Malware Analysis Report

2025-08-11 06:04

Sample ID 240222-wq7flsde5w
Target NovaInstaller.exe
SHA256 b8b96d300bf7ac2d39d20bfcfe77ad3dde7214323b503850b8d131266ba68573
Tags
discovery persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b8b96d300bf7ac2d39d20bfcfe77ad3dde7214323b503850b8d131266ba68573

Threat Level: Likely malicious

The file NovaInstaller.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks installed software on the system

Program crash

Enumerates physical storage devices

Unsigned PE

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 18:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 18:08

Reported

2024-02-22 18:14

Platform

win7-20240221-en

Max time kernel

136s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"

Signatures

Downloads MZ/PE file

Checks installed software on the system

discovery

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data not shown on this page) C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data not shown on this page) C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data not shown on this page) C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe N/A
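
What this signature actually records: the Blob value is the CERT_BLOB serialisation Windows uses under SystemCertificates, a run of (property id, 1, length, data) entries. The friendly-name property in the value logged above decodes to "DST Root CA X3", and the key name DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is that root's published SHA-1 thumbprint; the other two key names are the published thumbprints of DigiCert Global Root CA (A8985D3A...) and ISRG Root X1 (CABD2A79...). AuthRoot keys for well-known public roots, the CryptnetUrlCache writes listed under Files, and the connection to apps.identrust.com (IdenTrust's CRL/AIA host) in the Network table are what Windows' automatic root update produces the first time a TLS chain is built on a fresh VM, so on its own this signature is not evidence of a rogue CA being installed. The check that settles it is to decode the Blob and confirm that the embedded certificate hashes to the key name. The Python below does that for the value logged above; it is an added example, not part of the sandbox report, and the CERT_*_PROP_ID constants and the entry layout are those of wincrypt.h as confirmed by the logged data.

```python
"""Decode a SystemCertificates ...\\<thumbprint>\\Blob value and verify the certificate it carries."""
import hashlib
import struct
from datetime import datetime, timezone

CERT_SHA1_HASH_PROP_ID, CERT_FRIENDLY_NAME_PROP_ID, CERT_CERT_PROP_ID = 3, 11, 32  # wincrypt.h

# X.501 Name "O=Digital Signature Trust Co., CN=DST Root CA X3": issuer and subject of the self-signed root.
NAME = ("303f31243022060355040a131b4469676974616c205369676e6174757265205472757374"
        "20436f2e311730150603550403130e44535420526f6f74204341205833")

# DER certificate carried as property 32, copied from the logged value and split at structure boundaries.
DER_HEX = "".join([
    "3082034a30820232a003020102021044afb080d6a327ba893039862ef8406b",  # Certificate, tbsCertificate, v3, serialNumber
    "300d06092a864886f70d0101050500",                                  # sha1WithRSAEncryption
    NAME,                                                              # issuer
    "301e170d3030303933303231313231395a170d3231303933303134303131355a",  # validity 000930211219Z .. 210930140115Z
    NAME,                                                              # subject
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100",  # SubjectPublicKeyInfo, rsaEncryption, modulus header
    "dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8c",
    "e5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f",
    "48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec",
    "1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d",
    "0203010001",                                                      # publicExponent 65537
    "a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106",  # basicConstraints CA:TRUE, keyUsage
    "301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910",  # subjectKeyIdentifier
    "300d06092a864886f70d01010505000382010100",                        # signatureAlgorithm, signatureValue header
    "a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db",
    "6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7",
    "167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc",
    "02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510",
])

# The full Blob value as logged: <DWORD propid><DWORD 1><DWORD cb><cb bytes> entries, little-endian.
BLOB_HEX = "".join([
    "0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d",  # 15 CERT_SIGNATURE_HASH_PROP_ID
    "0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000",  # 11 friendly name, UTF-16LE
    "090000000100000016000000301406082b0601050507030406082b06010505070301",  # 9 enhanced key usage
    "140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910",  # 20 key identifier
    "1d00000001000000100000004558d512eecb27464920897de7b66053",          # 29 subject name MD5
    "030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13",  # 3 SHA-1 thumbprint
    "20000000010000004e030000",                                          # 32 CERT_CERT_PROP_ID, 0x34e = 846 bytes follow
    DER_HEX,
])


def parse_cert_blob(blob: bytes) -> dict:
    """Split a CERT_BLOB into {property id: data}; raise on truncation."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError("property %d runs past the end of the blob" % prop_id)
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def der_tlv(data: bytes, off: int = 0):
    """Decode one DER TLV at `off`; return (tag, value, offset after it)."""
    tag, length, off = data[off], data[off + 1], off + 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(data[off:off + n], "big"), off + n
    return tag, data[off:off + length], off + length


def cert_validity(der: bytes):
    """Return (notBefore, notAfter) of an X.509 certificate (UTCTime only)."""
    _, cert, _ = der_tlv(der)              # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert)              # tbsCertificate SEQUENCE
    tag, _, off = der_tlv(tbs)             # optional [0] EXPLICIT version
    if tag != 0xA0:
        off = 0
    for _ in range(3):                     # serialNumber, signature, issuer
        _, _, off = der_tlv(tbs, off)
    _, validity, _ = der_tlv(tbs, off)
    _, not_before, off = der_tlv(validity)
    _, not_after, _ = der_tlv(validity, off)
    utc = lambda t: datetime.strptime(t.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return utc(not_before), utc(not_after)


def analyse_blob(blob_hex: str, key_name: str) -> dict:
    """Decode the Blob and compare the embedded certificate with the registry key name."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    sha1 = hashlib.sha1(der).digest()
    not_before, not_after = cert_validity(der)
    return {
        "property_ids": sorted(props),
        "friendly_name": props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\x00"),
        "thumbprint": sha1.hex().upper(),
        "key_name_matches": sha1.hex().upper() == key_name.upper(),
        "prop3_matches": props.get(CERT_SHA1_HASH_PROP_ID) == sha1,
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "der_len": len(der),
    }


if __name__ == "__main__":
    for k, v in analyse_blob(BLOB_HEX, "DAC9024F54D8F6DF94935FB1732638CA6AD77C13").items():
        print(f"{k}: {v}")
```

Run against the value above, the SHA-1 of the embedded DER equals the key name and the property-3 hash, the friendly name is DST Root CA X3, and the validity ends 2021-09-30, which is why the chain fetch went to IdenTrust: the sample's TLS endpoint still chains to that (expired) root on Windows 7. A Blob whose DER hashes to something other than its key name, or whose subject is not a public root, is the case where this signature deserves its evasion tag.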

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 3044 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe
PID 3044 wrote to memory of 2016 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe C:\Windows\Temp\{74F6B4B3-3348-4780-988B-D6C3545657F6}\.cr\dotnet-sdk-6.0.405-win-x64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe

"dotnet-sdk-6.0.405-win-x64.exe" /install /quiet

C:\Windows\Temp\{74F6B4B3-3348-4780-988B-D6C3545657F6}\.cr\dotnet-sdk-6.0.405-win-x64.exe

"C:\Windows\Temp\{74F6B4B3-3348-4780-988B-D6C3545657F6}\.cr\dotnet-sdk-6.0.405-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe" -burn.filehandle.attached=184 -burn.filehandle.self=192 /install /quiet

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\.be\dotnet-sdk-6.0.413-win-x86.exe

"C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\.be\dotnet-sdk-6.0.413-win-x86.exe" -q -burn.elevated BurnPipe.{1E63B446-54C0-423D-ACE8-EC71E2163403} {F664BABF-F589-4FB9-BE0B-9B5C3C1FDAD8} 2016

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DC31C1B2856C56B7BADF5553F3DD767B

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 91504D7D5146B2D4D0B6D000D7152088

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A7DFD924C7A399D9AB7181DC9629DD3B

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 89A1AD49A721AA2251F54359E45F34A8

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 028824270FFB55DB1C99D6C45F7F1C0F

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 86789C29DF5ECE5333C06C81C24E9C0E
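
The dotnet-sdk command lines above follow the WiX Burn bootstrapper conventions: the bundle copies itself to a clean room under C:\Windows\Temp\{GUID}\.cr and passes the original path in -burn.clean.room, then starts an elevated engine from a .be directory with -burn.elevated <pipe name> <secret> <parent pid>. The trailing 2016 is the PID of the clean-room engine, which is also the target of the second WriteProcessMemory row (3044 wrote to 2016). msiexec.exe /V is the Windows Installer service and each MsiExec.exe -Embedding <32 hex> line is a custom-action server it spawned. The Python below, an added example rather than anything from the report, parses those command lines into roles and checks the elevation handshake against the WriteProcessMemory rows; the role names are this example's own.

```python
"""Classify an installer chain's command lines and cross-check the WiX Burn elevation handshake."""
import re

# Command lines copied from the Processes section of behavioral1.
PROCESS_LIST = [
    r'"C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"',
    r'"dotnet-sdk-6.0.405-win-x64.exe" /install /quiet',
    r'"C:\Windows\Temp\{74F6B4B3-3348-4780-988B-D6C3545657F6}\.cr\dotnet-sdk-6.0.405-win-x64.exe"'
    r' -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe"'
    r' -burn.filehandle.attached=184 -burn.filehandle.self=192 /install /quiet',
    r'"C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\.be\dotnet-sdk-6.0.413-win-x86.exe"'
    r' -q -burn.elevated BurnPipe.{1E63B446-54C0-423D-ACE8-EC71E2163403} {F664BABF-F589-4FB9-BE0B-9B5C3C1FDAD8} 2016',
    r'C:\Windows\system32\msiexec.exe /V',
    r'C:\Windows\syswow64\MsiExec.exe -Embedding DC31C1B2856C56B7BADF5553F3DD767B',
    r'C:\Windows\syswow64\MsiExec.exe -Embedding 91504D7D5146B2D4D0B6D000D7152088',
    r'C:\Windows\syswow64\MsiExec.exe -Embedding A7DFD924C7A399D9AB7181DC9629DD3B',
    r'C:\Windows\syswow64\MsiExec.exe -Embedding 89A1AD49A721AA2251F54359E45F34A8',
    r'C:\Windows\syswow64\MsiExec.exe -Embedding 028824270FFB55DB1C99D6C45F7F1C0F',
    r'C:\Windows\syswow64\MsiExec.exe -Embedding 86789C29DF5ECE5333C06C81C24E9C0E',
]
# (writer pid, target pid) pairs from the "Suspicious use of WriteProcessMemory" rows.
WRITE_PROCESS_MEMORY = [(1736, 3044), (3044, 2016)]

ELEVATED = re.compile(r"-burn\.elevated\s+(BurnPipe\.\{[0-9A-Fa-f-]+\})\s+(\{[0-9A-Fa-f-]+\})\s+(\d+)")
CLEAN_ROOM = re.compile(r'-burn\.clean\.room="([^"]+)"')
CA_SERVER = re.compile(r"msiexec\.exe\s+-Embedding\s+([0-9A-F]{32})\s*$", re.I)
MSI_SERVICE = re.compile(r"msiexec\.exe\s+/V\s*$", re.I)
INSTALL_SWITCH = re.compile(r"\s/(install|uninstall|repair|quiet|passive)\b", re.I)
SILENT = re.compile(r"\s(/quiet|-q)\b", re.I)


def image_path(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def classify(cmdline: str) -> dict:
    """Assign one role per command line; the most specific Burn/MSI pattern wins."""
    rec = {"image": image_path(cmdline), "role": "other", "silent": bool(SILENT.search(cmdline))}
    if m := ELEVATED.search(cmdline):
        rec.update(role="burn_elevated", pipe=m[1], secret=m[2], parent_pid=int(m[3]))
    elif m := CLEAN_ROOM.search(cmdline):
        rec.update(role="burn_clean_room", original=m[1])
    elif m := CA_SERVER.search(cmdline):
        rec.update(role="msiexec_ca_server", clsid=m[1])
    elif MSI_SERVICE.search(cmdline):
        rec["role"] = "msiexec_service"
    elif INSTALL_SWITCH.search(cmdline):
        rec["role"] = "burn_bundle"
    return rec


def chain_summary(cmdlines, wpm_edges) -> dict:
    """Roll the classified lines up into the facts an analyst wants to confirm."""
    recs = [classify(c) for c in cmdlines]
    by_role = {}
    for r in recs:
        by_role.setdefault(r["role"], []).append(r)
    elevated = by_role.get("burn_elevated", [{}])[0]
    clean = by_role.get("burn_clean_room", [{}])[0]
    # The elevated engine is handed the pid of the unelevated engine that spawned it;
    # in this report that engine is the last WriteProcessMemory target in the chain.
    last_target = wpm_edges[-1][1] if wpm_edges else None
    parent = elevated.get("parent_pid")
    return {
        "roles": [r["role"] for r in recs],
        "clean_room_original": clean.get("original"),
        "elevated_parent_pid": parent,
        "handshake_consistent": parent is not None and parent == last_target,
        "ca_server_count": len(by_role.get("msiexec_ca_server", [])),
        "all_burn_silent": all(r["silent"] for r in recs if r["role"].startswith("burn_")),
    }


if __name__ == "__main__":
    for k, v in chain_summary(PROCESS_LIST, WRITE_PROCESS_MEMORY).items():
        print(f"{k}: {v}")
```

The useful output is the pair clean_room_original / elevated_parent_pid: it ties the elevated x86 engine in the .be directory back to the file dropped in the user's Temp, so the "Executes dropped EXE" and WriteProcessMemory findings collapse to one installer run. The same regexes are what a detection rule would need to exclude a Burn bundle's self-relaunch without also excluding arbitrary process injection.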

Network

Country Destination Domain Proto
US 8.8.8.8:53 launcher.novafn.dev udp
US 104.21.68.13:443 launcher.novafn.dev tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 nova.blksservers.com udp
US 67.227.226.240:443 nova.blksservers.com tcp
US 8.8.8.8:53 aka.ms udp
GB 2.19.170.177:443 aka.ms tcp
US 8.8.8.8:53 download.visualstudio.microsoft.com udp
FR 68.232.34.200:443 download.visualstudio.microsoft.com tcp

Files

memory/1736-5-0x0000000180000000-0x0000000180A25000-memory.dmp

memory/1736-9-0x000000013F8D0000-0x00000001401FD000-memory.dmp

memory/1736-8-0x0000000024040000-0x0000000024FC8000-memory.dmp

memory/1736-12-0x0000000023000000-0x0000000023228000-memory.dmp

memory/1736-15-0x0000000022DC0000-0x0000000022F1E000-memory.dmp

memory/1736-21-0x00000000228B0000-0x00000000228EE000-memory.dmp

memory/1736-18-0x0000000002200000-0x0000000002244000-memory.dmp

memory/1736-24-0x0000000024FD0000-0x0000000025812000-memory.dmp

memory/1736-27-0x0000000022980000-0x0000000022A00000-memory.dmp

memory/1736-30-0x0000000001C30000-0x0000000001C3D000-memory.dmp

memory/1736-36-0x0000000002250000-0x0000000002263000-memory.dmp

memory/1736-33-0x0000000001C40000-0x0000000001C45000-memory.dmp

memory/1736-39-0x0000000001C20000-0x0000000001C27000-memory.dmp

memory/1736-42-0x0000000001FF0000-0x0000000002009000-memory.dmp

memory/1736-48-0x0000000022A00000-0x0000000022A40000-memory.dmp

memory/1736-54-0x00000000228F0000-0x0000000022902000-memory.dmp

memory/1736-51-0x0000000022930000-0x0000000022948000-memory.dmp

memory/1736-45-0x0000000022910000-0x0000000022926000-memory.dmp

memory/1736-60-0x0000000023650000-0x0000000023744000-memory.dmp

\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\PresentationNative_cor3.dll

MD5 6bf625abcb6feca06dcfef0add5a48f5
SHA1 198bd2f5e8aad9929b3d28eac56d1c49ed467839
SHA256 c28d7675c710a6d3ac4fb2177eab122440a1fed9491d52d9b9f378e997d50fb8
SHA512 5453a204a8128eef48eef902bd63376b574864428c0bc63ecf956065f0bea18d6d5cac8906736ce7212ce04641c3010d9c2084c7f3d86310ac57dcf2de40c1a6

memory/1736-63-0x0000000002270000-0x0000000002278000-memory.dmp

memory/1736-66-0x0000000022F20000-0x0000000022F67000-memory.dmp

memory/1736-69-0x0000000022950000-0x000000002297A000-memory.dmp

memory/1736-72-0x0000000026040000-0x000000002685C000-memory.dmp

\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\D3DCompiler_47_cor3.dll

MD5 964f19583fa0164127ed1fe2cc606a55
SHA1 c1527b6b5762bbe5767be449eddf50b3db9d0f24
SHA256 84e337daff3fb7bad032a273dfdc2d9fffbdf260166d4383e5518005f7601242
SHA512 bad93a91691df9c19b1f798dce9ca85b5994255f979fd3ddf5145e6e0364d3fb2d3ad9614bb56c6c35874817aba1090f3774c17900bd9ea7be5659a2ad679569

\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\wpfgfx_cor3.dll

MD5 9c828f9cca7da40407bfe9521bae6402
SHA1 da09914b5a96c3ddf038e3cb176a8b5f31d71ae8
SHA256 7f9d0cd50f10c55848027e1fb9d7d780ebbf1eadbb5edd899f2af359aa9681e8
SHA512 01db920eb96999cb83d0e42c20ceb19b7aaed3d3c4ed71e26528cf05f8751f53885faab5255025c26ea4d1d479a460fc797d102dd22aebb550bd85f0748b6c0b

memory/1736-125-0x0000000023230000-0x000000002323A000-memory.dmp

memory/1736-128-0x0000000023230000-0x000000002323A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabACC5.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarAD74.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f1d3c9fc3518fe493fb5c526ab0e2e47
SHA1 6d45fbc2768e788fc354f419ba9fcb0921fab84b
SHA256 78d9636ff91945819c36b950983a391f8f7deb63485879cfd671965efcde5a30
SHA512 25b430ab6c26d630289e0691b985f60a3c95e913a41a2f8c9900c9f64535da4377b5b1800b76d4e1d94d256a4c906195debc29eb79f0e4088f14ff9161732ba5

memory/1736-246-0x000000013F8D0000-0x00000001401FD000-memory.dmp

memory/1736-247-0x0000000023230000-0x000000002323A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe

MD5 a965bd9aac61c3e294d5bfff7a9e66e8
SHA1 bd2f831c210dd4e99c211fa4aae7e0892e567dcb
SHA256 778caf178b4e6d474f0774e1a770a801d1c2c939d2861a0eef95616a0fafc607
SHA512 dd4682b65a8944139b589b59848c75e0ec994d86399ea1f044a37e8c859afa23fb419a3211aa9394fa4a0f320aaf506bd41947f9d7aeb6a7543505f00bef65a4

C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe

MD5 10e24783d7998334d58d4a26b4a73895
SHA1 6e9c083ceab9d410700ecb8384eb30f0bb10104a
SHA256 249ddaef6e008e919116d0755d98ecd70b5148d862863a5568236b46416f720d
SHA512 24a4b72b8259dfd2f16875dcad679517896450bba9f14105f0d59ab99fc0a43f4d659746829ca95c8094f8e2823798e4faab113ebc502bdce9b8b1d7a66e7715

\Windows\Temp\{74F6B4B3-3348-4780-988B-D6C3545657F6}\.cr\dotnet-sdk-6.0.405-win-x64.exe

MD5 3650f7384797d5ca0748ec469a0c2bf3
SHA1 2357776a8f0762df3bf3b338ff06e15cbae0e38f
SHA256 b368ed64388a9d621859119a77d08122c366df54fb96dc850e06da25470fe351
SHA512 866500eeb9a39ee3191d0b95f2baf353b341168aa73804a10a20215c1f1fb7ce620f3ca9424bde7288b85d764cdd1282807da46071a4535f51eb36dda5876f7a

C:\Windows\Temp\{74F6B4B3-3348-4780-988B-D6C3545657F6}\.cr\dotnet-sdk-6.0.405-win-x64.exe

MD5 21b927a31564d5334f1b4f63c50f5c3e
SHA1 ae31618a84feb0f7df08a5a0a5259541eda0f5ac
SHA256 8db1fa39a941807d4108fcf1ef716b69591b512db9f11ab0fba76ed863ce04d2
SHA512 e26e62f159aba42589813defd2f02950181e2500246fb756142d01f242cf85b680217ae8804e43f7e0063da1e1634740b92a1b5f32e538a9f4175c2f260630c3

C:\Windows\Temp\{74F6B4B3-3348-4780-988B-D6C3545657F6}\.cr\dotnet-sdk-6.0.405-win-x64.exe

MD5 90efbc4f55a9b9aad3cfaa06cb18a29a
SHA1 4329a81043869419ce52d5ff8ed637bf16f2857c
SHA256 5e47dcd5f06e6e6d3f48adcaeabeb71ee9d5708e6f7fa309c1792ece163f7023
SHA512 081902f9b5bc3b5882b8ae2c4ff68c22d6fc5efa4ef1165a13f5adc26087c4dc3d0b5cae2f1bbf0e02efad4e3a82fa48ffde4d6f496c67abeea2e03cf3e74a8b

\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\.ba\wixstdba.dll

MD5 4356ee50f0b1a878e270614780ddf095
SHA1 b5c0915f023b2e4ed3e122322abc40c4437909af
SHA256 41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104
SHA512 b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\.ba\bg.png

MD5 9eb0320dfbf2bd541e6a55c01ddc9f20
SHA1 eb282a66d29594346531b1ff886d455e1dcd6d99
SHA256 9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA512 9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\.be\dotnet-sdk-6.0.413-win-x86.exe

MD5 c829733fccac1d023514b6a56647d461
SHA1 eae92bb4711c6d9e1e19ebe79b3afc2de7dfabec
SHA256 fec2580479532e2a36b75e9e4d14835be00e1fb65f43166ee4b4660aae13f2bc
SHA512 dd7f1299ba1db1c3ada0110dc75e91d5b68731fae7261b6c06f330354653e1ca1e8dde2150d34843b76c4066d2328fbac18f0b9ba989446c29c86ac38f507706

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\windowsdesktop_targeting_pack_6.0.21_win_x86.msi

MD5 11d6c02dbbc89d3c06781a401417bd0c
SHA1 447a63505dd844a7e2ed5dc52482ca122a15cad3
SHA256 ecce41cbd7f089b2e84f50391e730f634bb31aa4faf3e3c9c913a52a6a85f525
SHA512 1c9e172e5da67a9673024caa2a64f3c430a5be7e8c6da017af2d2cb356a05453d84ca2351efaf69fb132e5dc7f7292c94421c3d896be7054f96be2f455c6cddf

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_runtime_6.0.21_win_x86.msi

MD5 4ae810529271732ce23f010065d0a2b4
SHA1 807c3e3a2c4aaf4ad902d1a71211f696a57f18ad
SHA256 88ad6791ce8c47223164cbb34d525ea4ec30396916906475745a17013ed3c7f6
SHA512 ee933862e71db0f0fede25626378bd2dee319e9ff07216b2604b8c03a7d34ace79de4bdb06db6d69d9035f2d5d70112e49abb2f39b9143d940385d0789476248

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\Finalizer

MD5 1ec0ef0eb7860f069bda682b0e74df8d
SHA1 12ffab75565303e970e27218efeeb364b3ecdd18
SHA256 2f6948e63b4c8e4493b32dedcaad3d871bd86940e160435bb794fb9be12e2001
SHA512 9964a24217aaf610f1bcd85ef246d9f361313090e1acddc5eaee7b2e241fc441b2ddcdb305e3cbc5591a0c6566856291ff549aab1e09c8b7acf45482df1cb71b

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\AspNetCoreSharedFramework_x86

MD5 837378fedd9087818fbe1e34a44b2f63
SHA1 f21d29f3825935d4686030f3a18a4792bb059870
SHA256 ff5d43836df20367c93dd76c42191527d5bd7e022d1661b68a324cf3ca86ad1a
SHA512 c8f0f3c8820f9266eccfc627fac1f291fa9cbc3f4fb2852cca649d356649d3e1d7f512b23909283126d8f0d6eee0767a2d24e24a82c9e2bf9d681ee9a6d31b43

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_targeting_pack_6.0.21_win_x86.msi

MD5 27e783d6d8727f717b83204ed02388b7
SHA1 56e0d3577a3888629919c72e2356d7f1945ee0ea
SHA256 fafff57eaa7b0b817bf7df6e597c7dbb2a933cdffb091dc2d6d2f2eb1bb19c9a
SHA512 108094fda94403adb2c65f1dedd32501fc2008411792fcb8c85ccab7bbb06ee61cc54bed42a2aca8c7070188e1ccabc0c7054baeb1becae848d9fbc5b349cd44

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_host_6.0.21_win_x86.msi

MD5 7962d70e6e862a1c0c895249f3e898f2
SHA1 dbbf1b409d4ef0e2272bbb6b66ddc6028842e207
SHA256 c2724c3f3379558168faabe9c835d140bbce8eb4ee7b376ae1f6fb214e683155
SHA512 89a8a816888c5ebfe7a8d19a620c762e884bdc354f2897e87bfae472c1e12537bb04204ffd4954cb86bb699dbf2fcf3f7b3e182de328a10a6e0c323734b30101

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_apphost_pack_6.0.21_win_x86.msi

MD5 02bceaf1e8e984cf96538e9ed1e7c32e
SHA1 981c74c27a3192aff308614225a35f206881c32d
SHA256 bec33f4963730d97fbf799e497fd3003154f8548c397d720bfc721c8e1f60888
SHA512 768abe808f9e997806afb81ddb94e705bbd36472090d37fbe3f8027f4b144c711a2f01b0e4b9d0a42656efac5e9b921c735ad97201fd17a2afbf6b0b73fbf498

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_apphost_pack_6.0.21_win_x86_arm.msi

MD5 79e598f855ba34faf22af6c30eabb1a3
SHA1 9e4926da5014809e7f821c2d4779cbd47b973510
SHA256 51e0b5199d7cde0584c20befae2bd48444cd3eec1dfaf372b26633c400a2c254
SHA512 442caef79d5df29dd0ddefe6eb891a073f019742dc44bf6d4d08beab79ca3f20ef1b3cb5e235a0c75d2accc2e87f37d547ee6d08e3c296e40803c2d909f6298b

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_apphost_pack_6.0.21_win_x86_arm64.msi

MD5 6a284a25f91369516637a6e40271644d
SHA1 e5f487864098f1124c66083dd97a5e7832126522
SHA256 e0e38524a41e01e4986b1886a64fdb57ff1c4b8193a53c24e5e57d0a359f1c28
SHA512 d48a7081dfead76d175f9e5f30ab52eff65f2f75fa26f12f1a93f1599b8efb3bd302fb1821de1ed494aec4e7b8678b9ba1c238faa8b5e175a38d6f18eb5773ee

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_apphost_pack_6.0.21_win_x86_x64.msi

MD5 9491ebd4c04097691613188b3d21b928
SHA1 5136da2fa97a25cb3d4f30ce33d3c3447e92d2dc
SHA256 8b6bf74d99d80494d2b0e656c91e51126e35e14bc0065817e4e75e1cec9a6c56
SHA512 b22dfaf2f937a9de66ff3dc7d56b5e7fab0679fb64b50a91fc334938a38e9dc87c35d2a02281580f15b4d386f953b80d750d9432d9746c30b7f07f40f3f3ae37

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_hostfxr_6.0.21_win_x86.msi

MD5 e92a19cba6efc356b1c51fb9e53cc1ee
SHA1 6f475b4278c0963a9b69efc47abc8896b0c20208
SHA256 504f09f5815c51b04d7c83d904604aabd70b8678b9fd1fe886288060af5ceef6
SHA512 cf3b3d79f8785b144ce7d2ac7552a1c2fc7f070445adc8d3e4e7793e99a48e288042548f421bc600595e9d3c99c3def8afdb0010adb6e510edbd6d0df23cf807

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\windowsdesktop_runtime_6.0.21_win_x86.msi

MD5 7cbf8309bb6f5390c3857e96fe95510e
SHA1 160b612bad5da367b3cdf22892a4dc57928ee804
SHA256 ee9bb3f12fb98a7c67e329541679fd3cfbb725f0b97d9bf488cef33c8a07056a
SHA512 d0021d1bedf60fa7fa475c4b3ad101132e860c458760a6cc37e43a202dd55aa189ec1c979013488e0c874dea703aca12f42f69a82ba844052809c9102235e252

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_60templates_6.0.413_servicing.23367.26_win_x86.msi

MD5 b6dbee782949b991e22f216efe56475a
SHA1 a313e95e724554338293c6d44954b0c2a3cf8a63
SHA256 b7bfbab92c43a3116983ab5ec463a895e35b67386e9408360d947393adeb81a0
SHA512 9c9fb07e458cf85ceaf7a6203136dd98b491db5bbe5496d69d334bcf5054e481f251c6fd83fc196df9b79fa906c71ad9d12d4265f3d35a0646b4c4d096883aeb

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\netstandard_targeting_pack_2.1.0_win_x86.msi

MD5 1efaf25a241ebb22082bb327590d0975
SHA1 0af235a15257eb55d19e0fe635df5ffde02ecbf9
SHA256 194aff09b53c8f18ac8410c43dc63f678729906a39ea45efc5e1f538701c8031
SHA512 c68b3295e854fb800c0d065bb044b640309e48bfa1a3ffefb459761e40ca9cefe115db09688a9309eb699ab616f837a4c69f839517d1538c33259fa38f5c7204

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\Microsoft.NET.Sdk.Maui.Manifest_6.0.300.6.0.312_x86.msi

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\Microsoft.NET.Workload.Mono.ToolChain.Manifest_6.0.300.6.0.5_x86.msi

MD5 1155dd7272a534dd403520299023a012
SHA1 e5eb9fd3d8ba6855b8dc346b1a9f4ff981f5493a
SHA256 fe7be499cb7cbb90c117ad16403f6a71b8c4a036d2b1e6aba237a1220e7a31f0
SHA512 07381caf6a1bdff9cc45b86da9a2895fe2b91ac6c3d00305cccd283f0bff2c669b51231d128887399402426787d7d5c3d4537c65ee2327a00a985125b43a579a

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\Microsoft.NET.Sdk.tvOS.Manifest_6.0.300.15.4.303_x86.msi

MD5 838989470eade37ee5a7674f582f494e
SHA1 80bda03eff3f223cd50b6f747a19edd1e047ebfd
SHA256 71d07c2a35b4cff43e46989c21c1a682a016c2ff9d5cafbac911e061868bab05
SHA512 92c5850eec4d9d06678e23f2f1e926873a797dbd74472992c238e3b6b7184812581f594406c5b070fc4ccde1d01ed1cd3aa4d51a106a2f803602a4cec332da36

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\Microsoft.NET.Sdk.macOS.Manifest_6.0.300.12.3.303_x86.msi

MD5 537d4cd0bac3d41f9b736eea6fd8e055
SHA1 4496ec4490cb5e840bbd3a9345c024b926f861d4
SHA256 eda4b2f6d762342df60709866fbf107a6c86feda0795fd3c2624e9b8b550df68
SHA512 b147950b3ecb204035cd300f8d2efe4e185852b4513d2017c40fc227b1943a46c1ac1a32ab46b551d0729184950e0ea6fe7606c0a6b2031b88faa21dd0b88733

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\Microsoft.NET.Sdk.MacCatalyst.Manifest_6.0.300.15.4.303_x86.msi

MD5 a5979d34f92f39d27a21d8163583862e
SHA1 1203352b2c68f873648a3ebbad6b83cbe00a0822
SHA256 9f9a931214de020a6be34633bf9f5e22d616ad7aaa10563144cdf8189c4bb17e
SHA512 b0cfa77b9f207ed25e8dc17e7922b3b5f6eb419f3a393eb7505a6a9800fdb6a8eda568efcaa7c89d6cf52af024277158242f59563ce0396280c90a2c0dc57feb

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\AspNetCoreSharedFramework_x86

MD5 bfd60e4899f9da0979c941250d1a39a6
SHA1 94a9046c2d1c82f7b2f8b3dc13733eaed19a9052
SHA256 d835610f44f988da5e778092cb67dcf3f4e99939cd64cf4d8f03495aec90017f
SHA512 2c110f8fefa2368b0cf82d68bdefafe6b22d62eac6175e84a50c7c96937b984392b13d7d193c7cfeabf229e3ec738c193f8d370fe665dc82584d0f091868ccec

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\Microsoft.NET.Sdk.iOS.Manifest_6.0.300.15.4.303_x86.msi

MD5 4a484398b36dc8963ffb67f766e03762
SHA1 fbc28848efc8a689a314989d18de9535b9a98834
SHA256 b71d62cf90dca091ad3a114725e6610bedd21bcae33bb44dd028430f0dcbe2e1
SHA512 3ac43f404a9da83d86f782a15cb16c1867125720b574e26cf79e5bfe929d94f42a6923135d4691160a3af5a0914b070d28589844ac3669015b218da4ebe9b20c

C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_SDK_6.0.413_(x86)_20240222181333_000_dotnet_runtime_6.0.21_win_x86.msi.log

MD5 9d109ed7ca215b329f5ee5d5d7a54faa
SHA1 e009721b8c737b7cbad56c40cbdca7d5ac560261
SHA256 1a1043b4d9cf41f18e54d4e5f3e78dc9ec86da638d4aed503ded3493b3326c2c
SHA512 b8f58b439df5bce5ed45f9b3f5a17aed28eca8169c76b0acb5cf957a9b818a6b79fc887ba402fa6d7209adc59b84f99bcafbf2723bb4b20f6c5ed7871232adf2

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\Microsoft.NET.Sdk.Android.Manifest_6.0.300.32.0.301_x86.msi

MD5 f89935184c813d483df9900090d44b29
SHA1 c44654235a8b77c7f0aef4ad3fc9b18548861d70
SHA256 d8bdc2cb852f490f88f6a4e0d037727ed7b8ff93473f2d2902f5117aeb4a814b
SHA512 618f7b7c53eff3a1981ada3ef9082ed72f97ae1cac4816d831439091d39c340527e740c03f0cd7e0ed46ad65aec824e7e4285546f4b4e078e6625a4828c9e988

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_sdk_internal_6.0.413_win_x86.msi

MD5 5557f878e383c3a2e15e7c1f100b04dc
SHA1 12f208e29ac67679839a91e4fcaf5272547d0585
SHA256 30151111dc5d6a477ba5184fa733843d80cc387a0e2fa4525baff83f1ca21a1b
SHA512 f69fcf505c612d67e79bd064351780c2f2c36b3979bfb8551723541b753e5e590e809bd121298cf93abe9e2d88e070ee86ba0cad273850f38a3dfbec8f4973a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b46b533e597f6c546254d386e087096
SHA1 9ab64f29ed592a4a81a7e7218950ea9758fbc059
SHA256 c33d79cfc5401d6ffd5f8eb55c957d28b5db6ab79c4d7a5b405ba6c36312c940
SHA512 3ffff408fcd5bce22536bd094473d82346216eb491edd20ffd5de0a707ccc02fb4ea97a25141523217d0534e18552f28c57e4e97a4a28e6d052237ac37179e2b

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\aspnetcore_targeting_pack_6.0.21_servicing.23364.38_win_x86.msi

MD5 c98f9004ee5f2edd79d44b5b832a912f
SHA1 1fa26d5bfbdfebd83684aba4dc89f451eaadb02a
SHA256 4c2de39415b2f2bff47c179a985fb54ea97a9f816cc8f95b3a59abac3d875ce9
SHA512 d1e517b6c4b6b60586d9025fd300d35b0b879d72be5dd3dee9d3884cef9cc502381a36c60b70b2673a9773a1ea13e7476d23eb9c33c62f9c18743e41d6bd18bb

C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\windowsdesktop_targeting_pack_6.0.21_win_x86.msi

MD5 08365d12500d2cc334778d2972ffaddd
SHA1 a5c2a093019be9eaa3efb5f9c37f83b63d502196
SHA256 20c74ab102820bacd3f6a3ec6fa1b972063df3347a28dfabd451c3ce07736227
SHA512 2a89442dd7a06fcea985b032a4ad862819579067e28db79aae3382b1393ae608b041dce2fd3edf3a94570219d0aab943db678c951602ab7bb39d96366d0def11

C:\Windows\Installer\f786ea0.msi

MD5 3761aaad9124eb5f67d7f2f578804f1f
SHA1 51d9a0f7d1079cbd4f9609c1df6bd3e55155891a
SHA256 47026c325a71d5a3ec300eaeac59678c7814852375b052e3f1c78db490e13a3d
SHA512 cf19f410da3cc7cf76979ad4bb266dfd7a0f01cd79a407c3865e0ec421be33e6503da6048b235b5841f8eeeea44274a952b2b25e69bc92ec9ec04c90d08c5d6f

C:\Config.Msi\f786e9f.rbs

MD5 10fc7bf80afb651f0da3b5281bc05894
SHA1 cd5b4af957e8823ba9ae403be1b95e7ff487854d
SHA256 d435c03f8b11a435f2c41ad5191ad4ff14306807baf79b2cd451443c7d2d601e
SHA512 12d43e0519011bd468167bae0c5943a6611b2e0978e77df98d394ded6d84735dfd64ba5daa04e63626178a7fc71433f23d1f323a853804f2e65bb0b1daf8d0e2

\Windows\Installer\MSI7F16.tmp

MD5 fbc9f717b1b642e20b9be87ab006a74f
SHA1 f0ee0595b5ef58ff26c9f8ab3162d32786ad16b3
SHA256 ec7b8b484679e648cfae140f153613fadf5c36eb97f524f2e8001b8ac83775cd
SHA512 dba0c517c974fbac7257e4f0ff5eb23e91b380cf47af748c814631271efc446af949f83d9d517925fbd571529787f122f6d56a541ce61c665ed9ea9138c65106

C:\Windows\Installer\MSI7F16.tmp

MD5 beb7eb2acc845e6de562805ac9323d19
SHA1 6d0923496fe3e144978b7cb27b157e77202e7841
SHA256 b2195a6ec525b33d04c6e99ffc5f163a1ed880cbdb3e44a120504c48a7433348
SHA512 bee5655a0dedcecff1c059649cca772b87a6449ef0be526617cc14db1b82e434e065bb2d98b2090768472c890c337249e7d622ee918595ee9e697721b3cc1f0e

C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_SDK_6.0.413_(x86)_20240222181333_001_dotnet_hostfxr_6.0.21_win_x86.msi.log

MD5 6dbef3c5b4215e547f8bc7e82188a627
SHA1 4211d869a50aa237d49246f2f18c638fd685666c
SHA256 5571d54bd93699067d68bd62c8f813d64f02d48b362c3b86fe04c28ebed15b8b
SHA512 be5f4e481d85902d751805e0c41e32aaf75d7243196b79a96c03ee89fc364260a804cb53cb98ec078a3f1a9893089884ec013b62a24dd71fef21f002ef2f43be

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Config.Msi\f786ea5.rbs

\Windows\Installer\MSI84A8.tmp

C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_SDK_6.0.413_(x86)_20240222181333_002_dotnet_host_6.0.21_win_x86.msi.log

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Program Files (x86)\dotnet\ThirdPartyNotices.txt

C:\Config.Msi\f786eab.rbs

C:\Program Files (x86)\dotnet\LICENSE.txt

C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_SDK_6.0.413_(x86)_20240222181333_003_dotnet_targeting_pack_6.0.21_win_x86.msi.log

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Config.Msi\f786eb1.rbs

C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_SDK_6.0.413_(x86)_20240222181333_004_dotnet_apphost_pack_6.0.21_win_x86.msi.log

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Config.Msi\f786eb7.rbs

C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_SDK_6.0.413_(x86)_20240222181333_005_dotnet_apphost_pack_6.0.21_win_x86_x64.msi.log

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Config.Msi\f786ebd.rbs

C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_SDK_6.0.413_(x86)_20240222181333_006_dotnet_apphost_pack_6.0.21_win_x86_arm.msi.log

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 18:08

Reported

2024-02-22 18:14

Platform

win10v2004-20240221-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{c649ede4-f16a-4486-a117-dcc2f2a35165} = "\"C:\\ProgramData\\Package Cache\\{c649ede4-f16a-4486-a117-dcc2f2a35165}\\VC_redist.x64.exe\" /burn.runonce" C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value elided) C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Version = "14.38.33135.0" C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135" C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Dependents\{c649ede4-f16a-4486-a117-dcc2f2a35165} C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Dependents C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\ = "{c649ede4-f16a-4486-a117-dcc2f2a35165}" C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4220 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe
PID 4220 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe
PID 4220 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe
PID 1708 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe
PID 1708 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe
PID 1708 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe
PID 3860 wrote to memory of 3304 N/A C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe
PID 3860 wrote to memory of 3304 N/A C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe
PID 3860 wrote to memory of 3304 N/A C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe
PID 4220 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe
PID 4220 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe
PID 4220 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"

C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe

"vc_redist.x64.exe" /install /quiet /norestart

C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe

"C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /install /quiet /norestart

C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe

"C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{472BD820-B034-4B98-8F6C-C966D0298679} {57C6BF00-3285-4967-BF72-F091D99D4408} 3860

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3860 -ip 3860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 1236

C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe

"dotnet-sdk-6.0.405-win-x64.exe" /install /quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 launcher.novafn.dev udp
US 188.114.96.2:443 launcher.novafn.dev tcp
US 8.8.8.8:53 nova.blksservers.com udp
US 67.227.226.240:443 nova.blksservers.com tcp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 aka.ms udp
NL 104.80.230.57:443 aka.ms tcp
US 8.8.8.8:53 download.visualstudio.microsoft.com udp
FR 68.232.34.200:443 download.visualstudio.microsoft.com tcp
US 8.8.8.8:53 57.230.80.104.in-addr.arpa udp
US 8.8.8.8:53 200.34.232.68.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 137.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\PresentationNative_cor3.dll

C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\wpfgfx_cor3.dll

C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\D3DCompiler_47_cor3.dll

C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe

C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe

C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe

C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.ba\wixstdba.dll

C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.ba\logo.png

C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe

C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe
