Malware Analysis Report

2025-03-14 23:07

Sample ID 240406-3z1srafe24
Target windowsdesktop-runtime-7.0.0-win-x64.exe
SHA256 126da8120849613fd9c88b37256486b37fd100158846bc05e651dd053634ecfe
Tags: discovery, persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 126da8120849613fd9c88b37256486b37fd100158846bc05e651dd053634ecfe

Threat Level: Shows suspicious behavior

The file windowsdesktop-runtime-7.0.0-win-x64.exe was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery, persistence

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Blocklisted process makes network request

Enumerates connected drives

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 23:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 23:57
Reported: 2024-04-07 00:00
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.0-win-x64.exe"

Signatures

Adds Run key to start application [persistence]

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{01b47e23-4226-4094-9c19-400f12efee57} = "\"C:\\ProgramData\\Package Cache\\{01b47e23-4226-4094-9c19-400f12efee57}\\windowsdesktop-runtime-7.0.0-win-x64.exe\" /burn.runonce" | C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A

Checks installed software on the system [discovery]

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30 | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30 | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\31 | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F | C:\Windows\system32\msiexec.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A (repeated 15 times, alternating with the next row)
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A (repeated 15 times)

All 24 single-privilege rows come from the elevated Burn engine (the .be copy, launched with -burn.elevated), which enables a broad set of privileges in its elevated token, among them SeDebugPrivilege, SeTcbPrivilege and SeLoadDriverPrivilege; the msiexec.exe rows are the Windows Installer service repeatedly enabling SeRestorePrivilege and SeTakeOwnershipPrivilege, which it needs to write files and ACLs regardless of their current permissions. The signature records privileges being enabled, not used: an elevated installer enabling them is expected, and the triage question is whether the binary doing so is the signed bootstrapper it claims to be, which the hashes in the Files section and an Authenticode check of the dropped .cr and .be copies answer.

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

The only process tripping this signature is vlc.exe, which appears nowhere in the sample's process chain (2476 -> 2808 -> 2464 and the msiexec.exe tree in the WriteProcessMemory table) and was started with --started-from-file on a file on the user's Desktop, the pattern of the sandbox's simulated user activity. Attribute the hook to the media player, not to the installer.

Suspicious use of WriteProcessMemory

Description Rows Indicator Process Target
PID 2476 wrote to memory of 2808 7 N/A C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.0-win-x64.exe C:\Windows\Temp\{FD18CCEF-673C-4849-88C5-FD8DD630703A}\.cr\windowsdesktop-runtime-7.0.0-win-x64.exe
PID 2808 wrote to memory of 2464 7 N/A C:\Windows\Temp\{FD18CCEF-673C-4849-88C5-FD8DD630703A}\.cr\windowsdesktop-runtime-7.0.0-win-x64.exe C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe
PID 2280 wrote to memory of 2896 7 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2280 wrote to memory of 1128 7 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2280 wrote to memory of 2532 7 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2280 wrote to memory of 1508 7 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Read as edges, these rows are the process tree. 2476, the bundle as launched from the user's Temp directory, creates 2808, its clean-room copy (-burn.clean.room); 2808 creates 2464, the elevated engine (-burn.elevated, with 2808 passed as the parent PID on its command line); and 2280, msiexec.exe /V, which is the Windows Installer service process rather than a child of the bundle, creates four 32-bit MsiExec.exe -Embedding custom-action hosts, matching the four MSIs listed under Files. The identical seven-write sequence for every parent/child pair is what process creation looks like when the sandbox hooks memory writes: CreateProcess writes the new process's startup parameters into its address space before it runs. No process writes into one it did not create, so the signature documents the tree rather than injection into a foreign process.
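The table above can be turned back into a process tree mechanically. The following Python is an added example, not part of the report or of the sandbox's tooling. It parses rows in the report's "PID X wrote to memory of Y" form (the rows are copied from the table above with the seven identical lines per pair collapsed to a repeat count, a constructed input), counts writes per parent/child pair, finds the roots, and applies one simple heuristic: flagging writes from a non-system image into a system32/syswow64 image, which is the shape injection into a system process would take and which this sample never shows. The whitespace-based row parser assumes image paths without spaces, as in this report.

```python
"""Rebuild the process tree encoded by a sandbox "Suspicious use of WriteProcessMemory" table.

Added example, not part of the original report.  Each table row reads
"PID <writer> wrote to memory of <target> N/A <writer image> <target image>".
A parent writing into a child it has just created yields one row per startup
write, so counting rows per (writer, target) pair and reading the pairs as
edges recovers the tree.  SAMPLE_TABLE is constructed from the report's rows
with each run of identical rows collapsed to a repeat count.
"""
import re
from collections import Counter, defaultdict

# Image paths in this report contain no spaces, so whitespace splitting is
# enough (assumption for this example; "C:\Program Files\..." paths would not parse).
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

_ROWS = [  # (repeat count, row text) copied from the report's table
    (7, r"PID 2476 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.0-win-x64.exe C:\Windows\Temp\{FD18CCEF-673C-4849-88C5-FD8DD630703A}\.cr\windowsdesktop-runtime-7.0.0-win-x64.exe"),
    (7, r"PID 2808 wrote to memory of 2464 N/A C:\Windows\Temp\{FD18CCEF-673C-4849-88C5-FD8DD630703A}\.cr\windowsdesktop-runtime-7.0.0-win-x64.exe C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe"),
    (7, r"PID 2280 wrote to memory of 2896 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe"),
    (7, r"PID 2280 wrote to memory of 1128 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe"),
    (7, r"PID 2280 wrote to memory of 2532 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe"),
    (7, r"PID 2280 wrote to memory of 1508 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe"),
]
SAMPLE_TABLE = "\n".join(line for count, line in _ROWS for _ in range(count))


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image, target_image) per matching row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def build_tree(events):
    """Collapse events into per-edge write counts and a pid -> image map."""
    edges, images = Counter(), {}
    for writer, target, w_img, t_img in events:
        edges[(writer, target)] += 1
        images.setdefault(writer, w_img)
        images.setdefault(target, t_img)
    return edges, images


def roots(edges):
    """PIDs that write to others but are never written to."""
    return {w for w, _ in edges} - {t for _, t in edges}


def descendants(edges, pid):
    """Every PID reachable from pid along write edges."""
    children = defaultdict(set)
    for w, t in edges:
        children[w].add(t)
    seen, stack = set(), [pid]
    while stack:
        for child in children[stack.pop()] - seen:
            seen.add(child)
            stack.append(child)
    return seen


def render(edges, images):
    """Indented text tree, one process per line, annotated with writes from its parent."""
    children = defaultdict(list)
    for (w, t), n in sorted(edges.items()):
        children[w].append((t, n))
    lines = []

    def walk(pid, depth, n):
        lines.append("  " * depth + f"{pid} {images[pid]}" + (f" ({n} writes)" if n else ""))
        for child, m in children[pid]:
            walk(child, depth + 1, m)

    for root in sorted(roots(edges)):
        walk(root, 0, 0)
    return "\n".join(lines)


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def cross_boundary_writes(edges, images):
    """Heuristic injection check: a non-system image writing into a system32/syswow64 image.

    Installer process creation never looks like this (both ends are the bundle's own
    copies, or both are msiexec); hollowing or injecting into explorer/svchost would.
    """
    def is_sys(img):
        return img.lower().startswith(SYSTEM_DIRS)
    return sorted((w, t) for (w, t) in edges if is_sys(images[t]) and not is_sys(images[w]))


if __name__ == "__main__":
    edges, images = build_tree(parse_rows(SAMPLE_TABLE))
    print(render(edges, images))
    print("cross-boundary writes:", cross_boundary_writes(edges, images))
```

Run on the report's rows, the tree has two roots, 2280 (the installer service) and 2476 (the bundle), and the heuristic returns nothing; a sample that injects into explorer.exe or svchost.exe would surface as a (writer, target) pair with the writer outside C:\Windows\system32.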

Processes

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.0-win-x64.exe

"C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.0-win-x64.exe"

C:\Windows\Temp\{FD18CCEF-673C-4849-88C5-FD8DD630703A}\.cr\windowsdesktop-runtime-7.0.0-win-x64.exe

"C:\Windows\Temp\{FD18CCEF-673C-4849-88C5-FD8DD630703A}\.cr\windowsdesktop-runtime-7.0.0-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.0-win-x64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188

C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe

"C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.be\windowsdesktop-runtime-7.0.0-win-x64.exe" -q -burn.elevated BurnPipe.{08B8FA41-4A0C-4287-B097-7C756572C5C6} {09CF128B-4190-477F-A19A-43C6A7A87D14} 2808

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\DenyApprove.snd"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 89AA85A374E985DBD427F32759FC8118

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 1CA05FF3F846810357C08CA71786A94B

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding B19F12AFC41BFCAD781D51F4EDD047C0

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 890EC4D081385EC715A453719698D9C5

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:80 www.microsoft.com tcp

Files

\Windows\Temp\{FD18CCEF-673C-4849-88C5-FD8DD630703A}\.cr\windowsdesktop-runtime-7.0.0-win-x64.exe

MD5 2f3c0c475e5482f29856b4581cc0aec0
SHA1 0993859b58412d869d3698fe5d71efb401466901
SHA256 21629bb67fc580f38b2a139489e347ba53674b08cf6d16052a832396ed1a1ca4
SHA512 2d6bbbbf7322a04f729edcfc2831e5b78a5f3b89590476f4a439ee5f4e47ff0efeaaaf02a678b0c78824c218d12ed4f83c5f7ba43b61bb6a5395dbba8b31aee9

\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.ba\wixstdba.dll

MD5 4356ee50f0b1a878e270614780ddf095
SHA1 b5c0915f023b2e4ed3e122322abc40c4437909af
SHA256 41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104
SHA512 b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\.ba\bg.png

MD5 9eb0320dfbf2bd541e6a55c01ddc9f20
SHA1 eb282a66d29594346531b1ff886d455e1dcd6d99
SHA256 9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA512 9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\dotnet_runtime_7.0.0_win_x64.msi

MD5 77498d5e68f267c27e6a2bfaca11a8ef
SHA1 3eeb8d2d1ee86fa0bd5f765ae788e39b491c4071
SHA256 8a3daaecf1087077c10399d0f68864eb64b3819782eabbe966f9973673663383
SHA512 45ff9f076091e4d9b85cc886116d43162330a936ee01b400e18d2dc154e71afca6765e0f5c88f1ff050f58d97813b6f1ec64c762e5e2670176efa7b2c845e71a

C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\dotnet_hostfxr_7.0.0_win_x64.msi

MD5 8da84e8ad0de2574b6f90cb2d2825ddc
SHA1 76d6b066c5e6d00fefbcade716b8c7516a57022b
SHA256 aec5f0329b10a8fa95f8eb31e1f6882a2ef70d577a122f56afe3ce7ced3c3118
SHA512 1a1192eb5c6c71e50cfcd9fd2a069122467edacf180fb3f5a63b1710f8ab1b3876312769fa45c7c1cb19ad6136c3096fae45cc2250f7ca9b0d9e8f38539c28b6

C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\windowsdesktop_runtime_7.0.0_win_x64.msi

MD5 2a796e7a948889112732f1828b5f3809
SHA1 33929b4e50ad658ab34bb1319c6c7295a950bc5c
SHA256 a7d03200b5f9bdb5c94dd9e538c241d58bce42c3a0870bb2f22630bc9c108edf
SHA512 84c97519d7bd62820ed6f9c04ef15757149acaeaf0e68ec0df7649a7eb7c2f9c96966fe0ea389a0761bebfa07b91eb017def6624b2a8cdd9dd2e935ddd1164ba

C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\dotnet_host_7.0.0_win_x64.msi

MD5 e273ccc016d4df27cb4c3a27c88e7579
SHA1 fadb51933a85c83a6beb66120ca70edc30e565be
SHA256 21739522837cde0571faa19ff3ca2c5fc150d52dc02d18b2d03c4d6afe074bc7
SHA512 35f7b9adb7fa1ee89670b8aa06be6ec2853b7feafcdf6a769656b4204be72eb4da1c40af0eec2f0d4875139149e10fb91cbcdaa2223aea80d286af4a1e4fb5db

C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.0_(x64)_20240406235819_000_dotnet_runtime_7.0.0_win_x64.msi.log

MD5 891a39bbe06aecdc69d3403f0abe43c2
SHA1 b681526264776a77bf7dcccf76077d89fb0c440a
SHA256 74b20734fcbe7c33897e79e7ffe29cb451eff2d9f44aa5d2081d5ce750e1b2c8
SHA512 b019361c558ae6574bdd072b25e38004d5a9a1e99d8f16b7571de7bb50d7feb8fbdfecba626580e423762918588abb6a9dde3c3e554ca1ec0dd6a5f0b8cc1b8c

C:\Users\Admin\AppData\Local\Temp\Tar3EE9.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\Cab3ED6.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar40A8.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Config.Msi\f763e3c.rbs

MD5 1e16b12d84628ac66355bd00100cb26d
SHA1 06443950863c65b0f5d4ec2e94621e8c17f139e9
SHA256 cd973e1bcd82bc9ec1ed3cd2b4fe506120e19722db9284c3a1ad0ab28c90cf68
SHA512 4201914b57b785d1f87b4cace4fad8bb681937571206c657dfc7e5b4c31f2f8194a8e377ef078c925ed00c1a7c0665a842350b52392afc202fd45e1181a619ae

C:\Windows\Installer\MSI45DE.tmp

MD5 d711da8a6487aea301e05003f327879f
SHA1 548d3779ed3ab7309328f174bfb18d7768d27747
SHA256 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283
SHA512 c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.0_(x64)_20240406235819_001_dotnet_hostfxr_7.0.0_win_x64.msi.log

MD5 0c346d45ce0ca7da0dcb7296abebb9f8
SHA1 11f3520fa33627c1bec45dcac416676b068efa06
SHA256 2b2f978e292d6d31e9d62bd706863718de16e6f38563ff6c2a99234d7ab14e9d
SHA512 6a8b502021f27c232880d35ddc9b53498793b5ae25885be6973067f7efadb64adf7900c28ed11d39afb0746b54ed7e70d105efbafb117b241725e5436c220b21

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fa3a53e88b43d893cde9d0a782d94aa5
SHA1 d3b27692181bd06550351dcc3010709f6ad51c25
SHA256 baa11940104581dbf15645000645cd00ad431395a8fcaf4ca503edc2ca29a0e3
SHA512 11fbbd344834d12b08cbc7bd911d07aceea95e41963d9616a79999b4511270624a42ff888c8c4b9d8d3b4b4b955ca1c4e06a55c399cbaabb6fefb444f793d014

C:\Config.Msi\f763e42.rbs

MD5 8e4848943f63f46b200de882db6cdc47
SHA1 4b4190168fb67b7d71b810f651836d0d787d9c60
SHA256 aff0de141a406bfb5a26557d53b031e9fb18db23247a655b3cfd81a8e9cee3bc
SHA512 160d3654d6beaa2f4234fb52c87f046cc74170f9538d5b4ca90077f56be60415b85eb28faad38882ee2efae9c29d01b7701e2b819fa7895e579dd5237f2f3f3e

C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.0_(x64)_20240406235819_002_dotnet_host_7.0.0_win_x64.msi.log

MD5 6759c4ddf45e5430ccfc0ce1e76739b1
SHA1 449cb7dc49b869d993455c4a5f728b319b727622
SHA256 d8cd5f98e1bd40b464c4999bf0c1efbef84f31312c8ca489873954997b227b3b
SHA512 09a8950b62c0df1759118c021a18e3a2d1fc41b501e2306562f9b03593cb23995f96c3508074a76d7c0cb9f36e9df34dd10af6850dc9aeacb322da1303d6c2ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b0d4af4442d9073869e7053f1106f09
SHA1 9f1faaef1b85e71dfd804f52b2c15a6c66a179f8
SHA256 dc7307ac76f770f5f76ea221bcc360ab2ea405b14c5c0189698cd0fb3c3dfa83
SHA512 c5f4cdf1d9a38c91fe7ce00b63c44ec61825d4267153d2625568cbe2a2de5e7856d2a487a37aad8792d66e4ccdedcb737edb9e26240587bdc941a4b3f4b0c9f3

\Program Files\dotnet\dotnet.exe

MD5 f9b1c36a62559891c4b11c5c1cc8442d
SHA1 6e4a9c2238962d5ce436a3eda959cb046ba60f57
SHA256 9cac930d5319c3844e7b0a171d9b215e00fb631492ca22b12fa202b95d8f1d1f
SHA512 35a69a6b4b5c790b8d281277fd7cdb7daa872ff9f85a784b68cb5b3c2d9d72f9c18ffcd56e8fca2004b5df2e19892a3825d5fb2956fb1410ea704e767d1e83ac

C:\Program Files\dotnet\ThirdPartyNotices.txt

MD5 481ad608d2c3b3a5a0a3a529f2b2569e
SHA1 e271613b837d2cda290808af2bbd104a8c104a10
SHA256 29aec309fa6f036be931222385612088a3d98aa07ac2356243028a3072d0ce86
SHA512 93dde6782e14ac259b8655a89b31f7efe6990f27bc560f90200f3c967645d20fc54510e8fb0346732ea54707728a7075c9b566a936e76586c50681de65c83afb

C:\Program Files\dotnet\LICENSE.txt

MD5 31c5a77b3c57c8c2e82b9541b00bcd5a
SHA1 153d4bc14e3a2c1485006f1752e797ca8684d06d
SHA256 7f6839a61ce892b79c6549e2dc5a81fdbd240a0b260f8881216b45b7fda8b45d
SHA512 ad33e3c0c3b060ad44c5b1b712c991b2d7042f6a60dc691c014d977c922a7e3a783ba9bade1a34de853c271fde1fb75bc2c47869acd863a40be3a6c6d754c0a6

C:\Config.Msi\f763e48.rbs

MD5 ef0ae87cac6ecdc9136edbfe8e38e784
SHA1 c84d9c38145c548b02b7b0a146235718c497f0db
SHA256 d3a7aef4265edd944048a7d32902a666383b5e0e24d544197576211df64311b4
SHA512 fe479169f120ce442f5896533a70dea27f82f75100e0ea9d3322cea629edd7e8af3f74e403ec4552e17f213fcd453e303b7757ebcdba15016f291b5a044f1224

C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.0_(x64)_20240406235819_003_windowsdesktop_runtime_7.0.0_win_x64.msi.log

MD5 3c8659f19ae4aafd971fd6c7d3c14318
SHA1 b80184fa1b067b75cc3436e54d1ff2fa81f360e3
SHA256 46c2c349675db5e1cbf138402fe3d2d0efaefc6561a233aefda09edca5c6b8b6
SHA512 58dc4ab57dda16a669a798e83d6acbcf13ed900380060f651dd0f0a86c630571d47f3fbd46122988bfd6b1714d48b66143396305e4858cad1717041aa3ee0549

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 adecc1083c79b39106e8f99c8aaf3cb3
SHA1 6e4acd104f3fb63253b8e0048cc2f50db2b1ef81
SHA256 0c404b2744ccd39a752f9925b19176135ebe8856352f936eefecf1817fd3a324
SHA512 0e920b7e18c2207ee2785ed869811787c43071e46bf67c1926e5226e8b5be263b0e9509928849b773cfc4f9451949ecff7b0b70aff82886a92bfcdc2c45f81f3

C:\Config.Msi\f763e4e.rbs

MD5 4409115fdf93d4fceecb4a43dd2c7277
SHA1 78b43512979aafb091be38fda9acc469bcfa28e6
SHA256 c354ed57196aefd60bd55a470eb3568bee01b7c7abd1b6d893a654f4edc2654a
SHA512 ca5647fff3eb1eb099fd2c0878866b49c5489a02d828244076254e663347810028db946adbfb6d75b62dbef3cfeb4333abe67ee3fd66a4ea75a8ac610c763784

memory/1740-1034-0x000000013F990000-0x000000013FA88000-memory.dmp

memory/1740-1035-0x000007FEF8640000-0x000007FEF8674000-memory.dmp

memory/1740-1036-0x000007FEF6590000-0x000007FEF6844000-memory.dmp

memory/1740-1037-0x000007FEF52E0000-0x000007FEF638B000-memory.dmp

memory/1740-1069-0x000007FEF4710000-0x000007FEF4822000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:57

Reported

2024-04-07 00:00

Platform

win10v2004-20231215-en

Max time kernel

139s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.0-win-x64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.0-win-x64.exe

"C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.0-win-x64.exe"

C:\Windows\Temp\{CDBA06F8-AA8B-43CE-973F-8764A4EF16F5}\.cr\windowsdesktop-runtime-7.0.0-win-x64.exe

"C:\Windows\Temp\{CDBA06F8-AA8B-43CE-973F-8764A4EF16F5}\.cr\windowsdesktop-runtime-7.0.0-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-7.0.0-win-x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=556

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Windows\Temp\{CDBA06F8-AA8B-43CE-973F-8764A4EF16F5}\.cr\windowsdesktop-runtime-7.0.0-win-x64.exe

MD5 2f3c0c475e5482f29856b4581cc0aec0
SHA1 0993859b58412d869d3698fe5d71efb401466901
SHA256 21629bb67fc580f38b2a139489e347ba53674b08cf6d16052a832396ed1a1ca4
SHA512 2d6bbbbf7322a04f729edcfc2831e5b78a5f3b89590476f4a439ee5f4e47ff0efeaaaf02a678b0c78824c218d12ed4f83c5f7ba43b61bb6a5395dbba8b31aee9

C:\Windows\Temp\{1D5B8C3E-F32F-49A7-B430-3506A64145AE}\.ba\wixstdba.dll

MD5 4356ee50f0b1a878e270614780ddf095
SHA1 b5c0915f023b2e4ed3e122322abc40c4437909af
SHA256 41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104
SHA512 b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

C:\Windows\Temp\{1D5B8C3E-F32F-49A7-B430-3506A64145AE}\.ba\bg.png

MD5 9eb0320dfbf2bd541e6a55c01ddc9f20
SHA1 eb282a66d29594346531b1ff886d455e1dcd6d99
SHA256 9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA512 9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d
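The Files sections of both runs above are flat lists of path and digest lines. The following Python is an added example, not part of the report. It parses a constructed excerpt (seven entries copied from the behavioral1 and behavioral2 Files sections, with the blank line between each path and its hashes dropped) into records and runs the checks a triage analyst wants from such a list: that every digest has the right length for its algorithm, which paths were rewritten with different content during one run (the CryptnetUrlCache MetaData file appears three times with three different hashes), and whether the same dropped file hashed identically across both runs once the drive letter and the per-run GUID directory names are normalized away (the clean-room copy of the bundle does). The run labels and the GUID normalization are choices made here, not part of the report.

```python
"""Parse the report's Files sections into hash records and run two triage checks.

Added example, not part of the original report.  SAMPLE_FILES is a constructed
excerpt: seven entries copied from the behavioral1 and behavioral2 Files
sections (path line followed by hash lines), with the report's blank line
between path and hashes dropped.  Run labels are added here.
"""
import re
from collections import defaultdict

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

SAMPLE_FILES = {
    "behavioral1": r"""
\Windows\Temp\{FD18CCEF-673C-4849-88C5-FD8DD630703A}\.cr\windowsdesktop-runtime-7.0.0-win-x64.exe
MD5 2f3c0c475e5482f29856b4581cc0aec0
SHA256 21629bb67fc580f38b2a139489e347ba53674b08cf6d16052a832396ed1a1ca4
SHA512 2d6bbbbf7322a04f729edcfc2831e5b78a5f3b89590476f4a439ee5f4e47ff0efeaaaf02a678b0c78824c218d12ed4f83c5f7ba43b61bb6a5395dbba8b31aee9

C:\Windows\Temp\{DF5D2445-F04A-48BC-92A4-41D0F5753A97}\dotnet_runtime_7.0.0_win_x64.msi
MD5 77498d5e68f267c27e6a2bfaca11a8ef
SHA256 8a3daaecf1087077c10399d0f68864eb64b3819782eabbe966f9973673663383

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 fa3a53e88b43d893cde9d0a782d94aa5
SHA256 baa11940104581dbf15645000645cd00ad431395a8fcaf4ca503edc2ca29a0e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 6b0d4af4442d9073869e7053f1106f09
SHA256 dc7307ac76f770f5f76ea221bcc360ab2ea405b14c5c0189698cd0fb3c3dfa83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 adecc1083c79b39106e8f99c8aaf3cb3
SHA256 0c404b2744ccd39a752f9925b19176135ebe8856352f936eefecf1817fd3a324
""",
    "behavioral2": r"""
C:\Windows\Temp\{CDBA06F8-AA8B-43CE-973F-8764A4EF16F5}\.cr\windowsdesktop-runtime-7.0.0-win-x64.exe
MD5 2f3c0c475e5482f29856b4581cc0aec0
SHA256 21629bb67fc580f38b2a139489e347ba53674b08cf6d16052a832396ed1a1ca4

C:\Windows\Temp\{1D5B8C3E-F32F-49A7-B430-3506A64145AE}\.ba\wixstdba.dll
MD5 4356ee50f0b1a878e270614780ddf095
SHA256 41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104
""",
}


def parse_files(text, run):
    """One record per path line: {"run", "path", "hashes": {alg: lowercase hex}}."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
        else:  # anything that is not a hash line starts a new entry
            current = {"run": run, "path": line, "hashes": {}}
            records.append(current)
    return records


def invalid_digests(records):
    """(run, path, alg) for any digest whose hex length is wrong for its algorithm."""
    return [(r["run"], r["path"], alg) for r in records
            for alg, h in r["hashes"].items() if len(h) != DIGEST_LEN[alg]]


def rewritten_paths(records):
    """Paths recorded more than once in the same run with different SHA256."""
    seen = defaultdict(set)
    for r in records:
        if "SHA256" in r["hashes"]:
            seen[(r["run"], r["path"])].add(r["hashes"]["SHA256"])
    return sorted((run, path, len(s)) for (run, path), s in seen.items() if len(s) > 1)


def normalize_path(path):
    """Drop the drive letter and per-run GUID directory names so runs can be compared."""
    return GUID_RE.sub("{GUID}", re.sub(r"^[A-Za-z]:", "", path))


def cross_run_mismatches(records):
    """Normalized paths present in more than one run whose SHA256 values disagree."""
    by_path = defaultdict(lambda: defaultdict(set))
    for r in records:
        if "SHA256" in r["hashes"]:
            by_path[normalize_path(r["path"])][r["run"]].add(r["hashes"]["SHA256"])
    return sorted(p for p, runs in by_path.items()
                  if len(runs) > 1 and len(set().union(*runs.values())) > 1)


def load_sample():
    return [rec for run, text in SAMPLE_FILES.items() for rec in parse_files(text, run)]


if __name__ == "__main__":
    recs = load_sample()
    print(len(recs), "entries; bad digests:", invalid_digests(recs))
    print("rewritten within a run:", rewritten_paths(recs))
    print("cross-run mismatches:", cross_run_mismatches(recs))
```

The rewritten-path check separates a cache file the OS legitimately updates (here, the CryptnetUrlCache metadata touched during certificate revocation lookups) from a payload being swapped under the same name, and the cross-run check catches bundles whose extracted payload differs between detonations; for this sample both runs extract a clean-room copy with the same SHA256.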