Analysis Overview
SHA256
b8b96d300bf7ac2d39d20bfcfe77ad3dde7214323b503850b8d131266ba68573
Threat Level: Likely malicious
The file NovaInstaller.exe was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks installed software on the system
Program crash
Enumerates physical storage devices
Unsigned PE
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-22 18:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 18:08
Reported
2024-02-22 18:14
Platform
win7-20240221-en
Max time kernel
136s
Max time network
167s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{74F6B4B3-3348-4780-988B-D6C3545657F6}\.cr\dotnet-sdk-6.0.405-win-x64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{74F6B4B3-3348-4780-988B-D6C3545657F6}\.cr\dotnet-sdk-6.0.405-win-x64.exe | N/A |
The three loads by NovaInstaller.exe are the WPF native libraries listed under Files (PresentationNative_cor3.dll, D3DCompiler_47_cor3.dll, wpfgfx_cor3.dll) in %TEMP%\.net\NovaInstaller\<bundle id>\, which is the directory a single-file-published .NET application extracts its bundled native dependencies into on first run. That pattern is consistent with the installer unpacking its own runtime rather than fetching a separate payload; the hashes under Files can be compared against the Microsoft.WindowsDesktop.App runtime package of the matching version to confirm.
Checks installed software on the system
Modifies system certificate store
The three thumbprints below are public CA roots, not an attacker-controlled CA: DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is DST Root CA X3 (its friendly name, the "Digital Signature Trust Co." issuer and the 2000-09-30 to 2021-09-30 validity are readable in the Blob value), CABD2A79A1076A31F21D253635CB039D4329A5E8 is ISRG Root X1 and A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is DigiCert Global Root CA. The AuthRoot writes, together with the CryptnetUrlCache files under Files and the apps.identrust.com fetch under Network, are consistent with CryptoAPI completing a certificate chain for a TLS connection; AuthRoot is the Third-Party Root store that Windows populates on its own. The write into ROOT (the machine Trusted Root Certification Authorities store) for ISRG Root X1 is the entry to look at more closely, since that is the store an application adds to explicitly.
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data not reproduced) | C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data not reproduced) | C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data not reproduced) | C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data not reproduced) | C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe | N/A |
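The Blob values in the table are CryptoAPI serialized certificates: a run of records, each a little-endian uint32 property id, a uint32 that is always 1, a uint32 length and the data, with the DER certificate itself under CERT_CERT_PROP_ID (32). The parser below is an added example written for this report; it is not code from the sandbox or from the sample. It walks that layout, decodes the friendly name, and cross-checks the registry key name against the SHA-1 of the certificate actually stored, which is the check to run whenever a process writes into SystemCertificates. The property-id names are the wincrypt.h constants; the KNOWN_ROOTS table covers the three thumbprints in this report. The first six records of the DST Root CA X3 value are copied verbatim from the table as real input (cut before the certificate record), and a separate, fully constructed blob with a placeholder certificate exercises the matching and the tamper case.

```python
"""Parse and check HKLM\\...\\SystemCertificates\\<store>\\Certificates\\<thumbprint>\\Blob values."""
import hashlib
import struct

PROP_NAMES = {  # CERT_*_PROP_ID constants from wincrypt.h
    3: "CERT_SHA1_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
}
KNOWN_ROOTS = {  # public CA roots behind the thumbprints seen in this report
    "dac9024f54d8f6df94935fb1732638ca6ad77c13": "DST Root CA X3",
    "cabd2a79a1076a31f21d253635cb039d4329a5e8": "ISRG Root X1",
    "a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436": "DigiCert Global Root CA",
}


def parse_cert_blob(blob: bytes) -> dict:
    """Return {prop_id: data} for each (id, 1, length, data) record, in written order."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"reserved field is {reserved}, not 1, at offset {off}")
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError(f"property {prop_id} claims {length} bytes, {len(data)} present")
        off += length
        props[prop_id] = data
    return props


def friendly_name(props: dict) -> str:
    """CERT_FRIENDLY_NAME_PROP_ID holds a NUL-terminated UTF-16LE string."""
    return props.get(11, b"").decode("utf-16-le").rstrip("\x00")


def check_cert_blob(key_thumbprint: str, blob: bytes) -> dict:
    """Do the key name, the stored SHA-1 record and the embedded DER all agree?"""
    props = parse_cert_blob(blob)
    der = props.get(32)
    if der is None:
        raise ValueError("no CERT_CERT_PROP_ID record: blob is truncated or not a certificate")
    actual = hashlib.sha1(der).hexdigest()
    return {
        "friendly_name": friendly_name(props),
        "thumbprint": actual,
        "known_root": KNOWN_ROOTS.get(actual),
        "key_name_matches": actual == key_thumbprint.lower(),
        "stored_hash_matches": actual == props.get(3, b"").hex(),
        "properties": [PROP_NAMES.get(p, f"prop_{p}") for p in props],
        "der_length": len(der),
    }


def build_cert_blob(records) -> bytes:
    """Serialize (prop_id, data) pairs in the layout Windows writes."""
    return b"".join(struct.pack("<III", pid, 1, len(d)) + d for pid, d in records)


# Real input: the first six records of the DST Root CA X3 Blob from the table
# above, copied verbatim and cut just before the certificate record.
REPORT_BLOB_PREFIX = bytes.fromhex(
    "0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d"
    "0b000000010000001e000000440053005400200052006f006f00740020004300"
    "41002000580033000000"
    "090000000100000016000000301406082b0601050507030406082b06010505070301"
    "140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910"
    "1d00000001000000100000004558d512eecb27464920897de7b66053"
    "030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13"
)

# Constructed sample with the same record sequence; a five-byte DER SEQUENCE
# stands in for a real certificate, so only its length and hash matter here.
FAKE_DER = bytes.fromhex("3003020101")
SAMPLE_RECORDS = [
    (15, bytes(20)),
    (11, "Example Root CA\x00".encode("utf-16-le")),
    (9, bytes.fromhex("301406082b0601050507030406082b06010505070301")),
    (20, bytes(20)),
    (29, bytes(16)),
    (3, hashlib.sha1(FAKE_DER).digest()),
    (32, FAKE_DER),
]
SAMPLE_BLOB = build_cert_blob(SAMPLE_RECORDS)
SAMPLE_KEY = hashlib.sha1(FAKE_DER).hexdigest().upper()
# Same key name and stored hash, but the certificate bytes were swapped.
TAMPERED_BLOB = build_cert_blob(SAMPLE_RECORDS[:-1] + [(32, FAKE_DER + b"\x00")])

if __name__ == "__main__":
    print(check_cert_blob(SAMPLE_KEY, SAMPLE_BLOB))
    print(friendly_name(parse_cert_blob(REPORT_BLOB_PREFIX)))
```

To run it against a full value from a live system, export the key with `reg.exe` or read it with `winreg`, pass the raw bytes to `check_cert_blob` together with the key name, and treat a `key_name_matches` or `stored_hash_matches` of False, or a thumbprint absent from your allow-list of expected roots, as the finding.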
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"
C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe
"dotnet-sdk-6.0.405-win-x64.exe" /install /quiet
C:\Windows\Temp\{74F6B4B3-3348-4780-988B-D6C3545657F6}\.cr\dotnet-sdk-6.0.405-win-x64.exe
"C:\Windows\Temp\{74F6B4B3-3348-4780-988B-D6C3545657F6}\.cr\dotnet-sdk-6.0.405-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe" -burn.filehandle.attached=184 -burn.filehandle.self=192 /install /quiet
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\.be\dotnet-sdk-6.0.413-win-x86.exe
"C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\.be\dotnet-sdk-6.0.413-win-x86.exe" -q -burn.elevated BurnPipe.{1E63B446-54C0-423D-ACE8-EC71E2163403} {F664BABF-F589-4FB9-BE0B-9B5C3C1FDAD8} 2016
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DC31C1B2856C56B7BADF5553F3DD767B
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 91504D7D5146B2D4D0B6D000D7152088
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A7DFD924C7A399D9AB7181DC9629DD3B
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 89A1AD49A721AA2251F54359E45F34A8
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 028824270FFB55DB1C99D6C45F7F1C0F
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 86789C29DF5ECE5333C06C81C24E9C0E
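The process list above is a WiX Burn chain: the bundle downloaded as dotnet-sdk-6.0.405-win-x64.exe relaunches a copy of itself from a `.cr\` clean-room directory (`-burn.clean.room=` names the original file), that copy starts an elevated engine from a `.be\` directory (`-burn.elevated <pipe> <secret> <parent pid>`), and the Windows Installer service spawns 32-bit `MsiExec.exe -Embedding <id>` custom-action servers for each package. Note that the engine unpacked from the 6.0.405 x64 file is named dotnet-sdk-6.0.413-win-x86.exe and the MSI logs under Files are titled Microsoft_.NET_SDK_6.0.413_(x86), so the bundle content does not match the downloaded filename. The classifier below is an added example written for this report, not code from the sandbox, the sample or the .NET installer; the switch meanings are those of the Burn engine, and the sample process list is copied from the Processes section. It labels each process and checks that the chain is internally consistent, which is how a detection can separate a genuine bundle from something merely imitating its command lines.

```python
"""Recognise the WiX Burn / Windows Installer chain in a sandbox process list."""
import re

CLEAN_ROOM = re.compile(r'-burn\.clean\.room="?(?P<origin>[^" ]+)"?', re.I)
ELEVATED = re.compile(
    r"-burn\.elevated\s+(?P<pipe>BurnPipe\.\{[0-9A-F-]{36}\})\s+\{[0-9A-F-]{36}\}\s+(?P<parent_pid>\d+)",
    re.I,
)
EMBEDDING = re.compile(r"msiexec\.exe\s+-Embedding\s+(?P<server_id>[0-9A-F]{32})\s*$", re.I)
MSI_SERVICE = re.compile(r"msiexec\.exe\s+/V\s*$", re.I)
# Burn working directories: .cr (clean room), .be (bundle engine), .ba (bootstrapper app)
BURN_WORKDIR = re.compile(r"\\Temp\\\{[0-9A-F-]{36}\}\\\.(?P<kind>cr|be|ba)\\", re.I)


def classify(image: str, cmdline: str) -> tuple:
    """Map one (image path, command line) pair to a role plus the parsed details."""
    if m := CLEAN_ROOM.search(cmdline):
        return "burn clean-room engine", {"origin": m["origin"]}
    if m := ELEVATED.search(cmdline):
        return "burn elevated engine", {"pipe": m["pipe"], "parent_pid": int(m["parent_pid"])}
    if m := EMBEDDING.search(cmdline):
        return "msi custom-action server", {"server_id": m["server_id"]}
    if MSI_SERVICE.search(cmdline):
        return "msi service", {}
    if "/install" in cmdline.lower() and "/quiet" in cmdline.lower():
        return "burn bootstrapper (silent install)", {}
    return "no burn/msi markers", {}


def audit_chain(processes) -> tuple:
    """Return (roles, findings): findings are breaks in how a real Burn bundle behaves."""
    roles, findings = [], []
    images = {image.lower() for image, _ in processes}
    for image, cmdline in processes:
        role, info = classify(image, cmdline)
        roles.append(role)
        workdir = BURN_WORKDIR.search(image)
        kind = workdir["kind"].lower() if workdir else None
        if role == "burn clean-room engine":
            if info["origin"].lower() not in images:
                findings.append(f"clean-room origin not in process list: {info['origin']}")
            if kind != "cr":
                findings.append(f"clean-room engine outside a .cr\\ directory: {image}")
        elif role == "burn elevated engine" and kind != "be":
            findings.append(f"elevated engine outside a .be\\ directory: {image}")
    return roles, findings


# Sample input: (image, command line) pairs copied from the Processes section above.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe",
     r'"dotnet-sdk-6.0.405-win-x64.exe" /install /quiet'),
    (r"C:\Windows\Temp\{74F6B4B3-3348-4780-988B-D6C3545657F6}\.cr\dotnet-sdk-6.0.405-win-x64.exe",
     r'"C:\Windows\Temp\{74F6B4B3-3348-4780-988B-D6C3545657F6}\.cr\dotnet-sdk-6.0.405-win-x64.exe" '
     r'-burn.clean.room="C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe" '
     r"-burn.filehandle.attached=184 -burn.filehandle.self=192 /install /quiet"),
    (r"C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\.be\dotnet-sdk-6.0.413-win-x86.exe",
     r'"C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\.be\dotnet-sdk-6.0.413-win-x86.exe" '
     r"-q -burn.elevated BurnPipe.{1E63B446-54C0-423D-ACE8-EC71E2163403} "
     r"{F664BABF-F589-4FB9-BE0B-9B5C3C1FDAD8} 2016"),
    (r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    (r"C:\Windows\syswow64\MsiExec.exe",
     r"C:\Windows\syswow64\MsiExec.exe -Embedding DC31C1B2856C56B7BADF5553F3DD767B"),
]

if __name__ == "__main__":
    for role, finding in zip(*audit_chain(PROCESSES)) if False else [audit_chain(PROCESSES)]:
        print(role, finding)
```

The audit only checks structure (the relaunch names a file that really exists in the tree, the engines run from the directories Burn uses); it says nothing about whether the bundle's contents are the Microsoft-signed ones, which is a separate Authenticode check on the extracted engine and MSIs.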
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | launcher.novafn.dev | udp |
| US | 104.21.68.13:443 | launcher.novafn.dev | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | nova.blksservers.com | udp |
| US | 67.227.226.240:443 | nova.blksservers.com | tcp |
| US | 8.8.8.8:53 | aka.ms | udp |
| GB | 2.19.170.177:443 | aka.ms | tcp |
| US | 8.8.8.8:53 | download.visualstudio.microsoft.com | udp |
| FR | 68.232.34.200:443 | download.visualstudio.microsoft.com | tcp |
Files
memory/1736-5-0x0000000180000000-0x0000000180A25000-memory.dmp
memory/1736-9-0x000000013F8D0000-0x00000001401FD000-memory.dmp
memory/1736-8-0x0000000024040000-0x0000000024FC8000-memory.dmp
memory/1736-12-0x0000000023000000-0x0000000023228000-memory.dmp
memory/1736-15-0x0000000022DC0000-0x0000000022F1E000-memory.dmp
memory/1736-21-0x00000000228B0000-0x00000000228EE000-memory.dmp
memory/1736-18-0x0000000002200000-0x0000000002244000-memory.dmp
memory/1736-24-0x0000000024FD0000-0x0000000025812000-memory.dmp
memory/1736-27-0x0000000022980000-0x0000000022A00000-memory.dmp
memory/1736-30-0x0000000001C30000-0x0000000001C3D000-memory.dmp
memory/1736-36-0x0000000002250000-0x0000000002263000-memory.dmp
memory/1736-33-0x0000000001C40000-0x0000000001C45000-memory.dmp
memory/1736-39-0x0000000001C20000-0x0000000001C27000-memory.dmp
memory/1736-42-0x0000000001FF0000-0x0000000002009000-memory.dmp
memory/1736-48-0x0000000022A00000-0x0000000022A40000-memory.dmp
memory/1736-54-0x00000000228F0000-0x0000000022902000-memory.dmp
memory/1736-51-0x0000000022930000-0x0000000022948000-memory.dmp
memory/1736-45-0x0000000022910000-0x0000000022926000-memory.dmp
memory/1736-60-0x0000000023650000-0x0000000023744000-memory.dmp
\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\PresentationNative_cor3.dll
| MD5 | 6bf625abcb6feca06dcfef0add5a48f5 |
| SHA1 | 198bd2f5e8aad9929b3d28eac56d1c49ed467839 |
| SHA256 | c28d7675c710a6d3ac4fb2177eab122440a1fed9491d52d9b9f378e997d50fb8 |
| SHA512 | 5453a204a8128eef48eef902bd63376b574864428c0bc63ecf956065f0bea18d6d5cac8906736ce7212ce04641c3010d9c2084c7f3d86310ac57dcf2de40c1a6 |
memory/1736-63-0x0000000002270000-0x0000000002278000-memory.dmp
memory/1736-66-0x0000000022F20000-0x0000000022F67000-memory.dmp
memory/1736-69-0x0000000022950000-0x000000002297A000-memory.dmp
memory/1736-72-0x0000000026040000-0x000000002685C000-memory.dmp
\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\D3DCompiler_47_cor3.dll
| MD5 | 964f19583fa0164127ed1fe2cc606a55 |
| SHA1 | c1527b6b5762bbe5767be449eddf50b3db9d0f24 |
| SHA256 | 84e337daff3fb7bad032a273dfdc2d9fffbdf260166d4383e5518005f7601242 |
| SHA512 | bad93a91691df9c19b1f798dce9ca85b5994255f979fd3ddf5145e6e0364d3fb2d3ad9614bb56c6c35874817aba1090f3774c17900bd9ea7be5659a2ad679569 |
\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\wpfgfx_cor3.dll
| MD5 | 9c828f9cca7da40407bfe9521bae6402 |
| SHA1 | da09914b5a96c3ddf038e3cb176a8b5f31d71ae8 |
| SHA256 | 7f9d0cd50f10c55848027e1fb9d7d780ebbf1eadbb5edd899f2af359aa9681e8 |
| SHA512 | 01db920eb96999cb83d0e42c20ceb19b7aaed3d3c4ed71e26528cf05f8751f53885faab5255025c26ea4d1d479a460fc797d102dd22aebb550bd85f0748b6c0b |
memory/1736-125-0x0000000023230000-0x000000002323A000-memory.dmp
memory/1736-128-0x0000000023230000-0x000000002323A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabACC5.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\TarAD74.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f1d3c9fc3518fe493fb5c526ab0e2e47 |
| SHA1 | 6d45fbc2768e788fc354f419ba9fcb0921fab84b |
| SHA256 | 78d9636ff91945819c36b950983a391f8f7deb63485879cfd671965efcde5a30 |
| SHA512 | 25b430ab6c26d630289e0691b985f60a3c95e913a41a2f8c9900c9f64535da4377b5b1800b76d4e1d94d256a4c906195debc29eb79f0e4088f14ff9161732ba5 |
memory/1736-246-0x000000013F8D0000-0x00000001401FD000-memory.dmp
memory/1736-247-0x0000000023230000-0x000000002323A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe
| MD5 | a965bd9aac61c3e294d5bfff7a9e66e8 |
| SHA1 | bd2f831c210dd4e99c211fa4aae7e0892e567dcb |
| SHA256 | 778caf178b4e6d474f0774e1a770a801d1c2c939d2861a0eef95616a0fafc607 |
| SHA512 | dd4682b65a8944139b589b59848c75e0ec994d86399ea1f044a37e8c859afa23fb419a3211aa9394fa4a0f320aaf506bd41947f9d7aeb6a7543505f00bef65a4 |
C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe
| MD5 | 10e24783d7998334d58d4a26b4a73895 |
| SHA1 | 6e9c083ceab9d410700ecb8384eb30f0bb10104a |
| SHA256 | 249ddaef6e008e919116d0755d98ecd70b5148d862863a5568236b46416f720d |
| SHA512 | 24a4b72b8259dfd2f16875dcad679517896450bba9f14105f0d59ab99fc0a43f4d659746829ca95c8094f8e2823798e4faab113ebc502bdce9b8b1d7a66e7715 |
\Windows\Temp\{74F6B4B3-3348-4780-988B-D6C3545657F6}\.cr\dotnet-sdk-6.0.405-win-x64.exe
| MD5 | 3650f7384797d5ca0748ec469a0c2bf3 |
| SHA1 | 2357776a8f0762df3bf3b338ff06e15cbae0e38f |
| SHA256 | b368ed64388a9d621859119a77d08122c366df54fb96dc850e06da25470fe351 |
| SHA512 | 866500eeb9a39ee3191d0b95f2baf353b341168aa73804a10a20215c1f1fb7ce620f3ca9424bde7288b85d764cdd1282807da46071a4535f51eb36dda5876f7a |
C:\Windows\Temp\{74F6B4B3-3348-4780-988B-D6C3545657F6}\.cr\dotnet-sdk-6.0.405-win-x64.exe
| MD5 | 21b927a31564d5334f1b4f63c50f5c3e |
| SHA1 | ae31618a84feb0f7df08a5a0a5259541eda0f5ac |
| SHA256 | 8db1fa39a941807d4108fcf1ef716b69591b512db9f11ab0fba76ed863ce04d2 |
| SHA512 | e26e62f159aba42589813defd2f02950181e2500246fb756142d01f242cf85b680217ae8804e43f7e0063da1e1634740b92a1b5f32e538a9f4175c2f260630c3 |
C:\Windows\Temp\{74F6B4B3-3348-4780-988B-D6C3545657F6}\.cr\dotnet-sdk-6.0.405-win-x64.exe
| MD5 | 90efbc4f55a9b9aad3cfaa06cb18a29a |
| SHA1 | 4329a81043869419ce52d5ff8ed637bf16f2857c |
| SHA256 | 5e47dcd5f06e6e6d3f48adcaeabeb71ee9d5708e6f7fa309c1792ece163f7023 |
| SHA512 | 081902f9b5bc3b5882b8ae2c4ff68c22d6fc5efa4ef1165a13f5adc26087c4dc3d0b5cae2f1bbf0e02efad4e3a82fa48ffde4d6f496c67abeea2e03cf3e74a8b |
\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\.ba\wixstdba.dll
| MD5 | 4356ee50f0b1a878e270614780ddf095 |
| SHA1 | b5c0915f023b2e4ed3e122322abc40c4437909af |
| SHA256 | 41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104 |
| SHA512 | b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691 |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\.ba\bg.png
| MD5 | 9eb0320dfbf2bd541e6a55c01ddc9f20 |
| SHA1 | eb282a66d29594346531b1ff886d455e1dcd6d99 |
| SHA256 | 9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79 |
| SHA512 | 9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\.be\dotnet-sdk-6.0.413-win-x86.exe
| MD5 | c829733fccac1d023514b6a56647d461 |
| SHA1 | eae92bb4711c6d9e1e19ebe79b3afc2de7dfabec |
| SHA256 | fec2580479532e2a36b75e9e4d14835be00e1fb65f43166ee4b4660aae13f2bc |
| SHA512 | dd7f1299ba1db1c3ada0110dc75e91d5b68731fae7261b6c06f330354653e1ca1e8dde2150d34843b76c4066d2328fbac18f0b9ba989446c29c86ac38f507706 |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\windowsdesktop_targeting_pack_6.0.21_win_x86.msi
| MD5 | 11d6c02dbbc89d3c06781a401417bd0c |
| SHA1 | 447a63505dd844a7e2ed5dc52482ca122a15cad3 |
| SHA256 | ecce41cbd7f089b2e84f50391e730f634bb31aa4faf3e3c9c913a52a6a85f525 |
| SHA512 | 1c9e172e5da67a9673024caa2a64f3c430a5be7e8c6da017af2d2cb356a05453d84ca2351efaf69fb132e5dc7f7292c94421c3d896be7054f96be2f455c6cddf |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_runtime_6.0.21_win_x86.msi
| MD5 | 4ae810529271732ce23f010065d0a2b4 |
| SHA1 | 807c3e3a2c4aaf4ad902d1a71211f696a57f18ad |
| SHA256 | 88ad6791ce8c47223164cbb34d525ea4ec30396916906475745a17013ed3c7f6 |
| SHA512 | ee933862e71db0f0fede25626378bd2dee319e9ff07216b2604b8c03a7d34ace79de4bdb06db6d69d9035f2d5d70112e49abb2f39b9143d940385d0789476248 |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\Finalizer
| MD5 | 1ec0ef0eb7860f069bda682b0e74df8d |
| SHA1 | 12ffab75565303e970e27218efeeb364b3ecdd18 |
| SHA256 | 2f6948e63b4c8e4493b32dedcaad3d871bd86940e160435bb794fb9be12e2001 |
| SHA512 | 9964a24217aaf610f1bcd85ef246d9f361313090e1acddc5eaee7b2e241fc441b2ddcdb305e3cbc5591a0c6566856291ff549aab1e09c8b7acf45482df1cb71b |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\AspNetCoreSharedFramework_x86
| MD5 | 837378fedd9087818fbe1e34a44b2f63 |
| SHA1 | f21d29f3825935d4686030f3a18a4792bb059870 |
| SHA256 | ff5d43836df20367c93dd76c42191527d5bd7e022d1661b68a324cf3ca86ad1a |
| SHA512 | c8f0f3c8820f9266eccfc627fac1f291fa9cbc3f4fb2852cca649d356649d3e1d7f512b23909283126d8f0d6eee0767a2d24e24a82c9e2bf9d681ee9a6d31b43 |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_targeting_pack_6.0.21_win_x86.msi
| MD5 | 27e783d6d8727f717b83204ed02388b7 |
| SHA1 | 56e0d3577a3888629919c72e2356d7f1945ee0ea |
| SHA256 | fafff57eaa7b0b817bf7df6e597c7dbb2a933cdffb091dc2d6d2f2eb1bb19c9a |
| SHA512 | 108094fda94403adb2c65f1dedd32501fc2008411792fcb8c85ccab7bbb06ee61cc54bed42a2aca8c7070188e1ccabc0c7054baeb1becae848d9fbc5b349cd44 |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_host_6.0.21_win_x86.msi
| MD5 | 7962d70e6e862a1c0c895249f3e898f2 |
| SHA1 | dbbf1b409d4ef0e2272bbb6b66ddc6028842e207 |
| SHA256 | c2724c3f3379558168faabe9c835d140bbce8eb4ee7b376ae1f6fb214e683155 |
| SHA512 | 89a8a816888c5ebfe7a8d19a620c762e884bdc354f2897e87bfae472c1e12537bb04204ffd4954cb86bb699dbf2fcf3f7b3e182de328a10a6e0c323734b30101 |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_apphost_pack_6.0.21_win_x86.msi
| MD5 | 02bceaf1e8e984cf96538e9ed1e7c32e |
| SHA1 | 981c74c27a3192aff308614225a35f206881c32d |
| SHA256 | bec33f4963730d97fbf799e497fd3003154f8548c397d720bfc721c8e1f60888 |
| SHA512 | 768abe808f9e997806afb81ddb94e705bbd36472090d37fbe3f8027f4b144c711a2f01b0e4b9d0a42656efac5e9b921c735ad97201fd17a2afbf6b0b73fbf498 |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_apphost_pack_6.0.21_win_x86_arm.msi
| MD5 | 79e598f855ba34faf22af6c30eabb1a3 |
| SHA1 | 9e4926da5014809e7f821c2d4779cbd47b973510 |
| SHA256 | 51e0b5199d7cde0584c20befae2bd48444cd3eec1dfaf372b26633c400a2c254 |
| SHA512 | 442caef79d5df29dd0ddefe6eb891a073f019742dc44bf6d4d08beab79ca3f20ef1b3cb5e235a0c75d2accc2e87f37d547ee6d08e3c296e40803c2d909f6298b |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_apphost_pack_6.0.21_win_x86_arm64.msi
| MD5 | 6a284a25f91369516637a6e40271644d |
| SHA1 | e5f487864098f1124c66083dd97a5e7832126522 |
| SHA256 | e0e38524a41e01e4986b1886a64fdb57ff1c4b8193a53c24e5e57d0a359f1c28 |
| SHA512 | d48a7081dfead76d175f9e5f30ab52eff65f2f75fa26f12f1a93f1599b8efb3bd302fb1821de1ed494aec4e7b8678b9ba1c238faa8b5e175a38d6f18eb5773ee |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_apphost_pack_6.0.21_win_x86_x64.msi
| MD5 | 9491ebd4c04097691613188b3d21b928 |
| SHA1 | 5136da2fa97a25cb3d4f30ce33d3c3447e92d2dc |
| SHA256 | 8b6bf74d99d80494d2b0e656c91e51126e35e14bc0065817e4e75e1cec9a6c56 |
| SHA512 | b22dfaf2f937a9de66ff3dc7d56b5e7fab0679fb64b50a91fc334938a38e9dc87c35d2a02281580f15b4d386f953b80d750d9432d9746c30b7f07f40f3f3ae37 |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_hostfxr_6.0.21_win_x86.msi
| MD5 | e92a19cba6efc356b1c51fb9e53cc1ee |
| SHA1 | 6f475b4278c0963a9b69efc47abc8896b0c20208 |
| SHA256 | 504f09f5815c51b04d7c83d904604aabd70b8678b9fd1fe886288060af5ceef6 |
| SHA512 | cf3b3d79f8785b144ce7d2ac7552a1c2fc7f070445adc8d3e4e7793e99a48e288042548f421bc600595e9d3c99c3def8afdb0010adb6e510edbd6d0df23cf807 |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\windowsdesktop_runtime_6.0.21_win_x86.msi
| MD5 | 7cbf8309bb6f5390c3857e96fe95510e |
| SHA1 | 160b612bad5da367b3cdf22892a4dc57928ee804 |
| SHA256 | ee9bb3f12fb98a7c67e329541679fd3cfbb725f0b97d9bf488cef33c8a07056a |
| SHA512 | d0021d1bedf60fa7fa475c4b3ad101132e860c458760a6cc37e43a202dd55aa189ec1c979013488e0c874dea703aca12f42f69a82ba844052809c9102235e252 |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_60templates_6.0.413_servicing.23367.26_win_x86.msi
| MD5 | b6dbee782949b991e22f216efe56475a |
| SHA1 | a313e95e724554338293c6d44954b0c2a3cf8a63 |
| SHA256 | b7bfbab92c43a3116983ab5ec463a895e35b67386e9408360d947393adeb81a0 |
| SHA512 | 9c9fb07e458cf85ceaf7a6203136dd98b491db5bbe5496d69d334bcf5054e481f251c6fd83fc196df9b79fa906c71ad9d12d4265f3d35a0646b4c4d096883aeb |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\netstandard_targeting_pack_2.1.0_win_x86.msi
| MD5 | 1efaf25a241ebb22082bb327590d0975 |
| SHA1 | 0af235a15257eb55d19e0fe635df5ffde02ecbf9 |
| SHA256 | 194aff09b53c8f18ac8410c43dc63f678729906a39ea45efc5e1f538701c8031 |
| SHA512 | c68b3295e854fb800c0d065bb044b640309e48bfa1a3ffefb459761e40ca9cefe115db09688a9309eb699ab616f837a4c69f839517d1538c33259fa38f5c7204 |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\Microsoft.NET.Sdk.Maui.Manifest_6.0.300.6.0.312_x86.msi
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
These four values are the digests of a zero-byte file (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA-256 e3b0c442...), so this MSI was captured before the extractor had written any content to it; re-hash it from a later snapshot before using it as an indicator.
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\Microsoft.NET.Workload.Mono.ToolChain.Manifest_6.0.300.6.0.5_x86.msi
| MD5 | 1155dd7272a534dd403520299023a012 |
| SHA1 | e5eb9fd3d8ba6855b8dc346b1a9f4ff981f5493a |
| SHA256 | fe7be499cb7cbb90c117ad16403f6a71b8c4a036d2b1e6aba237a1220e7a31f0 |
| SHA512 | 07381caf6a1bdff9cc45b86da9a2895fe2b91ac6c3d00305cccd283f0bff2c669b51231d128887399402426787d7d5c3d4537c65ee2327a00a985125b43a579a |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\Microsoft.NET.Sdk.tvOS.Manifest_6.0.300.15.4.303_x86.msi
| MD5 | 838989470eade37ee5a7674f582f494e |
| SHA1 | 80bda03eff3f223cd50b6f747a19edd1e047ebfd |
| SHA256 | 71d07c2a35b4cff43e46989c21c1a682a016c2ff9d5cafbac911e061868bab05 |
| SHA512 | 92c5850eec4d9d06678e23f2f1e926873a797dbd74472992c238e3b6b7184812581f594406c5b070fc4ccde1d01ed1cd3aa4d51a106a2f803602a4cec332da36 |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\Microsoft.NET.Sdk.macOS.Manifest_6.0.300.12.3.303_x86.msi
| MD5 | 537d4cd0bac3d41f9b736eea6fd8e055 |
| SHA1 | 4496ec4490cb5e840bbd3a9345c024b926f861d4 |
| SHA256 | eda4b2f6d762342df60709866fbf107a6c86feda0795fd3c2624e9b8b550df68 |
| SHA512 | b147950b3ecb204035cd300f8d2efe4e185852b4513d2017c40fc227b1943a46c1ac1a32ab46b551d0729184950e0ea6fe7606c0a6b2031b88faa21dd0b88733 |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\Microsoft.NET.Sdk.MacCatalyst.Manifest_6.0.300.15.4.303_x86.msi
| MD5 | a5979d34f92f39d27a21d8163583862e |
| SHA1 | 1203352b2c68f873648a3ebbad6b83cbe00a0822 |
| SHA256 | 9f9a931214de020a6be34633bf9f5e22d616ad7aaa10563144cdf8189c4bb17e |
| SHA512 | b0cfa77b9f207ed25e8dc17e7922b3b5f6eb419f3a393eb7505a6a9800fdb6a8eda568efcaa7c89d6cf52af024277158242f59563ce0396280c90a2c0dc57feb |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\AspNetCoreSharedFramework_x86
| MD5 | bfd60e4899f9da0979c941250d1a39a6 |
| SHA1 | 94a9046c2d1c82f7b2f8b3dc13733eaed19a9052 |
| SHA256 | d835610f44f988da5e778092cb67dcf3f4e99939cd64cf4d8f03495aec90017f |
| SHA512 | 2c110f8fefa2368b0cf82d68bdefafe6b22d62eac6175e84a50c7c96937b984392b13d7d193c7cfeabf229e3ec738c193f8d370fe665dc82584d0f091868ccec |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\Microsoft.NET.Sdk.iOS.Manifest_6.0.300.15.4.303_x86.msi
| MD5 | 4a484398b36dc8963ffb67f766e03762 |
| SHA1 | fbc28848efc8a689a314989d18de9535b9a98834 |
| SHA256 | b71d62cf90dca091ad3a114725e6610bedd21bcae33bb44dd028430f0dcbe2e1 |
| SHA512 | 3ac43f404a9da83d86f782a15cb16c1867125720b574e26cf79e5bfe929d94f42a6923135d4691160a3af5a0914b070d28589844ac3669015b218da4ebe9b20c |
C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_SDK_6.0.413_(x86)_20240222181333_000_dotnet_runtime_6.0.21_win_x86.msi.log
| MD5 | 9d109ed7ca215b329f5ee5d5d7a54faa |
| SHA1 | e009721b8c737b7cbad56c40cbdca7d5ac560261 |
| SHA256 | 1a1043b4d9cf41f18e54d4e5f3e78dc9ec86da638d4aed503ded3493b3326c2c |
| SHA512 | b8f58b439df5bce5ed45f9b3f5a17aed28eca8169c76b0acb5cf957a9b818a6b79fc887ba402fa6d7209adc59b84f99bcafbf2723bb4b20f6c5ed7871232adf2 |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\Microsoft.NET.Sdk.Android.Manifest_6.0.300.32.0.301_x86.msi
| MD5 | f89935184c813d483df9900090d44b29 |
| SHA1 | c44654235a8b77c7f0aef4ad3fc9b18548861d70 |
| SHA256 | d8bdc2cb852f490f88f6a4e0d037727ed7b8ff93473f2d2902f5117aeb4a814b |
| SHA512 | 618f7b7c53eff3a1981ada3ef9082ed72f97ae1cac4816d831439091d39c340527e740c03f0cd7e0ed46ad65aec824e7e4285546f4b4e078e6625a4828c9e988 |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\dotnet_sdk_internal_6.0.413_win_x86.msi
| MD5 | 5557f878e383c3a2e15e7c1f100b04dc |
| SHA1 | 12f208e29ac67679839a91e4fcaf5272547d0585 |
| SHA256 | 30151111dc5d6a477ba5184fa733843d80cc387a0e2fa4525baff83f1ca21a1b |
| SHA512 | f69fcf505c612d67e79bd064351780c2f2c36b3979bfb8551723541b753e5e590e809bd121298cf93abe9e2d88e070ee86ba0cad273850f38a3dfbec8f4973a3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5b46b533e597f6c546254d386e087096 |
| SHA1 | 9ab64f29ed592a4a81a7e7218950ea9758fbc059 |
| SHA256 | c33d79cfc5401d6ffd5f8eb55c957d28b5db6ab79c4d7a5b405ba6c36312c940 |
| SHA512 | 3ffff408fcd5bce22536bd094473d82346216eb491edd20ffd5de0a707ccc02fb4ea97a25141523217d0534e18552f28c57e4e97a4a28e6d052237ac37179e2b |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\aspnetcore_targeting_pack_6.0.21_servicing.23364.38_win_x86.msi
| MD5 | c98f9004ee5f2edd79d44b5b832a912f |
| SHA1 | 1fa26d5bfbdfebd83684aba4dc89f451eaadb02a |
| SHA256 | 4c2de39415b2f2bff47c179a985fb54ea97a9f816cc8f95b3a59abac3d875ce9 |
| SHA512 | d1e517b6c4b6b60586d9025fd300d35b0b879d72be5dd3dee9d3884cef9cc502381a36c60b70b2673a9773a1ea13e7476d23eb9c33c62f9c18743e41d6bd18bb |
C:\Windows\Temp\{EA182E3A-E634-4740-8F25-A00D9654E830}\windowsdesktop_targeting_pack_6.0.21_win_x86.msi
| MD5 | 08365d12500d2cc334778d2972ffaddd |
| SHA1 | a5c2a093019be9eaa3efb5f9c37f83b63d502196 |
| SHA256 | 20c74ab102820bacd3f6a3ec6fa1b972063df3347a28dfabd451c3ce07736227 |
| SHA512 | 2a89442dd7a06fcea985b032a4ad862819579067e28db79aae3382b1393ae608b041dce2fd3edf3a94570219d0aab943db678c951602ab7bb39d96366d0def11 |
C:\Windows\Installer\f786ea0.msi
| MD5 | 3761aaad9124eb5f67d7f2f578804f1f |
| SHA1 | 51d9a0f7d1079cbd4f9609c1df6bd3e55155891a |
| SHA256 | 47026c325a71d5a3ec300eaeac59678c7814852375b052e3f1c78db490e13a3d |
| SHA512 | cf19f410da3cc7cf76979ad4bb266dfd7a0f01cd79a407c3865e0ec421be33e6503da6048b235b5841f8eeeea44274a952b2b25e69bc92ec9ec04c90d08c5d6f |
C:\Config.Msi\f786e9f.rbs
| MD5 | 10fc7bf80afb651f0da3b5281bc05894 |
| SHA1 | cd5b4af957e8823ba9ae403be1b95e7ff487854d |
| SHA256 | d435c03f8b11a435f2c41ad5191ad4ff14306807baf79b2cd451443c7d2d601e |
| SHA512 | 12d43e0519011bd468167bae0c5943a6611b2e0978e77df98d394ded6d84735dfd64ba5daa04e63626178a7fc71433f23d1f323a853804f2e65bb0b1daf8d0e2 |
\Windows\Installer\MSI7F16.tmp
| MD5 | fbc9f717b1b642e20b9be87ab006a74f |
| SHA1 | f0ee0595b5ef58ff26c9f8ab3162d32786ad16b3 |
| SHA256 | ec7b8b484679e648cfae140f153613fadf5c36eb97f524f2e8001b8ac83775cd |
| SHA512 | dba0c517c974fbac7257e4f0ff5eb23e91b380cf47af748c814631271efc446af949f83d9d517925fbd571529787f122f6d56a541ce61c665ed9ea9138c65106 |
C:\Windows\Installer\MSI7F16.tmp
| MD5 | beb7eb2acc845e6de562805ac9323d19 |
| SHA1 | 6d0923496fe3e144978b7cb27b157e77202e7841 |
| SHA256 | b2195a6ec525b33d04c6e99ffc5f163a1ed880cbdb3e44a120504c48a7433348 |
| SHA512 | bee5655a0dedcecff1c059649cca772b87a6449ef0be526617cc14db1b82e434e065bb2d98b2090768472c890c337249e7d622ee918595ee9e697721b3cc1f0e |
C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_SDK_6.0.413_(x86)_20240222181333_001_dotnet_hostfxr_6.0.21_win_x86.msi.log
| MD5 | 6dbef3c5b4215e547f8bc7e82188a627 |
| SHA1 | 4211d869a50aa237d49246f2f18c638fd685666c |
| SHA256 | 5571d54bd93699067d68bd62c8f813d64f02d48b362c3b86fe04c28ebed15b8b |
| SHA512 | be5f4e481d85902d751805e0c41e32aaf75d7243196b79a96c03ee89fc364260a804cb53cb98ec078a3f1a9893089884ec013b62a24dd71fef21f002ef2f43be |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d4eefdb1f0dac1495fccb110c64fbe4b |
| SHA1 | 27f9a1d1ce5068006f7b018d8971b6762a3b42a4 |
| SHA256 | 91afd902690d50401eb6bfc21fbd2ccf41c9661a29e7f2e45b4ad9c2924b13ee |
| SHA512 | 50cb7c703a122fc58462f947d797b2d448f4444883f458cf59fcecc22da7420bff5d7665b91b793b1b24ea86144c6255f00f8a5c618098ec5accc2787b23fcd3 |
C:\Config.Msi\f786ea5.rbs
| MD5 | dd4d5563a4df8996c2c87027e5e6d88b |
| SHA1 | 4280c49751a1d13f6d68887548bd561c7118474b |
| SHA256 | 033d49adcdfa175fac80f07b51eecbd8e31fcba00c4509c96633d1b0ecf3a109 |
| SHA512 | 1000fb487719a8c09a2403c9f6d1914ced89ad5d93721907dacff7d2836cec4d14ed948a026a9a70fdc0030e5261bf648f80d7bab13b32bbb761fc3a8bde6c6e |
\Windows\Installer\MSI84A8.tmp
| MD5 | d711da8a6487aea301e05003f327879f |
| SHA1 | 548d3779ed3ab7309328f174bfb18d7768d27747 |
| SHA256 | 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283 |
| SHA512 | c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681 |
C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_SDK_6.0.413_(x86)_20240222181333_002_dotnet_host_6.0.21_win_x86.msi.log
| MD5 | aae2fc82ec42a7724a462ce2ad885cea |
| SHA1 | 6764a3584ef963a769c81965bc5e7f25e371a79f |
| SHA256 | c1cfc712f9e7c85f26ca5901e5c86b177d5f88cc6ae025054c8e530ada4dd102 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-22 18:08
Reported
2024-02-22 18:14
Platform
win10v2004-20240221-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{c649ede4-f16a-4486-a117-dcc2f2a35165} = "\"C:\\ProgramData\\Package Cache\\{c649ede4-f16a-4486-a117-dcc2f2a35165}\\VC_redist.x64.exe\" /burn.runonce" | C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value not captured] | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Version = "14.38.33135.0" | C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135" | C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Dependents\{c649ede4-f16a-4486-a117-dcc2f2a35165} | C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Dependents | C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle | C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\ = "{c649ede4-f16a-4486-a117-dcc2f2a35165}" | C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"
C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe
"vc_redist.x64.exe" /install /quiet /norestart
C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe
"C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /install /quiet /norestart
C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe
"C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{472BD820-B034-4B98-8F6C-C966D0298679} {57C6BF00-3285-4967-BF72-F091D99D4408} 3860
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3860 -ip 3860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 1236
C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe
"dotnet-sdk-6.0.405-win-x64.exe" /install /quiet
Network
Files