ece6f1cc55af17d8555fd7ebccfdfb17dff2d3817ce348902b593e8d43ec435b

Analysis

max time kernel
122s
max time network
131s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/02/2024, 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windowsdesktop-runtime-6.0.26-win-x64.exe
Size

54.9MB
MD5

fc7c51112cc29b1cb72d82fab00aba93
SHA1

3e6bf16d6f171b0dcc3c630a1bd9371eeb22aa30
SHA256

ece6f1cc55af17d8555fd7ebccfdfb17dff2d3817ce348902b593e8d43ec435b
SHA512

7dd45e746fb0b82c13b91559ac25a39b66b9c94c22e5f9bd91b1dceaff96922b1da2fed152ec36e15f2c7a38e0180508f81807930928c5d0aea225f117a108c4
SSDEEP

1572864:4z1pd8HD1vXqG7nYaXrNF3wZFvxIlYRKrSR5E/:4z1pdKDZXDLnxAxT2w5E/

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{b2476903-b8da-4dcc-903f-378730bb4c48} = "\"C:\\ProgramData\\Package Cache\\{b2476903-b8da-4dcc-903f-378730bb4c48}\\windowsdesktop-runtime-6.0.26-win-x64.exe\" /burn.runonce"	windowsdesktop-runtime-6.0.26-win-x64.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
26	2068	msiexec.exe
28	2068	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\mscordbi.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Reflection.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Net.NetworkInformation.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\pt-BR\System.Windows.Forms.Design.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\de\System.Windows.Forms.Design.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\es\PresentationFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Diagnostics.StackTrace.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Security.Cryptography.Csp.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Linq.Queryable.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Threading.Thread.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\cs\System.Windows.Controls.Ribbon.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\ko\UIAutomationProvider.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Text.Encoding.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\ko\System.Windows.Input.Manipulations.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\WindowsBase.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\Microsoft.DiaSymReader.Native.amd64.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.AppContext.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\ru\ReachFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\PresentationFramework-SystemData.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\pt-BR\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\hostpolicy.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\api-ms-win-core-namedpipe-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Net.Requests.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Collections.Concurrent.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Collections.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\de\Microsoft.VisualBasic.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Security.Cryptography.X509Certificates.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\api-ms-win-core-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.IO.Pipes.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\api-ms-win-core-errorhandling-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\PresentationCore.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\zh-Hant\System.Windows.Input.Manipulations.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Diagnostics.TraceSource.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.IO.Compression.Brotli.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\fr\System.Xaml.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\de\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\pl\ReachFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\es\System.Windows.Input.Manipulations.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\de\System.Windows.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\pl\WindowsFormsIntegration.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\zh-Hant\WindowsBase.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\Microsoft.Win32.SystemEvents.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\System.Windows.Forms.Primitives.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\cs\System.Windows.Forms.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Private.Uri.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.ComponentModel.EventBasedAsync.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\fr\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\PresentationFramework-SystemDrawing.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Reflection.Emit.ILGeneration.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\WindowsFormsIntegration.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\ru\PresentationUI.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.Buffers.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.ComponentModel.DataAnnotations.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\PresentationFramework.Classic.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\ko\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\cs\PresentationFramework.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\it\UIAutomationClient.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\it\PresentationCore.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\PresentationFramework-SystemXml.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\zh-Hans\System.Windows.Forms.Primitives.resources.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.ComponentModel.TypeConverter.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\mscordaccore.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.26\System.IO.Pipes.AccessControl.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.26\pt-BR\System.Windows.Forms.resources.dll	msiexec.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIDF5F.tmp	msiexec.exe
File created	C:\Windows\Installer\f77b87b.msi	msiexec.exe
File created	C:\Windows\Installer\f77b87f.ipi	msiexec.exe
File created	C:\Windows\Installer\f77b887.msi	msiexec.exe
File created	C:\Windows\Installer\f77b88b.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID364.tmp	msiexec.exe
File created	C:\Windows\Installer\f77b882.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEBB1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBDC8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f77b87c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77b882.msi	msiexec.exe
File created	C:\Windows\Installer\f77b88d.msi	msiexec.exe
File created	C:\Windows\Installer\f77b879.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77b885.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77b88b.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2E4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID912.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID9FF.tmp	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	windowsdesktop-runtime-6.0.26-win-x64.exe
File created	C:\Windows\Installer\f77b876.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77b879.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC8A4.tmp	msiexec.exe
File created	C:\Windows\Installer\f77b885.ipi	msiexec.exe
File created	C:\Windows\Installer\f77b888.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77b888.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77b876.msi	msiexec.exe
File created	C:\Windows\Installer\f77b87c.msi	msiexec.exe
File created	C:\Windows\Installer\f77b881.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77b87f.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
2312	windowsdesktop-runtime-6.0.26-win-x64.exe
2660	windowsdesktop-runtime-6.0.26-win-x64.exe

Loads dropped DLL 9 IoCs

pid	Process
2056	windowsdesktop-runtime-6.0.26-win-x64.exe
2312	windowsdesktop-runtime-6.0.26-win-x64.exe
2312	windowsdesktop-runtime-6.0.26-win-x64.exe
1160	MsiExec.exe
1088	MsiExec.exe
2068	msiexec.exe
2068	msiexec.exe
3064	MsiExec.exe
1752	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\455ABE78200A4FE46A21F4DF6090B2B5\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\455ABE78200A4FE46A21F4DF6090B2B5\PackageCode = "33C2E225313901A4F9A53F451AD1FDCD"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F814A18DD66996043B8EE54E48C38A26\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B0FAF1CB9E058826D0E13E46DDF543B1	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\455ABE78200A4FE46A21F4DF6090B2B5\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Dependents	windowsdesktop-runtime-6.0.26-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E8DDC62AC9F52E37032336ACF1E09571	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.104.6996_x64\Dependents\{b2476903-b8da-4dcc-903f-378730bb4c48}	windowsdesktop-runtime-6.0.26-win-x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{b2476903-b8da-4dcc-903f-378730bb4c48}	windowsdesktop-runtime-6.0.26-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B1C20A1BB507F94D9FF996AC68677CF\Version = "812129112"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\455ABE78200A4FE46A21F4DF6090B2B5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.104.6996_x64\ = "{1F0EB53C-BE30-436A-BC54-FA364227A870}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64	windowsdesktop-runtime-6.0.26-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{b2476903-b8da-4dcc-903f-378730bb4c48}\ = "{b2476903-b8da-4dcc-903f-378730bb4c48}"	windowsdesktop-runtime-6.0.26-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\094F9C7997352096B7082D27C35AD959	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B1C20A1BB507F94D9FF996AC68677CF\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\455ABE78200A4FE46A21F4DF6090B2B5\SourceList\PackageName = "dotnet-host-6.0.26-win-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B1C20A1BB507F94D9FF996AC68677CF\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F814A18DD66996043B8EE54E48C38A26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\DisplayName = "Microsoft .NET Host - 6.0.26 (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\094F9C7997352096B7082D27C35AD959\455ABE78200A4FE46A21F4DF6090B2B5	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\455ABE78200A4FE46A21F4DF6090B2B5\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\windowsdesktop_runtime_48.104.6996_x64	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{b2476903-b8da-4dcc-903f-378730bb4c48}\Version = "6.0.26.33205"	windowsdesktop-runtime-6.0.26-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.104.7000_x64\ = "{1A02C1B1-05BB-49F7-9DFF-99A66C6877FC}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\SourceList\PackageName = "windowsdesktop-runtime-6.0.26-win-x64.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B1C20A1BB507F94D9FF996AC68677CF\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F814A18DD66996043B8EE54E48C38A26\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F814A18DD66996043B8EE54E48C38A26\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\PackageCode = "7FB81F93764F6B944A7BE9E9C514088C"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{b2476903-b8da-4dcc-903f-378730bb4c48}\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.26 (x64)"	windowsdesktop-runtime-6.0.26-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B1C20A1BB507F94D9FF996AC68677CF\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\ = "{87EBA554-A002-4EF4-A612-4FFD06092B5B}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\windowsdesktop_runtime_48.104.6996_x64	windowsdesktop-runtime-6.0.26-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.104.6996_x64\Dependents	windowsdesktop-runtime-6.0.26-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B1C20A1BB507F94D9FF996AC68677CF\ProductName = "Microsoft .NET Runtime - 6.0.26 (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B1C20A1BB507F94D9FF996AC68677CF\PackageCode = "8666D9FFC1D439440BA6E12A644A7773"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F814A18DD66996043B8EE54E48C38A26\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\455ABE78200A4FE46A21F4DF6090B2B5\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\E8DDC62AC9F52E37032336ACF1E09571\C35BE0F103EBA634CB45AF6324728A07	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B1C20A1BB507F94D9FF996AC68677CF\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_runtime_48.104.7000_x64	windowsdesktop-runtime-6.0.26-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F814A18DD66996043B8EE54E48C38A26\SourceList\PackageName = "dotnet-hostfxr-6.0.26-win-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C35BE0F103EBA634CB45AF6324728A07\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F814A18DD66996043B8EE54E48C38A26\ProductName = "Microsoft .NET Host FX Resolver - 6.0.26 (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F814A18DD66996043B8EE54E48C38A26\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B0FAF1CB9E058826D0E13E46DDF543B1\F814A18DD66996043B8EE54E48C38A26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\windowsdesktop_runtime_48.104.6996_x64\DisplayName = "Microsoft Windows Desktop Runtime - 6.0.26 (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\Version = "812129108"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C35BE0F103EBA634CB45AF6324728A07\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AC19E5024C75C4B778E37867AEE4FBE3\1B1C20A1BB507F94D9FF996AC68677CF	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F814A18DD66996043B8EE54E48C38A26	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\455ABE78200A4FE46A21F4DF6090B2B5\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C35BE0F103EBA634CB45AF6324728A07	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1B1C20A1BB507F94D9FF996AC68677CF\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\455ABE78200A4FE46A21F4DF6090B2B5\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F814A18DD66996043B8EE54E48C38A26\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F814A18DD66996043B8EE54E48C38A26\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Version = "48.104.7000"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2932	chrome.exe
2932	chrome.exe
2068	msiexec.exe
2068	msiexec.exe
2068	msiexec.exe
2068	msiexec.exe
2068	msiexec.exe
2068	msiexec.exe
2068	msiexec.exe
2068	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeIncreaseQuotaPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeRestorePrivilege	2068	msiexec.exe
Token: SeTakeOwnershipPrivilege	2068	msiexec.exe
Token: SeSecurityPrivilege	2068	msiexec.exe
Token: SeCreateTokenPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeAssignPrimaryTokenPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeLockMemoryPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeIncreaseQuotaPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeMachineAccountPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeTcbPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeSecurityPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeTakeOwnershipPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeLoadDriverPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeSystemProfilePrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeSystemtimePrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeProfSingleProcessPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeIncBasePriorityPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeCreatePagefilePrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeCreatePermanentPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeBackupPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeRestorePrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeShutdownPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeDebugPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeAuditPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe
Token: SeSystemEnvironmentPrivilege	2660	windowsdesktop-runtime-6.0.26-win-x64.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2312	windowsdesktop-runtime-6.0.26-win-x64.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2312	2056	windowsdesktop-runtime-6.0.26-win-x64.exe	28
PID 2056 wrote to memory of 2312	2056	windowsdesktop-runtime-6.0.26-win-x64.exe	28
PID 2056 wrote to memory of 2312	2056	windowsdesktop-runtime-6.0.26-win-x64.exe	28
PID 2056 wrote to memory of 2312	2056	windowsdesktop-runtime-6.0.26-win-x64.exe	28
PID 2056 wrote to memory of 2312	2056	windowsdesktop-runtime-6.0.26-win-x64.exe	28
PID 2056 wrote to memory of 2312	2056	windowsdesktop-runtime-6.0.26-win-x64.exe	28
PID 2056 wrote to memory of 2312	2056	windowsdesktop-runtime-6.0.26-win-x64.exe	28
PID 2932 wrote to memory of 3008	2932	chrome.exe	32
PID 2932 wrote to memory of 3008	2932	chrome.exe	32
PID 2932 wrote to memory of 3008	2932	chrome.exe	32
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 2992	2932	chrome.exe	34
PID 2932 wrote to memory of 1292	2932	chrome.exe	35
PID 2932 wrote to memory of 1292	2932	chrome.exe	35
PID 2932 wrote to memory of 1292	2932	chrome.exe	35
PID 2932 wrote to memory of 3064	2932	chrome.exe	36
PID 2932 wrote to memory of 3064	2932	chrome.exe	36
PID 2932 wrote to memory of 3064	2932	chrome.exe	36
PID 2932 wrote to memory of 3064	2932	chrome.exe	36
PID 2932 wrote to memory of 3064	2932	chrome.exe	36
PID 2932 wrote to memory of 3064	2932	chrome.exe	36
PID 2932 wrote to memory of 3064	2932	chrome.exe	36
PID 2932 wrote to memory of 3064	2932	chrome.exe	36
PID 2932 wrote to memory of 3064	2932	chrome.exe	36
PID 2932 wrote to memory of 3064	2932	chrome.exe	36
PID 2932 wrote to memory of 3064	2932	chrome.exe	36
PID 2932 wrote to memory of 3064	2932	chrome.exe	36

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.26-win-x64.exe
"C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.26-win-x64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\Temp\{62B97FD8-3841-4E8C-91C4-472B34DD6941}\.cr\windowsdesktop-runtime-6.0.26-win-x64.exe
  "C:\Windows\Temp\{62B97FD8-3841-4E8C-91C4-472B34DD6941}\.cr\windowsdesktop-runtime-6.0.26-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.26-win-x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  PID:2312
- - C:\Windows\Temp\{84466CD7-7A48-470D-A6BA-A76C99476ED6}\.be\windowsdesktop-runtime-6.0.26-win-x64.exe
    "C:\Windows\Temp\{84466CD7-7A48-470D-A6BA-A76C99476ED6}\.be\windowsdesktop-runtime-6.0.26-win-x64.exe" -q -burn.elevated BurnPipe.{9BE8402E-64F3-4DE9-B9AA-0022AE04F0BB} {EAD91ED9-DB88-46BD-A8A3-0EA42A2BE433} 2312
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2660

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5c29758,0x7fef5c29768,0x7fef5c29778
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1104,i,14177660261377174223,17124117699791023445,131072 /prefetch:2
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1104,i,14177660261377174223,17124117699791023445,131072 /prefetch:8
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1104,i,14177660261377174223,17124117699791023445,131072 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1104,i,14177660261377174223,17124117699791023445,131072 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2324 --field-trial-handle=1104,i,14177660261377174223,17124117699791023445,131072 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1340 --field-trial-handle=1104,i,14177660261377174223,17124117699791023445,131072 /prefetch:2
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1440 --field-trial-handle=1104,i,14177660261377174223,17124117699791023445,131072 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3456 --field-trial-handle=1104,i,14177660261377174223,17124117699791023445,131072 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3600 --field-trial-handle=1104,i,14177660261377174223,17124117699791023445,131072 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3480 --field-trial-handle=1104,i,14177660261377174223,17124117699791023445,131072 /prefetch:8
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3808 --field-trial-handle=1104,i,14177660261377174223,17124117699791023445,131072 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3536 --field-trial-handle=1104,i,14177660261377174223,17124117699791023445,131072 /prefetch:8
  2⤵
  PID:520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3584 --field-trial-handle=1104,i,14177660261377174223,17124117699791023445,131072 /prefetch:1
  2⤵
  PID:2704

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2164

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5646A542D9FC248C97D0B7E93C72F3C1
  2⤵
  - Loads dropped DLL
  PID:1160
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7127DCDF388E5C24F1DC89A7DD1BD9AA
  2⤵
  - Loads dropped DLL
  PID:1088
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 574B862253AEB26474B2BB4399278131
  2⤵
  - Loads dropped DLL
  PID:3064
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E90F9FBC0E8151345F7AD4B6DE635A4D
  2⤵
  - Loads dropped DLL
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77b87a.rbs

Filesize
55KB

MD5
8f44ca1ec49e611e18f42383202d7dbe

SHA1
1ba30ca9d8d556e5cf877c8ffcbd8446ff1dbaa8

SHA256
3bcd0b6d89d57ed336b6ea4e0a63201f9e0b569b5392d90680d1a0e4b395f251

SHA512
421ec36bede5d716eaf490adeda713ff1b7888a3d8abd0ae00a21d327842220de47778c069805ab4406a8a4fd0f8b032694095c71046a376384937d8f1cf664d

Download Submit
C:\Config.Msi\f77b880.rbs

Filesize
8KB

MD5
3f4db5af9621712bdeb95d156707e743

SHA1
3b98f03b6ba425dcf012236b85d835f24f358323

SHA256
6c29338fc3d3383fcbb97a0afd587626a1939ee8c304351adc4e75c9ba3a6bf6

SHA512
57a85f4e75f63a3c15956675a4a78d12fce7f29c6b58bfe588a9dc644cc04022fc0bd022d916bc2200b6152a6dc738b479659c2501940fc29125ee4c6b3fb71b

Download Submit
C:\Config.Msi\f77b886.rbs

Filesize
9KB

MD5
7528246d356ce8bc799614f1e8676c52

SHA1
cd17e5fb74b919508d02d9a7047a2ecebe4657ff

SHA256
86032379c0cff9c98f47862676df8ae664a9916fc043254eac4e5fd4aa1d9994

SHA512
6de94e1f26cbe5abd6769824cbb3dfa5ed5e5c37cf666a0b7fae230700645f122c8c732e2bce7f24a702369fbbe784ecd8eb09a6ab26de81aadd70b94bdad223

Download Submit
C:\Config.Msi\f77b88c.rbs

Filesize
87KB

MD5
e7786e348ed49d4c45274225d6d3a630

SHA1
5611c8e8bbc00bf9f003fddaa984403693d8e3ed

SHA256
d5650de9a794d113a4aae45533fd08ca889c5612880352f39c73da400cf277e5

SHA512
e4ba055d73a0e927186ab61dbbaf88411c7b94e4eb139cded49db5ee1a81dde929f2dac08883e5f6884ccc9cf64ab1b0fc6c30b6bef4579248b5b9b2e06dcb43

Download Submit
C:\Program Files\dotnet\LICENSE.txt

Filesize
9KB

MD5
31c5a77b3c57c8c2e82b9541b00bcd5a

SHA1
153d4bc14e3a2c1485006f1752e797ca8684d06d

SHA256
7f6839a61ce892b79c6549e2dc5a81fdbd240a0b260f8881216b45b7fda8b45d

SHA512
ad33e3c0c3b060ad44c5b1b712c991b2d7042f6a60dc691c014d977c922a7e3a783ba9bade1a34de853c271fde1fb75bc2c47869acd863a40be3a6c6d754c0a6

Download Submit
C:\Program Files\dotnet\ThirdPartyNotices.txt

Filesize
78KB

MD5
f77a4aecfaf4640d801eb6dcdfddc478

SHA1
7424710f255f6205ef559e4d7e281a3b701183bb

SHA256
d5db0ed54363e40717ae09e746dec99ad5b09223cc1273bb870703176dd226b7

SHA512
1b729dfa561899980ba8b15128ea39bc1e609fe07b30b283001fd9cf9da62885d78c18082d0085edd81f09203f878549b48f7f888a8486a2a526b134c849fd6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d0918ffb8f6e2b72b63444dfc6f4adc1

SHA1
6a1527da62d7da03870e2d712a31fa5296941e64

SHA256
3e17b34269ee6b839572da6b2a143d3d26c4fa022859d41adb540850ca511b32

SHA512
ed585556cdf5df5ff1ea3138321f5ee206b32c7eabfaa92e5f14e033ea74dd18ef4b5eb9311bedb1d37ff3d027c9e46f605e869ce34249fce530ba5d555a4b1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b074196698aa02b6c57bdd07a1a7a1e6

SHA1
b6bb9e7f620d38de80923d18f7c09974c3bbb4c1

SHA256
15487428c41c8fbc25a6b618b0d235faccc78ad6c0365f216ee0edf92aff47ee

SHA512
8e53814538cae2fde0b58a999810039b9274b5d50617c9a90057f1ef946205e14f5955a092e327cdab9a93840146d00560f2217fd2d2fbb6554309b88588213a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f7cbda6a59c619d12b4248ded352d11

SHA1
c2e0db852c229ffde6c8a98ec7ba634e84c43c74

SHA256
57859807b3d66a4cfa186b171e2f2b41d8591645eda95c51422b4ff3fd716b3d

SHA512
e6728ca2bc115aefa83edc835d1adbe07dafd6216de2976590b44a5019919da44a608c2c63a78e36ee0939f646a2813604bec75afe76be53f696b070ad177e98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
fb0b98222adc868f1e29779308d27511

SHA1
6ab32c929bf80f20d2fe2fd27a4ba45147b7fc9c

SHA256
f4a4ed2f8f06fd669cd40987ba8a72fc50cf3e50b6487c671ffe7cb6c57ab328

SHA512
31bb88b9710c88b3be73ee7f7f5892b7b9ea354fcd167f1308c56e37c05e7c80d36640405979cdaaa2cf67f859bb4a2f5ed7b907dcd1038aa100a77d71cfbf4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
27200721d10121d965472b0b10ed626c

SHA1
e3e6061730c9b21861ecc2d7730a64b89c3ff54a

SHA256
fbfff5591ebe87ee34ff6b5ee5747e9c063e0fc52fce316f09ec18ef6c08c072

SHA512
94d71fb84fc95662350dda3a50dd4b7c6b24d348d4188885bb18ff5b847582c78043a9975d7f9f9413ee1ac4db27245855236609b03ae2baa37ec4730e350170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d4e46769-e2ba-441e-b805-70a920a02ee1.tmp

Filesize
231KB

MD5
eafd90b8ab7b25f877d5ebf867bcaf67

SHA1
11fcebdfa98602f6d5f42d06100036cb12a53439

SHA256
5c1b4afb928d2be99e7d185bd21fb0bb0b3a56323da9ff0c998f6031d76b0402

SHA512
09dd65053b36284048818674c2192fa955f6860a4def5ea945cc2d8accc29256ea518af6cc5df6af9b0a368bbfc0b0a5a87fb8442d73c30a410c2c7957ab6946

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB962.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.26_(x64)_20240201113148_000_dotnet_runtime_6.0.26_win_x64.msi.log

Filesize
2KB

MD5
a3fa9015bfb8ccc24ad658e4d3bb7989

SHA1
4832bdff7e184236e840089fc4b1a02a9bedee33

SHA256
35fb69a1011beb58bd16d62015180b6656514ee852221ac2988b64d324372d34

SHA512
76ff30a964e6b03803aa2f29e89dea0296b07c32e6c34392c0460f4cccd542568b74f917519ecac7bbcbee59d15ee83e279f6b773f5efca9c49ec5918281df06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.26_(x64)_20240201113148_001_dotnet_hostfxr_6.0.26_win_x64.msi.log

Filesize
2KB

MD5
7eb37f83937fff70a6e157c789f3bbe7

SHA1
292b2d2fc863d939b3f104a3c4522012b1cd2699

SHA256
df6fdf950054e5bf27af7c8a4bbfe634dbe13d92786b956001f4c61d41064842

SHA512
ccdac7e66c34f7c6010073e78e196ec9ff373ca6cce07100e2ba5923fcc1fd00e632f9ce62301f35e29c41b1abdc5680292a30bdd79fd4473a5233c0197e212f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.26_(x64)_20240201113148_002_dotnet_host_6.0.26_win_x64.msi.log

Filesize
2KB

MD5
f0249c757076eece9ef1a6a8ba37202e

SHA1
a2ad60ba7b797e6e79a375334184350bdb73dff1

SHA256
a854db2a618926de7a140c4736793fa34e606a02af2368ec46fc91c6dd12b45c

SHA512
19ca35fc221e2a1b0b194d01500ed1b6213d7b63398d45343d99b58929211e570768a75b5710b2a0b73322ffe5a4f24a355f6e57c7c1bb62dbb77b5fa75cbdb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.26_(x64)_20240201113148_003_windowsdesktop_runtime_6.0.26_win_x64.msi.log

Filesize
2KB

MD5
1a6270789e1323e30c7d5c014842393f

SHA1
cd52140560ea42861de2fc6da8c487d76dff8367

SHA256
6e89298d46a2d4b0150b57076ff3c60ed3f7af451274f714f720ac157cac4a77

SHA512
45464c02a1b56df2bc9e493f3edca2b926d9e25fb43e23e03a9cb4fd36d8efbb8eea673772a047a22aaf87d824a28700ff54f44334c083ddabc01d73a2d4cf89

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB975.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\Installer\MSIC8A4.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\f77b87b.msi

Filesize
995KB

MD5
bbb43459d48b6dfbbec410f7ca9e5ed5

SHA1
0c4638267b8d749da4660fa00913b918eadcad87

SHA256
c463d592c604384f239e43a25e8f034072b5e5ee2b812a3497fcc613099eb0d4

SHA512
532de378088cadc9565fa14d588b250ca335719c77f0f0fa71aaa12d231c1f72cc6e7026749a710ceb53406444477c44a815b47973b458d1002efb9478a65a24

Download Submit
C:\Windows\Installer\f77b88d.msi

Filesize
959KB

MD5
77cab093d34c695fda3f26bc51515913

SHA1
4d0fa12a7f90f37c340c3959ec52e3ef455616a0

SHA256
ed34c60c30c619464c74ab8e3bcfed5e82e03af74e6081d0d1d883cf721486f8

SHA512
26397201eb812c5cf60e945dbab11aa3615f64232844e93daa990d0fa15a2775321bd94d72bb568b0cf7681a18b717f31fc5546463a2b8711c2895af734d43c6

Download Submit
C:\Windows\Temp\{84466CD7-7A48-470D-A6BA-A76C99476ED6}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
C:\Windows\Temp\{84466CD7-7A48-470D-A6BA-A76C99476ED6}\dotnet_host_6.0.26_win_x64.msi

Filesize
736KB

MD5
2975110113299f19f0d32be131b7b2f4

SHA1
ce6d9b72878e510b38cc5d0064fda7eb08d93d90

SHA256
d09987771e1a930bfa35c0db1e0ac70c76a7eb8e59247437ea326ee29002c4d0

SHA512
b6de60e3fc5332704a6d7b8c17357aeb5bdf3028895cbcfb4bd66d10fbc47ad70d5eff9e533ee6275baee461f9bddc6c0ada4f76e84e5366d48353d7de314506

Download Submit
C:\Windows\Temp\{84466CD7-7A48-470D-A6BA-A76C99476ED6}\dotnet_hostfxr_6.0.26_win_x64.msi

Filesize
804KB

MD5
51ada9b6c77551b7a3ea5832acc92aa2

SHA1
b25835b87d89e2a49dd9ff44d6809c6d50abad19

SHA256
7de32d48fc2f2c65eccff56f0150f800ea3df87c2bd6f42d703d74e1c5fb0aaa

SHA512
5ea9b87735d0450b5493c8683214f6054d5fb8e77ed7a82d75bea39bdee59b3bb5a67512131b7db5e9c78cbabc8ff1b1d2fe6d0971b7b36a85fd8b4ade88c53f

Download Submit
C:\Windows\Temp\{84466CD7-7A48-470D-A6BA-A76C99476ED6}\dotnet_runtime_6.0.26_win_x64.msi

Filesize
3.0MB

MD5
269bf27e6ae3887e1d8efab8b47e0fd5

SHA1
35dba32c1c691aced4cda70ab253194d3c4fb63a

SHA256
3914d3f64c3f935221f43150a34f0bbef33702fa0e8d863f610e812f10e00fc3

SHA512
1c2f5fa7ee2c0cb5c6e703651d5ef62a26597a6e30c73232e4cdc394187846ec809ab7a8cc95adad9be52f8e393fa913c8532f679e6e8471d1ca57db5fbb8859

Download Submit
C:\Windows\Temp\{84466CD7-7A48-470D-A6BA-A76C99476ED6}\windowsdesktop_runtime_6.0.26_win_x64.msi

Filesize
1014KB

MD5
96ecbffdf43ceda16364a6d26c27011b

SHA1
22509ee92644d09a6b8b3160548c485068571e45

SHA256
d8b6d7c86a59cbb8a0d5cc1cf688b0c0ac7c42e78e4c4aa75828cda2db7e9f70

SHA512
3df01bfc8594ff4057246d9499fee1e6f57c6b7dc5f3cbd1f9fcd54d71b3c0f38d90343a4483a42369733e74da8b9440cfadc34435e2a9c242818460bad8276a

Download Submit
\Program Files\dotnet\dotnet.exe

Filesize
134KB

MD5
202ba3faeb62985736e0ef73673acd9f

SHA1
3fdbcdf5243c12c123592f73ec65f994191fbdfd

SHA256
76a02c39c5b3aace62365f1ab893acfb4451cd82eb04bfb5755d888fe70ceb75

SHA512
24fa302618189214700af9e65253f223b37ba8451eeed7fa00ac8e2a57692eb80617cf77f1a72f6b722f94eaee7259a66076ce953b284ae42e001e1e6dae0ee6

Download Submit
\Windows\Temp\{62B97FD8-3841-4E8C-91C4-472B34DD6941}\.cr\windowsdesktop-runtime-6.0.26-win-x64.exe

Filesize
610KB

MD5
5bbbb2ba4b75d5e5a9d7652c8751d381

SHA1
738739ded497bbccd5fb2d591cf44da8da875cb9

SHA256
7bb5639fcf35a5c8bac2867fbe6670aa3511367a06e8b094cff7aa13debd4d2f

SHA512
119c69e611ca329439c08695420062fcb8dde03f05c9bc0438da924ca38f99eee9530a0a8ab9cafe760e76ef1654077d019ef9aa13adbc4cf2df60c537b1f4e1

Download Submit
\Windows\Temp\{84466CD7-7A48-470D-A6BA-A76C99476ED6}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit