9f8b24e8aac298f23a8107de9accf0b93ce40f6693db9c04c5150cc0d0d9e9a6

Analysis

max time kernel
36s
max time network
38s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
19/06/2024, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NovaLauncher.Setup.msi
Size

1.1MB
MD5

d8a40f33ef51db60bb05e949699f7cb8
SHA1

b0aa5ba523ecd9f9068f2a06e5e915bca5876d1c
SHA256

9f8b24e8aac298f23a8107de9accf0b93ce40f6693db9c04c5150cc0d0d9e9a6
SHA512

3a84bf26b650c82185a43f9d3188639aae502cfb774bf2e98eefdc2dd0ab6fa3dac037476c86981b16adfbd5a27787a0873c408bde9d255eea01686d01bf2f4a
SSDEEP

24576:BUsBz3qR6icXzWWeapbdefCrp4jQ3za3i1Ape6W:BUsBzdbjprVdefCr9DaIAY7

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	3476	msiexec.exe
3	3476	msiexec.exe
4	3476	msiexec.exe
5	3476	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Project Nova\Nova Launcher\Nova.ico	msiexec.exe
File created	C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF1633CF1CA4085745.TMP	msiexec.exe
File created	C:\Windows\Installer\e578985.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A4E.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC2ECF76B1A8B1155.TMP	msiexec.exe
File created	C:\Windows\Installer\e578983.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e578983.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF5D3CBA0CA5C0AD35.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{16B1F98E-DE67-4CB1-B652-D088A591ACAB}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF82697252339B7D51.TMP	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
3916	NovaLauncher.Web.exe

Loads dropped DLL 1 IoCs

pid	Process
3916	NovaLauncher.Web.exe

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

pid	Process
3476	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000cb92cce0afe2208d0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000cb92cce00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900cb92cce0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dcb92cce0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000cb92cce000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633132659082262"	chrome.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1772	msiexec.exe
1772	msiexec.exe
3916	NovaLauncher.Web.exe
1236	msedgewebview2.exe
1236	msedgewebview2.exe
2520	chrome.exe
2520	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2416	msedgewebview2.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3476	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3476	msiexec.exe
Token: SeSecurityPrivilege	1772	msiexec.exe
Token: SeCreateTokenPrivilege	3476	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3476	msiexec.exe
Token: SeLockMemoryPrivilege	3476	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3476	msiexec.exe
Token: SeMachineAccountPrivilege	3476	msiexec.exe
Token: SeTcbPrivilege	3476	msiexec.exe
Token: SeSecurityPrivilege	3476	msiexec.exe
Token: SeTakeOwnershipPrivilege	3476	msiexec.exe
Token: SeLoadDriverPrivilege	3476	msiexec.exe
Token: SeSystemProfilePrivilege	3476	msiexec.exe
Token: SeSystemtimePrivilege	3476	msiexec.exe
Token: SeProfSingleProcessPrivilege	3476	msiexec.exe
Token: SeIncBasePriorityPrivilege	3476	msiexec.exe
Token: SeCreatePagefilePrivilege	3476	msiexec.exe
Token: SeCreatePermanentPrivilege	3476	msiexec.exe
Token: SeBackupPrivilege	3476	msiexec.exe
Token: SeRestorePrivilege	3476	msiexec.exe
Token: SeShutdownPrivilege	3476	msiexec.exe
Token: SeDebugPrivilege	3476	msiexec.exe
Token: SeAuditPrivilege	3476	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3476	msiexec.exe
Token: SeChangeNotifyPrivilege	3476	msiexec.exe
Token: SeRemoteShutdownPrivilege	3476	msiexec.exe
Token: SeUndockPrivilege	3476	msiexec.exe
Token: SeSyncAgentPrivilege	3476	msiexec.exe
Token: SeEnableDelegationPrivilege	3476	msiexec.exe
Token: SeManageVolumePrivilege	3476	msiexec.exe
Token: SeImpersonatePrivilege	3476	msiexec.exe
Token: SeCreateGlobalPrivilege	3476	msiexec.exe
Token: SeBackupPrivilege	2824	vssvc.exe
Token: SeRestorePrivilege	2824	vssvc.exe
Token: SeAuditPrivilege	2824	vssvc.exe
Token: SeBackupPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe
Token: SeTakeOwnershipPrivilege	1772	msiexec.exe
Token: SeRestorePrivilege	1772	msiexec.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
3476	msiexec.exe
3476	msiexec.exe
2416	msedgewebview2.exe
2416	msedgewebview2.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe
2520	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2844	1772	msiexec.exe	87
PID 1772 wrote to memory of 2844	1772	msiexec.exe	87
PID 3916 wrote to memory of 2416	3916	NovaLauncher.Web.exe	91
PID 3916 wrote to memory of 2416	3916	NovaLauncher.Web.exe	91
PID 2416 wrote to memory of 4644	2416	msedgewebview2.exe	92
PID 2416 wrote to memory of 4644	2416	msedgewebview2.exe	92
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1828	2416	msedgewebview2.exe	93
PID 2416 wrote to memory of 1236	2416	msedgewebview2.exe	94
PID 2416 wrote to memory of 1236	2416	msedgewebview2.exe	94
PID 2416 wrote to memory of 4704	2416	msedgewebview2.exe	96
PID 2416 wrote to memory of 4704	2416	msedgewebview2.exe	96
PID 2416 wrote to memory of 4704	2416	msedgewebview2.exe	96
PID 2416 wrote to memory of 4704	2416	msedgewebview2.exe	96
PID 2416 wrote to memory of 4704	2416	msedgewebview2.exe	96
PID 2416 wrote to memory of 4704	2416	msedgewebview2.exe	96
PID 2416 wrote to memory of 4704	2416	msedgewebview2.exe	96
PID 2416 wrote to memory of 4704	2416	msedgewebview2.exe	96
PID 2416 wrote to memory of 4704	2416	msedgewebview2.exe	96
PID 2416 wrote to memory of 4704	2416	msedgewebview2.exe	96
PID 2416 wrote to memory of 4704	2416	msedgewebview2.exe	96
PID 2416 wrote to memory of 4704	2416	msedgewebview2.exe	96
PID 2416 wrote to memory of 4704	2416	msedgewebview2.exe	96
PID 2416 wrote to memory of 4704	2416	msedgewebview2.exe	96
PID 2416 wrote to memory of 4704	2416	msedgewebview2.exe	96
PID 2416 wrote to memory of 4704	2416	msedgewebview2.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NovaLauncher.Setup.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3476

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe
"C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=NovaLauncher.Web.exe --webview-exe-version=1.0.0+6e86c826bbb6642fc5d13a1cff424b521bb68036 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --disable-popup-blocking --enable-features=msWebView2EnableDraggableRegions --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=3916.3692.9131234339663685048
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0xbc,0x7ffd58053cb8,0x7ffd58053cc8,0x7ffd58053cd8
    3⤵
    PID:4644
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1868,838548250520787467,2484092256843166738,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware,msWebView2EnableDraggableRegions --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView" --webview-exe-name=NovaLauncher.Web.exe --webview-exe-version=1.0.0+6e86c826bbb6642fc5d13a1cff424b521bb68036 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
    3⤵
    PID:1828
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,838548250520787467,2484092256843166738,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware,msWebView2EnableDraggableRegions --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView" --webview-exe-name=NovaLauncher.Web.exe --webview-exe-version=1.0.0+6e86c826bbb6642fc5d13a1cff424b521bb68036 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2228 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1236
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,838548250520787467,2484092256843166738,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware,msWebView2EnableDraggableRegions --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView" --webview-exe-name=NovaLauncher.Web.exe --webview-exe-version=1.0.0+6e86c826bbb6642fc5d13a1cff424b521bb68036 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --mojo-platform-channel-handle=2476 /prefetch:8
    3⤵
    PID:4704
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1868,838548250520787467,2484092256843166738,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware,msWebView2EnableDraggableRegions --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView" --webview-exe-name=NovaLauncher.Web.exe --webview-exe-version=1.0.0+6e86c826bbb6642fc5d13a1cff424b521bb68036 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
    3⤵
    PID:4848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd5cf2ab58,0x7ffd5cf2ab68,0x7ffd5cf2ab78
  2⤵
  PID:480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1552 --field-trial-handle=1936,i,5875690346947806968,18044683556250783535,131072 /prefetch:2
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1936,i,5875690346947806968,18044683556250783535,131072 /prefetch:8
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1936,i,5875690346947806968,18044683556250783535,131072 /prefetch:8
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1936,i,5875690346947806968,18044683556250783535,131072 /prefetch:1
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3228 --field-trial-handle=1936,i,5875690346947806968,18044683556250783535,131072 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4208 --field-trial-handle=1936,i,5875690346947806968,18044683556250783535,131072 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4404 --field-trial-handle=1936,i,5875690346947806968,18044683556250783535,131072 /prefetch:8
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=1936,i,5875690346947806968,18044683556250783535,131072 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1936,i,5875690346947806968,18044683556250783535,131072 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4984 --field-trial-handle=1936,i,5875690346947806968,18044683556250783535,131072 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1936,i,5875690346947806968,18044683556250783535,131072 /prefetch:8
  2⤵
  PID:4568

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e578984.rbs

Filesize
9KB

MD5
0df7f0098456dcd3eec3837dfc3781b6

SHA1
b763b63b539444de3bb232550321684ea4e0b340

SHA256
03302667fa79b1c3a0e4c23e3d891b8f9c7d27712b0f98a2e2bcb6ee2299ab40

SHA512
8d33c4ebbaf61e6b80164053f639283e71402d5a73d396c598f5f8331a96bfe11c9e4b7733f59022369f0659df0b00cb0f5bb0d284e9e3ca5281339ec1501d6a

Download Submit
C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe

Filesize
2.3MB

MD5
6d2aa1f9688c40b71f28933584314416

SHA1
da2aba1dd556ef9dad14d60a9563d08b188e8c2c

SHA256
8b93641b24de65fa855f619cb1302a960aef917dedbccefafc49c59e8988b57e

SHA512
86a19de023816180785b9cacb1a86f5ed28e4b172a6de9580064a8185730cd5b0a803f34127ced58e75ffb338b4bc29a21604b11cd313ad9aae58fabf506d50e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\248DDD9FCF61002E219645695E3FFC98_8161B15032C07B64978FB2EBA40D052B

Filesize
727B

MD5
025d1fe7479fe577572a5965714fbbdf

SHA1
40627c0570c65687307e248e7838300ff18b63e7

SHA256
425150b001e65faf94761e1d3f0846794cdfb0b91939dc791291a320c1860854

SHA512
f647115ff60204977d6c72ea1697470041df3231b10305f16d0f944b5336f03dcad089325ed826624601f15f75c75eafe3d06df2df9546a220767229c38c454d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
727B

MD5
7a3b8457313a521e0d44f91765a4e041

SHA1
4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

SHA256
2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

SHA512
7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\248DDD9FCF61002E219645695E3FFC98_8161B15032C07B64978FB2EBA40D052B

Filesize
478B

MD5
24db2e14d1f62b28589e5c9655a43bbd

SHA1
73d8ed8895b45f20d93eed0e568168ec59f15260

SHA256
c6b8fbd155f068e68bc5a9b3f832e5b7d9fe0ed36f7de01e47ac82e6bcf3942d

SHA512
69291624c1b4cb74865f0aad68200fa5a5a30d718d8e979c8a0d1858149db16b44252e811d6d6268408d5628c02c83ff18fa570aeb0b534482799eddf33ddc95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
478B

MD5
fd6a3d51afabe831525f759d15beb809

SHA1
0fa076265b2e2b8f17cad7903da9a1c74f4498e0

SHA256
1f8590268caeb8dfa3a968cd5f99798ebe6d09f72d209f56bb508e5597b21abd

SHA512
8e14ef919e30b8c353167ff86bc5d72a5608d05f06d33c4979f3c188bf7ac775c35f657f012afe4afc4fcb53a07a38b89e3acdc6ed31b3083419393970546e5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8d1dc905a80221152eedbf862afc167f

SHA1
3c1c38ae14aae5a5c8cb49be0f34f1326695898e

SHA256
b30fb43b6c0ad41d4416656d206296ff94c9bf306f538fc3024d2847e9b464d9

SHA512
f57be9f9d3d18cf73a17d4c8dc8a75b0d55426c2a1227df047c5e7898c24568c113e6cbf0d09e2a0d1da03e76aa0141b61709999e8145d8a827c64b61f48d7c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b2e2505781a9f70a66a29848094b4e69

SHA1
61aebe1fd9567f3d51a6ae2b6e5040bc174c650d

SHA256
a08b8df1e3e533348865557bb33cb2ec9e3d396cc8164139a16bf9e301453b3c

SHA512
b510beb0100b08fca75194435e0f9971b4ae932b176161f18003dededec740ea9bb2428df75cd50f1fffe7d0c3e96748fb126979cd290d26c22cdbb03537381b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
67b6c168b280713b2ee3944632632497

SHA1
e411c35c29c9d87547613b919445f24ed2ea687a

SHA256
4d624683563ee2e02ab2de6455b496e9b37c6ac5080b6f465ebe68459590d48b

SHA512
2b9737f450ae85fe8c54da987fbaf157fb63d0659d9456988e808bd2fe03c0d601f2d4497dfaa73af4aa7d07ee448c22774aa8bc78814acb3a5642b4f0d5a36a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
94e10561ae4f66518c0f98b54f60982d

SHA1
7d201f8ee96945319a711e1a61296f031cbddd2e

SHA256
374d550b14e82b4b1b136abcecc4d908852b507140e48c77af5c7401ab0e57e0

SHA512
a8b482042388848e24bcbdb775b5e020ff2fd42a246776d46c100fbc5a9031bcede08fa6df63f955aebacf63cc70e1c54369abc033c04a444741ad9c20765185

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
ff648fbea67a01c85d41ad143537d475

SHA1
0e7697c8d06dc60baa1808fa48c52a8ee91a6184

SHA256
4c5e8359c99d8f8f270b60493be3ac4c916c4aac6119e8b6c722866ec840f367

SHA512
68f89eb9e23eb64c8baea25fb476d05ce890c96671cb0553230ffa78095b55ebb3e564b4a99840574044d340348a5efaffe13f5b5b29b94073c9a705c8720bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\NovaLauncher.Web\KJuV0o1i1QitGYwpsUJnSf0ozoxPP9c=\WebView2Loader.dll

Filesize
161KB

MD5
07579378c574edba2e841aaf1f794c58

SHA1
d5009a0628dc0db94a3ca36ea5610fd13cdca386

SHA256
9c4c7d07b221496bd728e192aef30b0eb0005eee54fa10842a5b6e53c2af973f

SHA512
5552a12797e82978bc01e55d25f5be7d74e1151c8f57b6ac437b9587beaefa5ed3d7496b30d1fd714e0549d1accf5bde43208a353dbcf859447ed4b5264bc3f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView\2a3896b2-8610-4ed3-94b5-a083a261d5bd.tmp

Filesize
8KB

MD5
66b294efddf50c0689047cef6ca725b9

SHA1
cb36dc24151bc672d7d9c8da7942a95113585e2b

SHA256
a087a114bd043a6f852007a7c6d4d394060e9e60f0e11aaf32d8a1ec254f82e4

SHA512
fcd8c408c87ad299e37ccfe793f43d7a503fe248678ee1e44bf6ae69368a0cd6e97d6e8ebca1ba4cd9c616262b8354642890a1626214a53da6fda9c36d9d30c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
ce07b36f068238ba8b1dfd039d9ef079

SHA1
e6c7d48a0f144401ea0970185966507c1ecb0726

SHA256
51ea445167576d71d8ec4f3d3d2203aa448a9ef83588c322bf44bf21a68f25d4

SHA512
520d1c7b3f24fb621a348f98864d7cdfe2d2b91cca67102dcf070ac1f5f38a4972ea4c2bf8381d8f74659611deff8f65a1ce7a735c8bf79b9457790a873af0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
0655859042e4af2740434e1a443088d9

SHA1
40ac6e4d71c919a0af741a91ba149f6f799dc23f

SHA256
03c4b2064fc66293eb7f69f1bb4c4f34da17bfb93911d5652ce42e49c6cc5f85

SHA512
2bd5b5327323972d02f991fbab970209b04d1d1d631a43e2fa7d1f5757e33cac0b3a41cfb191a81b85c33fe5ff1e0f8da87f2f5bd31a6c21d5d014f9cefb8e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
202a11ae299bc517074efe82bf6e056c

SHA1
902796966a53fd32de053c210648cc5396cae0c7

SHA256
bf73ab0dd9d0d17fe612c03d57abbaae78f1d3e5b9901c85a4eaca50fecff76b

SHA512
b57ce94ce958e7fc052a6ff511346678b6091648a579f63d9f49bfb67c464e7720a9ad4a5bf01f775fcc1d63506185decc43402fa942947b17c6969815aae5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpo1pnov.4x0\EBWebView\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{16B1F98E-DE67-4CB1-B652-D088A591ACAB}\_AAA580228CD97746965190.exe

Filesize
4KB

MD5
3772bc572222ee4b4536e308d41b00a0

SHA1
278ed102dc1ca22ab912f95a5be5c801ae475e10

SHA256
a93caaaab2d4d9560a8acf5c9622f55ae31500bd1c173c658bb8f88c52b56834

SHA512
f88b488a8312f2e2452ddacdbac8b0e509d182163506b282607c6869cd2545111c8d53b480443d1081e39dc742b38539fbb124a6e32cad15380f17f7b72fdca6

Download Submit
C:\Windows\Installer\e578983.msi

Filesize
1.1MB

MD5
d8a40f33ef51db60bb05e949699f7cb8

SHA1
b0aa5ba523ecd9f9068f2a06e5e915bca5876d1c

SHA256
9f8b24e8aac298f23a8107de9accf0b93ce40f6693db9c04c5150cc0d0d9e9a6

SHA512
3a84bf26b650c82185a43f9d3188639aae502cfb774bf2e98eefdc2dd0ab6fa3dac037476c86981b16adfbd5a27787a0873c408bde9d255eea01686d01bf2f4a

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
5750134309b98f766ba23868590a7f35

SHA1
baf3e9f860f03d541576194f2f7913916b87c326

SHA256
3796c4d26888480c20f2d8a669902979e8925bceb2c74e35cea049a78cb278e3

SHA512
2030f29955924188b1c9de797f70746bd5bf48bec8e43ff77ddc582cf6abd54e5813970e261480adb9496b6a07aa061552c89ba6ce876be38b7ae3074c061545

Download Submit
\??\Volume{e0cc92cb-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{64135805-b6f5-40ea-9bd5-dae52c9627e3}_OnDiskSnapshotProp

Filesize
6KB

MD5
2bbda54972d93f8d2ca872d9e0e348f4

SHA1
092a8f40ddc3b78370bbaeda48a670c4a6ed76e1

SHA256
241081bbffb1c9db7646269b22d390154a6130a5cf1f609efc9e3fd283e1621a

SHA512
8bae4bb4e9db7b6703dae64ab3aebe06f738497bcf2a0024fc18a158d6e84081ebb12479e8899fa6acf537b90152ff9bb6e338824bb9eeacd11576b69d74d92d

Download Submit
memory/1828-68-0x00007FFD7DC60000-0x00007FFD7DC61000-memory.dmp

Filesize
4KB

Download