35AD959\455ABE78200A4FE46A21F4DF6090B2B5	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\068EC39DA9C5A8C40C0E5724C68A1A01	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B1C20A1BB507F94D9FF996AC68677CF\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F814A18DD66996043B8EE54E48C38A26\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\455ABE78200A4FE46A21F4DF6090B2B5	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\455ABE78200A4FE46A21F4DF6090B2B5\Version = "812129112"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\455ABE78200A4FE46A21F4DF6090B2B5\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F814A18DD66996043B8EE54E48C38A26\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B0FAF1CB9E058826D0E13E46DDF543B1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Version = "48.104.7000"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.104.7000_x64\ = "{1A02C1B1-05BB-49F7-9DFF-99A66C6877FC}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1B1C20A1BB507F94D9FF996AC68677CF\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B1C20A1BB507F94D9FF996AC68677CF\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B1C20A1BB507F94D9FF996AC68677CF\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F814A18DD66996043B8EE54E48C38A26\AuthorizedLUAApp = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\99A1417CB29562244A9E7B761C0DBFFA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.104.6996_x64\ = "{1F0EB53C-BE30-436A-BC54-FA364227A870}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.104.6996_x64\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.26 (x64)"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.100.4028_x64	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AC19E5024C75C4B778E37867AEE4FBE3\1B1C20A1BB507F94D9FF996AC68677CF	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F814A18DD66996043B8EE54E48C38A26\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F814A18DD66996043B8EE54E48C38A26\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E8DDC62AC9F52E37032336ACF1E09571	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{b2476903-b8da-4dcc-903f-378730bb4c48}\ = "{b2476903-b8da-4dcc-903f-378730bb4c48}"	windowsdesktop-runtime-6.0.26-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F814A18DD66996043B8EE54E48C38A26\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\455ABE78200A4FE46A21F4DF6090B2B5\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\DOTNET_CLI_HOSTFXR_48.100.4028_X64\DEPENDENTS\{FB0500C1-F968-4621-A48B-985B52884C49}	windowsdesktop-runtime-6.0.25-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B1C20A1BB507F94D9FF996AC68677CF\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{1A02C1B1-05BB-49F7-9DFF-99A66C6877FC}v48.104.7000\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\455ABE78200A4FE46A21F4DF6090B2B5\InstanceType = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\99A1417CB29562244A9E7B761C0DBFFA\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\23C310658A152FD72F6C160480453ADC	msiexec.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2672	msiexec.exe
2672	msiexec.exe
2672	msiexec.exe
2672	msiexec.exe
2672	msiexec.exe
2672	msiexec.exe
2672	msiexec.exe
2672	msiexec.exe
2672	msiexec.exe
2672	msiexec.exe
2672	msiexec.exe
2672	msiexec.exe
2672	msiexec.exe
2672	msiexec.exe
2672	msiexec.exe
2672	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeIncreaseQuotaPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeSecurityPrivilege	2672	msiexec.exe
Token: SeCreateTokenPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeAssignPrimaryTokenPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeLockMemoryPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeIncreaseQuotaPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeMachineAccountPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeTcbPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeSecurityPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeTakeOwnershipPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeLoadDriverPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeSystemProfilePrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeSystemtimePrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeProfSingleProcessPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeIncBasePriorityPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeCreatePagefilePrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeCreatePermanentPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeBackupPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeRestorePrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeShutdownPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeDebugPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeAuditPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeSystemEnvironmentPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeChangeNotifyPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeRemoteShutdownPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeUndockPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeSyncAgentPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeEnableDelegationPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeManageVolumePrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeImpersonatePrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeCreateGlobalPrivilege	4708	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe
Token: SeRestorePrivilege	2672	msiexec.exe
Token: SeTakeOwnershipPrivilege	2672	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4420	windowsdesktop-runtime-6.0.26-win-x64.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 4420	2196	windowsdesktop-runtime-6.0.26-win-x64.exe	88
PID 2196 wrote to memory of 4420	2196	windowsdesktop-runtime-6.0.26-win-x64.exe	88
PID 2196 wrote to memory of 4420	2196	windowsdesktop-runtime-6.0.26-win-x64.exe	88
PID 4420 wrote to memory of 4708	4420	windowsdesktop-runtime-6.0.26-win-x64.exe	94
PID 4420 wrote to memory of 4708	4420	windowsdesktop-runtime-6.0.26-win-x64.exe	94
PID 4420 wrote to memory of 4708	4420	windowsdesktop-runtime-6.0.26-win-x64.exe	94
PID 2672 wrote to memory of 2060	2672	msiexec.exe	100
PID 2672 wrote to memory of 2060	2672	msiexec.exe	100
PID 2672 wrote to memory of 2060	2672	msiexec.exe	100
PID 2672 wrote to memory of 4184	2672	msiexec.exe	101
PID 2672 wrote to memory of 4184	2672	msiexec.exe	101
PID 2672 wrote to memory of 4184	2672	msiexec.exe	101
PID 2672 wrote to memory of 3356	2672	msiexec.exe	103
PID 2672 wrote to memory of 3356	2672	msiexec.exe	103
PID 2672 wrote to memory of 3356	2672	msiexec.exe	103
PID 2672 wrote to memory of 1788	2672	msiexec.exe	104
PID 2672 wrote to memory of 1788	2672	msiexec.exe	104
PID 2672 wrote to memory of 1788	2672	msiexec.exe	104
PID 4708 wrote to memory of 1816	4708	windowsdesktop-runtime-6.0.26-win-x64.exe	105
PID 4708 wrote to memory of 1816	4708	windowsdesktop-runtime-6.0.26-win-x64.exe	105
PID 4708 wrote to memory of 1816	4708	windowsdesktop-runtime-6.0.26-win-x64.exe	105
PID 1816 wrote to memory of 3472	1816	windowsdesktop-runtime-6.0.25-win-x64.exe	106
PID 1816 wrote to memory of 3472	1816	windowsdesktop-runtime-6.0.25-win-x64.exe	106
PID 1816 wrote to memory of 3472	1816	windowsdesktop-runtime-6.0.25-win-x64.exe	106
PID 3472 wrote to memory of 4360	3472	windowsdesktop-runtime-6.0.25-win-x64.exe	107
PID 3472 wrote to memory of 4360	3472	windowsdesktop-runtime-6.0.25-win-x64.exe	107
PID 3472 wrote to memory of 4360	3472	windowsdesktop-runtime-6.0.25-win-x64.exe	107
PID 2672 wrote to memory of 1000	2672	msiexec.exe	108
PID 2672 wrote to memory of 1000	2672	msiexec.exe	108
PID 2672 wrote to memory of 1000	2672	msiexec.exe	108
PID 2672 wrote to memory of 3720	2672	msiexec.exe	109
PID 2672 wrote to memory of 3720	2672	msiexec.exe	109
PID 2672 wrote to memory of 3720	2672	msiexec.exe	109
PID 2672 wrote to memory of 4784	2672	msiexec.exe	110
PID 2672 wrote to memory of 4784	2672	msiexec.exe	110
PID 2672 wrote to memory of 4784	2672	msiexec.exe	110

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.26-win-x64.exe
"C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.26-win-x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\Temp\{1504B98B-DFAD-4222-B32A-69E0F69AA25A}\.cr\windowsdesktop-runtime-6.0.26-win-x64.exe
  "C:\Windows\Temp\{1504B98B-DFAD-4222-B32A-69E0F69AA25A}\.cr\windowsdesktop-runtime-6.0.26-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.26-win-x64.exe" -burn.filehandle.attached=548 -burn.filehandle.self=556
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\Temp\{778A5F3F-E70E-4F81-A006-BB6250E14EA0}\.be\windowsdesktop-runtime-6.0.26-win-x64.exe
    "C:\Windows\Temp\{778A5F3F-E70E-4F81-A006-BB6250E14EA0}\.be\windowsdesktop-runtime-6.0.26-win-x64.exe" -q -burn.elevated BurnPipe.{0B73CED7-0185-4CE6-8CA3-58624097A8F7} {B04EEE17-5A6D-4BA8-9C77-9047194B7376} 4420
    3⤵
    - Adds Run key to start application
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe
      "C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={b2476903-b8da-4dcc-903f-378730bb4c48} -burn.filehandle.self=1132 -burn.embedded BurnPipe.{7F202FB4-EC7E-43F2-BA89-FCEDE89A0BD9} {0B8198FE-A8CF-47B2-8FF5-F9E8D0A86B26} 4708
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe
        
        "C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={b2476903-b8da-4dcc-903f-378730bb4c48} -burn.filehandle.self=1132 -burn.embedded BurnPipe.{7F202FB4-EC7E-43F2-BA89-FCEDE89A0BD9} {0B8198FE-A8CF-47B2-8FF5-F9E8D0A86B26} 4708
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3472
      - C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe
        
        "C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe" -q -burn.elevated BurnPipe.{1891A99F-DB08-4203-BC8C-F03AB115D0F3} {E38DC1A3-EB31-4075-9482-F1AC20B072CC} 3472
        6⤵
        Modifies registry class
        
        PID:4360

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E72CEEB19CA132C0A3A067D7BDFA7298
  2⤵
  - Loads dropped DLL
  PID:2060
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BA95A6AD12BCF40DF1BA628D28D1087C
  2⤵
  - Loads dropped DLL
  PID:4184
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8B3849D5579F977D61126AEEF4BBE4D1
  2⤵
  - Loads dropped DLL
  PID:3356
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8097EA5B835B08631F040AFB7368E457
  2⤵
  - Loads dropped DLL
  PID:1788
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 133E776EDFE14227A3C9DE4E51D43F37
  2⤵
  - Loads dropped DLL
  PID:1000
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 52DE3626550ADECEA508BDF33B852513
  2⤵
  - Loads dropped DLL
  PID:3720
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A537B27E81C331CF40A05430164FCE17
  2⤵
  - Loads dropped DLL
  PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5839bb.rbs

Filesize
56KB

MD5
89a106f475db8a18a50f4491a5b7ed3c

SHA1
6b4f86a2ac93981960c1b28835902547ba18703d

SHA256
60e167d77b314962775789ad7513d6e6c8e637f25099acc7979fb35d92545150

SHA512
22c0176aa862278c82829f6df1db9463d103423b748ee717845a2bb0bdb00c7b7f28a7869caf47479ebf00fab9a5aa6227466ac16ec172d05509f595bae160f0

Download Submit
C:\Config.Msi\e5839c0.rbs

Filesize
9KB

MD5
0a27eb3873e6cc9423a4b3b4d856815e

SHA1
e1dc41d0536a43a1c54c2634d1f3dfa40751b60b

SHA256
c6d48beb146db3c4d04865d2dabfcb0b20a9e6921d51dc77097c9b282576d682

SHA512
9ed745677663d2b75e5a6d662f969d8270a4cf00969eb3cc867ed0087ea0c0219fbeea167828458545666f03123937b61933703fbb699d91bfa7f659a89f2192

Download Submit
C:\Config.Msi\e5839c5.rbs

Filesize
11KB

MD5
488f51ad3771ee459a7df5d427d6ce8b

SHA1
49edfbc8e4fe3aa6166f3c2c1dd7a45028b8b9a8

SHA256
159595beff2cd894aae153bb3186bc283d5cf809ae710ebd2f62d3b27a3fbe21

SHA512
c06df3ade861fa0f023430c6153e67732c6f3a6dd3331f9f707c541bdbf8e76294ce458277c004411e502b7ac197952b21d7ddb51e36915c48b75651fb2228d2

Download Submit
C:\Config.Msi\e5839ca.rbs

Filesize
8KB

MD5
008bc1b44f549b4634830d7b41bb16cf

SHA1
1042a110c91e3a88d72d6d2d3ae1cce83f1c9012

SHA256
05560bb1a720f7830767b39d1f80b6a736c7027b73b92b1d511a28dac6b3687d

SHA512
6c49b3614767f082386ea104be72885578ec5c9528ee4887f2b137da3c821719fed0bc2f468308c4a18c9b9a90afb79429649821fcc281a6b623783171d30bab

Download Submit
C:\Config.Msi\e5839cc.rbf

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Config.Msi\e5839d0.rbs

Filesize
87KB

MD5
7d3f42d3a6d791c3c3959d848fe45d43

SHA1
c511faa1a576f6be01929ee66c8bd5f8cc24252f

SHA256
7418d5f1b4e580e329a3d2b72e34a943d2bad4f165e58f96d4ceb4720c2683bd

SHA512
d2272aff5259ae47b83c0b2821ec63a59799bd036ac2e0770e91bac39e10d6cb9b8ea99a929b39acbbcd3c250afd0885193bcd4b4e75b3ea6eaf248e74af4d47

Download Submit
C:\Config.Msi\e5839d4.rbs

Filesize
132KB

MD5
9a7662b2f1dc9ad0671246b8968f1856

SHA1
62c37a11d86e22975bd5de8331eced3ed4aeacd1

SHA256
2f68bae966fc56c9501caee54ebc8480a808104a1e8c45d1b1a02d5a55d25c68

SHA512
4d2e04fc09398ab8bd26857a75539e015c91a062b226fc0aa16f19d7c542c9b76afb2611949069a2df3dfd90b3c6580588e383dabdea8abdb48761987b30e6a8

Download Submit
C:\Config.Msi\e583af1.rbs

Filesize
8KB

MD5
db7cd8ed3d13b4a995c5849dc1230429

SHA1
c76ab8e72c91e2570c764df15975dec87c410dbe

SHA256
ad0125fa743ad63c013ac5682504896a1809fce55d7cde1542f29efd315e37be

SHA512
bd2d17200eaa808fe5649443ff043b833ed36ff516f07d600220e960baf1db1a21f871c0af339fb593fbd87c63cce2934673b250391a9b554ed9020eed987ae7

Download Submit
C:\Program Files\dotnet\ThirdPartyNotices.txt

Filesize
78KB

MD5
f77a4aecfaf4640d801eb6dcdfddc478

SHA1
7424710f255f6205ef559e4d7e281a3b701183bb

SHA256
d5db0ed54363e40717ae09e746dec99ad5b09223cc1273bb870703176dd226b7

SHA512
1b729dfa561899980ba8b15128ea39bc1e609fe07b30b283001fd9cf9da62885d78c18082d0085edd81f09203f878549b48f7f888a8486a2a526b134c849fd6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240114174234_000_windowsdesktop_runtime_6.0.25_win_x64.msi.log

Filesize
1KB

MD5
4535fba645f534f8d55d0dcd6dd0246e

SHA1
2b957bd52175a9d4c1b71f218d83b11763df113f

SHA256
6b7867b62aa8b339c0e7fb94e89306d1cb095f208285d9e33856bd4d52b53ed7

SHA512
fd92dddf171689eb198918f7460976eb194fd9b2930a33d30692f385ae0df01865ba072071946f95f4be0bb3988e338fd470c4b2dd0ed6d6ee3d7eb2164bac91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240114174234_001_dotnet_hostfxr_6.0.25_win_x64.msi.log

Filesize
1KB

MD5
1c6886aa5e92846bc0df4dc0003e49b4

SHA1
51a6fdd16513b1ed19659533299fab09aa99a2b5

SHA256
3ee44c839d910384e0e8e1a24483e258aa14e8840d859180f20207b93112a9d1

SHA512
75ae412de2e7c0002bead474b68927d0433deffc7d987c250053b437baa26fd26453851dd48c6b5e5d35d22906f20de3408f58db90d4a86f182083838709c4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240114174234_002_dotnet_runtime_6.0.25_win_x64.msi.log

Filesize
1KB

MD5
052fe6c8674684621325e4de75165bf5

SHA1
2d8efccfd8e39dc1e99b24c3dd09c5d8e0a6487b

SHA256
a2c137888ced571a208d29f50c19973f43869308256e9b2fca1ebc9ca012a3a3

SHA512
2c7a1686a6e565307605a0ed43aa07310a7f9c8328225cefc88c966f07df50fcfc58153cfab0cda02305f6a156be6546e0eb5533cadf3ac1b796fca937c9cb77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.26_(x64)_20240114174156_000_dotnet_runtime_6.0.26_win_x64.msi.log

Filesize
2KB

MD5
f68598de49296b7bfd1644568e72a336

SHA1
009115df09b34f6da0c32fef25d5fed8b09f62d5

SHA256
eef69feb088cf3ac5dc6cc2921e49d0442f49aa4079b57c9c645b8b580fdcba3

SHA512
64029395fd445225ebfffe80edda530fb7827bd3484c9b5dfc080c7ad72a9a392dff315c33b88134b153b3a65d5b08d73d2f440cb7e4ed33a2e21ad291d1d0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.26_(x64)_20240114174156_001_dotnet_hostfxr_6.0.26_win_x64.msi.log

Filesize
2KB

MD5
56c61db2822622675cae69b84c604270

SHA1
7103e5611b680ec96f47859bcbaa5f89482ec3cd

SHA256
81dbb834d55e07393470a87c4cc2f99c43adb5fcc1a1554cedcb1cca9a9f1c39

SHA512
95256444cb3280f91191f52e82ca3c7ed39dc2c89af2499058e14fa09fb9db3e0e93d9d0ddbbffbdd2a7433dd6ee16a9d8c3f1469fbc79eb7ea6152f43d898ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.26_(x64)_20240114174156_002_dotnet_host_6.0.26_win_x64.msi.log

Filesize
2KB

MD5
ca89a59173d82d2ff9c9da48041df09b

SHA1
1b01a59b637391b7d97a83712dd6cc61dfd793c1

SHA256
521d3e6cea157019ec35360f8ccbac989b0a4ea9ae1b4e0373b77c9199dbdf39

SHA512
44938d2eacb4085b2f3910215f73e453b2d7aac0c135aefd643fb476bba982c76fba1cd900bc260a09e93792f398d5a6f7e8b6453e8a5c81eb3381e8a8807bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.26_(x64)_20240114174156_003_windowsdesktop_runtime_6.0.26_win_x64.msi.log

Filesize
3KB

MD5
3bab06e69cb3324e602528764d08bbeb

SHA1
9f17c1df9b6256f8f5235feb94b0035089339ce8

SHA256
858ad95f7b3efe8bba9f816735d08869731f0e84fe9a849075518e53f58d437f

SHA512
2d1e06a3be554d60190ddde4f99f79a9e29fd1550d3c8af0261e78a35559cb41d1698e154d29c74be01e986417937fd829c6fee7dbdd0b895aaa608079c61cb6

Download Submit
C:\Windows\Installer\MSI3F85.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\e5839bc.msi

Filesize
25.7MB

MD5
9ea1b86b11ced48d3b9ed4b1875fffd3

SHA1
bb9be48b64b4313add44ea95d53a0acd362bb8ee

SHA256
c5a8ead78b435aa197ac29e0581378c6de27f7ae4c1b14d539873958bbc570ec

SHA512
209e585d2a224d703b312d626021be2ae70ad01ab760114620ec90a05291193127e1138afe9f3d0961e8eabb31e0e38033979ea4ee3eea4e240567a23b13d0d5

Download Submit
C:\Windows\Installer\e5839d1.msi

Filesize
28.7MB

MD5
4ef28afd40eab4eeab3149e44351920d

SHA1
b38bd7d0a51f91f9aba5926c957034ea085a702c

SHA256
01d5cac49827975425150a9e0a72ec9a8e4fbbe31ccfe05dd1f7204127908ac9

SHA512
dd9b38de3664245558d2a5e22c94534a05c5c7624af778de1e88a808b65e537f2309534ba483b4f980ff63522e91b0a4971d0bbf55b5ba8fdfe22ae02d76528e

Download Submit
C:\Windows\Temp\{1504B98B-DFAD-4222-B32A-69E0F69AA25A}\.cr\windowsdesktop-runtime-6.0.26-win-x64.exe

Filesize
610KB

MD5
5bbbb2ba4b75d5e5a9d7652c8751d381

SHA1
738739ded497bbccd5fb2d591cf44da8da875cb9

SHA256
7bb5639fcf35a5c8bac2867fbe6670aa3511367a06e8b094cff7aa13debd4d2f

SHA512
119c69e611ca329439c08695420062fcb8dde03f05c9bc0438da924ca38f99eee9530a0a8ab9cafe760e76ef1654077d019ef9aa13adbc4cf2df60c537b1f4e1

Download Submit
C:\Windows\Temp\{6F6D20CD-BCFF-4CCB-9531-3631A61FDF3C}\.ba\1033\thm.wxl

Filesize
5KB

MD5
d5070cb3387a0a22b7046ae5ab53f371

SHA1
bc9da146a42bbf9496de059ac576869004702a97

SHA256
81a68046b06e09385be8449373e7ceb9e79f7724c3cf11f0b18a4489a8d4926a

SHA512
8fcf621fb9ce74725c3712e06e5b37b619145078491e828c6069e153359de3bd5486663b1fa6f3bcf1c994d5c556b9964ea1a1355100a634a6c700ef37d381e3

Download Submit
C:\Windows\Temp\{778A5F3F-E70E-4F81-A006-BB6250E14EA0}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
C:\Windows\Temp\{778A5F3F-E70E-4F81-A006-BB6250E14EA0}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit
C:\Windows\Temp\{778A5F3F-E70E-4F81-A006-BB6250E14EA0}\dotnet_host_6.0.26_win_x64.msi

Filesize
736KB

MD5
2975110113299f19f0d32be131b7b2f4

SHA1
ce6d9b72878e510b38cc5d0064fda7eb08d93d90

SHA256
d09987771e1a930bfa35c0db1e0ac70c76a7eb8e59247437ea326ee29002c4d0

SHA512
b6de60e3fc5332704a6d7b8c17357aeb5bdf3028895cbcfb4bd66d10fbc47ad70d5eff9e533ee6275baee461f9bddc6c0ada4f76e84e5366d48353d7de314506

Download Submit
C:\Windows\Temp\{778A5F3F-E70E-4F81-A006-BB6250E14EA0}\dotnet_hostfxr_6.0.26_win_x64.msi

Filesize
804KB

MD5
51ada9b6c77551b7a3ea5832acc92aa2

SHA1
b25835b87d89e2a49dd9ff44d6809c6d50abad19

SHA256
7de32d48fc2f2c65eccff56f0150f800ea3df87c2bd6f42d703d74e1c5fb0aaa

SHA512
5ea9b87735d0450b5493c8683214f6054d5fb8e77ed7a82d75bea39bdee59b3bb5a67512131b7db5e9c78cbabc8ff1b1d2fe6d0971b7b36a85fd8b4ade88c53f

Download Submit
C:\Windows\Temp\{778A5F3F-E70E-4F81-A006-BB6250E14EA0}\dotnet_runtime_6.0.26_win_x64.msi

Filesize
9.1MB

MD5
8c901925ef13021a2986fb301338fe9e

SHA1
605d24686cf1bf23374ded1db708ecc575abfd0b

SHA256
f83fe8b42d5cdd5a4184f60cc2d5a4bb8ca405d41de27bec2c663dd3dab500f8

SHA512
4d5a9f0f512489056b421bd4006f1cefabf01b0a48fdfe5fc396201b860b2e39d21365c6dc4c3e09e107c351a68801ec8675c854a43debfc29e645e4b83a09b3

Download Submit
C:\Windows\Temp\{778A5F3F-E70E-4F81-A006-BB6250E14EA0}\windowsdesktop_runtime_6.0.26_win_x64.msi

Filesize
7.5MB

MD5
2508d4db28230b9d4f3f6c3ab3f88ba9

SHA1
fe20e78923f09e8c0f7a6b6dfcd92a6ab276241c

SHA256
c025c5f55ccbbef8bb0583e03bab746fb76133122b5261ea32934c6292a2e328

SHA512
4e5318706f320cd814e8c35500f0b2d103567fc35de336dc7c4b424a1921fab8fef92e6afb37019724b274624836f3124eda14ddb5241e6184c56e6166a52d62

Download Submit