Analysis
max time kernel: 85s
max time network: 99s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 12/08/2024, 11:32
Static task: static1
Behavioral task: behavioral1
  Sample: auto-creamapi.exe
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: auto-creamapi.exe
  Resource: win11-20240802-en
General
Target: auto-creamapi.exe
Size: 4.9MB
MD5: 2b4c2827a5e0afa08d55014d5d9f3976
SHA1: 6b182cda0dcb1511d0cf426eaa0126de2066af92
SHA256: 7f6e8ac3c2747443f91c0c2c7c7e3ca7335ba9090275b70619b5903316d537e0
SHA512: f168c3123f1bc7a5d11b09332be13c8371ad2ad3fa9a8811727505212123d73d0d150924a7aa1386475048e69516b1b266633760c5403417d572858bb09a87f7
SSDEEP: 98304:siR6LPHMssoiHhKbWiVbMqhVvu8o9pcLFwiS:siUzM0iHhWWiVbMOVvu8ovcLFwiS
Malware Config
Signatures
Downloads MZ/PE file
The downloaded PE is windowsdesktop-runtime-8.0.7-win-x64.exe: it first appears as a .partial file under Microsoft Edge's TempState\Downloads directory (see NTFS ADS below), then runs as pids 4864, 592 and 4376 (Executes dropped EXE), and the Edge DOMStorage entries for dotnet.microsoft.com (Modifies registry class) show where it was fetched from.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\International\Geo\Nation | auto-creamapi.exe
Executes dropped EXE (3 IoCs)
pid | process
4864 | windowsdesktop-runtime-8.0.7-win-x64.exe
592 | windowsdesktop-runtime-8.0.7-win-x64.exe
4376 | windowsdesktop-runtime-8.0.7-win-x64.exe

Loads dropped DLL (9 IoCs)
pid | process
592 | windowsdesktop-runtime-8.0.7-win-x64.exe
4208 | MsiExec.exe (2 IoCs)
1556 | MsiExec.exe (2 IoCs)
2536 | MsiExec.exe (2 IoCs)
200 | MsiExec.exe (2 IoCs)

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{754bcfb5-42ac-4c12-8f12-b818943a1365} = "\"C:\\ProgramData\\Package Cache\\{754bcfb5-42ac-4c12-8f12-b818943a1365}\\windowsdesktop-runtime-8.0.7-win-x64.exe\" /burn.runonce" | windowsdesktop-runtime-8.0.7-win-x64.exe
The value points into the WiX Burn Package Cache and passes /burn.runonce, the switch a Burn bundle uses to resume itself after a reboot. It is the .NET Desktop Runtime 8.0.7 installer's own resume entry, written by the installer process, not an autostart of the submitted sample; the thing to confirm on a real host is that the RunOnce value is gone once the install has finished.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) by msiexec.exe, one IoC per drive letter, in the order reported: \??\Z:, \??\E:, \??\O:, \??\R:, \??\Y:, \??\V:, \??\X:, \??\H:, \??\J:, \??\L:, \??\M:, \??\S:, \??\T:, \??\U:, \??\G:, \??\N:, \??\P:, \??\Q:, \??\W:, \??\A:, \??\B:, \??\I:, \??\K:
Drops file in Program Files directory (64 IoCs)
All 64 IoCs are "File created" by msiexec.exe; paths below are relative to C:\Program Files\dotnet\:
shared\Microsoft.WindowsDesktop.App\8.0.7\ko\System.Windows.Input.Manipulations.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\es\UIAutomationTypes.resources.dll
shared\Microsoft.NETCore.App\8.0.7\System.Numerics.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\PenImc_cor3.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\PresentationNative_cor3.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\zh-Hans\UIAutomationProvider.resources.dll
shared\Microsoft.NETCore.App\8.0.7\System.Data.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\cs\WindowsBase.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\es\WindowsFormsIntegration.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\ko\System.Windows.Controls.Ribbon.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\de\System.Windows.Forms.Design.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\fr\UIAutomationProvider.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\ja\UIAutomationTypes.resources.dll
shared\Microsoft.NETCore.App\8.0.7\System.IO.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\es\PresentationCore.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\pl\System.Windows.Input.Manipulations.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\de\WindowsBase.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\PresentationFramework-SystemXmlLinq.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\zh-Hant\PresentationFramework.resources.dll
shared\Microsoft.NETCore.App\8.0.7\System.Reflection.Extensions.dll
shared\Microsoft.NETCore.App\8.0.7\System.Runtime.Serialization.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\zh-Hant\PresentationUI.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\pt-BR\UIAutomationTypes.resources.dll
shared\Microsoft.NETCore.App\8.0.7\System.Diagnostics.FileVersionInfo.dll
shared\Microsoft.NETCore.App\8.0.7\System.Reflection.TypeExtensions.dll
shared\Microsoft.NETCore.App\8.0.7\System.Diagnostics.Process.dll
ThirdPartyNotices.txt
shared\Microsoft.WindowsDesktop.App\8.0.7\it\WindowsBase.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\PresentationFramework.Royale.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\it\ReachFramework.resources.dll
shared\Microsoft.NETCore.App\8.0.7\System.Reflection.Emit.ILGeneration.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\tr\System.Windows.Input.Manipulations.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\PresentationFramework.Aero2.dll
shared\Microsoft.NETCore.App\8.0.7\System.Threading.Tasks.dll
shared\Microsoft.NETCore.App\8.0.7\System.Diagnostics.Debug.dll
shared\Microsoft.NETCore.App\8.0.7\System.Security.SecureString.dll
shared\Microsoft.NETCore.App\8.0.7\System.Globalization.Calendars.dll
shared\Microsoft.NETCore.App\8.0.7\System.ComponentModel.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\ja\System.Windows.Controls.Ribbon.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\it\UIAutomationTypes.resources.dll
shared\Microsoft.NETCore.App\8.0.7\System.Threading.Timer.dll
shared\Microsoft.NETCore.App\8.0.7\System.Memory.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\it\System.Xaml.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\cs\System.Windows.Controls.Ribbon.resources.dll
shared\Microsoft.NETCore.App\8.0.7\System.Runtime.InteropServices.RuntimeInformation.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\PresentationFramework.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\cs\System.Windows.Forms.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\de\Microsoft.VisualBasic.Forms.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\cs\PresentationCore.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\ja\PresentationFramework.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\pl\WindowsFormsIntegration.resources.dll
shared\Microsoft.NETCore.App\8.0.7\System.Reflection.Metadata.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\tr\Microsoft.VisualBasic.Forms.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\tr\System.Xaml.resources.dll
shared\Microsoft.NETCore.App\8.0.7\System.IO.MemoryMappedFiles.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\PresentationFramework-SystemXml.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\ja\PresentationCore.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\it\System.Windows.Forms.Primitives.resources.dll
shared\Microsoft.WindowsDesktop.App\8.0.7\Microsoft.VisualBasic.Forms.dll
shared\Microsoft.NETCore.App\8.0.7\System.Configuration.dll
shared\Microsoft.NETCore.App\8.0.7\System.Web.HttpUtility.dll
shared\Microsoft.NETCore.App\8.0.7\System.ServiceProcess.dll
shared\Microsoft.NETCore.App\8.0.7\System.Xml.Serialization.dll
shared\Microsoft.NETCore.App\8.0.7\System.Net.Security.dll
Drops file in Windows directory (35 IoCs)
description | ioc | process
File opened for modification | C:\Windows\Installer\MSI430F.tmp | msiexec.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdge.exe
File opened for modification | C:\Windows\Installer\e582b22.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e582b27.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{E424D6A6-FA28-41E2-8356-B59519A84BB0} | msiexec.exe
File created | C:\Windows\Installer\e582b30.msi | msiexec.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\e582b31.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e582b31.msi | msiexec.exe
File created | C:\Windows\Installer\e582b22.msi | msiexec.exe
File created | C:\Windows\Installer\e582b26.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3AE7.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI39FC.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3B67.tmp | msiexec.exe
File created | C:\Windows\Installer\e582b2b.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3DCB.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI40CC.tmp | msiexec.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File opened for modification | C:\Windows\Installer\MSI2FB6.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{CA4FE2DB-2E1C-453B-B8C9-960AB929E5B4} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI315D.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI377A.tmp | msiexec.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\SourceHash{3E3E3302-0CAD-4D0D-B6C0-206B30773468} | msiexec.exe
File opened for modification | C:\Windows\Installer\e582b2c.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI499A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3CD0.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3EB8.tmp | msiexec.exe
File created | C:\Windows\Installer\e582b27.msi | msiexec.exe
File created | C:\Windows\Installer\e582b2c.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{F6FBF64F-D459-4F03-BF3B-C0A36A0596A2} | msiexec.exe
File created | C:\Windows\Installer\e582b35.msi | msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | windowsdesktop-runtime-8.0.7-win-x64.exe (3 IoCs)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe (4 IoCs)
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Both signatures above are attributed to WINWORD.EXE alone; none of the sample's own processes (auto-creamapi.exe, windowsdesktop-runtime-8.0.7-win-x64.exe, msiexec.exe) appear in them, so they say nothing about sandbox evasion by the sample.

description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Modifies data under HKEY_USERS (9 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1d | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1B | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1c | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1C | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1D | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E | msiexec.exe
Modifies registry class (64 IoCs)
Abbreviations used in this table: <USER_CLASSES> = \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes; <EDGE> = <USER_CLASSES>\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe; <INSTALLER> = \REGISTRY\MACHINE\SOFTWARE\Classes\Installer (the report writes this hive as both SOFTWARE and Software; registry key names are case-insensitive).
description | ioc | process
Key created | <EDGE>\MicrosoftEdge\IETld\LowMic | MicrosoftEdge.exe
Key created | <INSTALLER>\UpgradeCodes\2726AC6DF815FEC79DDE68DBD2C0BCC8 | msiexec.exe
Key created | <INSTALLER>\Features\6A6D424E82AF2E1438655B59918AB40B | msiexec.exe
Set value (int) | <INSTALLER>\Products\6A6D424E82AF2E1438655B59918AB40B\InstanceType = "0" | msiexec.exe
Set value (data) | <EDGE>\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3 | MicrosoftEdge.exe
Key created | <INSTALLER>\Dependencies\Dotnet_CLI_SharedHost_8.0_x64\Dependents\{754bcfb5-42ac-4c12-8f12-b818943a1365} | windowsdesktop-runtime-8.0.7-win-x64.exe
Set value (str) | <INSTALLER>\Products\F46FBF6F954D30F4FBB30C3AA650692A\PackageCode = "238ECF52223FAEC4BB89CDCABBBA8613" | msiexec.exe
Set value (int) | <EDGE>\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405" | MicrosoftEdge.exe
Key created | <EDGE>\Software\Microsoft | MicrosoftEdge.exe
Key created | <INSTALLER>\Dependencies\Dotnet_CLI_HostFxr_64.28.16731_x64 | msiexec.exe
Set value (str) | <INSTALLER>\Products\2033E3E3DAC0D0D46B0C02B603774386\SourceList\Media\1 = ";" | msiexec.exe
Key created | <INSTALLER>\Products\6A6D424E82AF2E1438655B59918AB40B | msiexec.exe
Set value (str) | <INSTALLER>\Products\6A6D424E82AF2E1438655B59918AB40B\SourceList\Media\1 = ";" | msiexec.exe
Key created | <INSTALLER>\Dependencies\windowsdesktop_runtime_64.28.16739_x64 | windowsdesktop-runtime-8.0.7-win-x64.exe
Key created | <EDGE>\MicrosoftEdge\DomainSuggestion\FileNames | MicrosoftEdge.exe
Key created | <EDGE>\MicrosoftEdge\HistoryJournalCertificate\CTLs | MicrosoftEdge.exe
Set value (int) | <EDGE>\Children\001\Internet Explorer\DOMStorage\Total\ = "0" | MicrosoftEdgeCP.exe
Set value (int) | <EDGE>\Children\001\Internet Explorer\DOMStorage\dotnet.microsoft.com\ = "134" | MicrosoftEdgeCP.exe
Key created | <EDGE>\Software\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdge.exe
Set value (str) | <INSTALLER>\Products\2033E3E3DAC0D0D46B0C02B603774386\SourceList\PackageName = "dotnet-hostfxr-8.0.7-win-x64.msi" | msiexec.exe
Key created | <EDGE>\MicrosoftEdge\Recovery\PendingRecovery | MicrosoftEdge.exe
Set value (int) | <EDGE>\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" | MicrosoftEdge.exe
Set value (int) | <EDGE>\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1" | MicrosoftEdge.exe
Set value (int) | <EDGE>\MicrosoftEdge\GPU\Wow64-VersionLow = "0" | MicrosoftEdge.exe
Key created | <EDGE>\Children\004\Internet Settings | MicrosoftEdgeCP.exe
Set value (int) | <EDGE>\Children\001\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdom = "0" | MicrosoftEdgeCP.exe
Set value (str) | <INSTALLER>\Features\6A6D424E82AF2E1438655B59918AB40B\Provider | msiexec.exe
Set value (int) | <INSTALLER>\Products\6A6D424E82AF2E1438655B59918AB40B\AuthorizedLUAApp = "0" | msiexec.exe
Key created | <EDGE>\MicrosoftEdge | MicrosoftEdge.exe
Set value (int) | <EDGE>\MicrosoftEdge\Recovery\Active\{6EA9E9A7-8FEA-455A-80E1-97DE179345AD} = "0" | MicrosoftEdge.exe
Set value (int) | <EDGE>\MicrosoftEdge\GPU\VersionHigh = "0" | MicrosoftEdge.exe
Set value (int) | <EDGE>\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" | MicrosoftEdge.exe
Key created | <INSTALLER>\Dependencies\{754bcfb5-42ac-4c12-8f12-b818943a1365} | windowsdesktop-runtime-8.0.7-win-x64.exe
Set value (str) | <INSTALLER>\Dependencies\dotnet_runtime_64.28.16731_x64\Version = "64.28.16731" | msiexec.exe
Key created | <INSTALLER>\UpgradeCodes\7659FB65568578265274E2D25E25C2DE | msiexec.exe
Set value (int) | <EDGE>\CIStatus\EnablementState = "1" | MicrosoftEdge.exe
Set value (str) | <INSTALLER>\Products\2033E3E3DAC0D0D46B0C02B603774386\ProductName = "Microsoft .NET Host FX Resolver - 8.0.7 (x64)" | msiexec.exe
Set value (str) | <INSTALLER>\Products\2033E3E3DAC0D0D46B0C02B603774386\PackageCode = "1F5619604FA27794DB6B2D219DBB620B" | msiexec.exe
Set value (int) | <EDGE>\MicrosoftEdge\GPU\Wow64-DeviceId = "0" | MicrosoftEdge.exe
Key created | <EDGE>\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdge.exe
Key created | <INSTALLER>\Products\BD2EF4ACC1E2B3548B9C69A09B925E4B\SourceList\Media | msiexec.exe
Key created | <INSTALLER>\Products\6A6D424E82AF2E1438655B59918AB40B\SourceList | msiexec.exe
Set value (int) | <EDGE>\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" | MicrosoftEdge.exe
Key created | <EDGE>\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions | MicrosoftEdge.exe
Key created | <EDGE>\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdge.exe
Key created | <INSTALLER>\Products\2033E3E3DAC0D0D46B0C02B603774386 | msiexec.exe
Set value (str) | <INSTALLER>\Products\F46FBF6F954D30F4FBB30C3AA650692A\SourceList\Media\1 = ";" | msiexec.exe
Key created | <EDGE>\MicrosoftEdge\FlipAhead\Meta | MicrosoftEdge.exe
Key created | <EDGE>\MicrosoftEdge\DummyPath | MicrosoftEdge.exe
Set value (int) | <EDGE>\MicrosoftEdge\GPU\VersionLow = "0" | MicrosoftEdge.exe
Key created | <EDGE>\Children\001\Internet Explorer\EdpDomStorage | MicrosoftEdgeCP.exe
Key created | <USER_CLASSES>\Local Settings\MrtCache | MicrosoftEdge.exe
Set value (str) | <INSTALLER>\Products\6A6D424E82AF2E1438655B59918AB40B\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{E424D6A6-FA28-41E2-8356-B59519A84BB0}v64.28.16731\\" | msiexec.exe
Set value (int) | <EDGE>\MicrosoftEdge\FlipAhead\FileVersion = "2016061511" | MicrosoftEdge.exe
Set value (data) | <EDGE>\MicrosoftEdge\FlipAhead\Meta\generator$Telligent | MicrosoftEdge.exe
Set value (int) | <EDGE>\Children\001\Internet Explorer\EdpDomStorage\microsoft.com\NumberOfSub = "0" | MicrosoftEdgeCP.exe
Key created | <EDGE>\Children\001\Internet Explorer\DOMStorage\Total | MicrosoftEdgeCP.exe
Set value (int) | <EDGE>\Children\001\Internet Explorer\DOMStorage\microsoft.com\Total = "124" | MicrosoftEdgeCP.exe
Set value (data) | <USER_CLASSES>\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{CEE2E40E-823C-49B9-8686-5C0DBF43F6 = 2c36426fabecda01 | browser_broker.exe
Set value (int) | <EDGE>\MicrosoftEdge\Rating\Rating Prompt Shown = "0" | MicrosoftEdge.exe
Key created | <INSTALLER>\Dependencies\windowsdesktop_runtime_64.28.16739_x64\Dependents | windowsdesktop-runtime-8.0.7-win-x64.exe
Key created | <EDGE>\MicrosoftEdge\BrowserEmulation\LowMic | MicrosoftEdge.exe
Key created | <EDGE>\Children\001\CIStatus | MicrosoftEdgeCP.exe
Key created | <EDGE>\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdge.exe
NTFS ADS (1 IoC)
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-8.0.7-win-x64.exe.byjcwwm.partial:Zone.Identifier | browser_broker.exe
The Zone.Identifier stream is written by browser_broker.exe on Edge's own in-progress download, i.e. the browser applying Mark-of-the-Web to the runtime installer it is fetching; it is not the sample reading or stripping an alternate data stream.

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | process
868 | WINWORD.EXE (2 IoCs)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | process
2876 | msiexec.exe (8 IoCs)

Suspicious behavior: MapViewOfSection (4 IoCs)
pid | process
4952 | MicrosoftEdgeCP.exe (4 IoCs)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 4592 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 4592 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 4592 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 4592 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 4116 MicrosoftEdge.exe
Token: SeDebugPrivilege 4116 MicrosoftEdge.exe
Token: SeShutdownPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeIncreaseQuotaPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeSecurityPrivilege 2876 msiexec.exe
Token: SeCreateTokenPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeAssignPrimaryTokenPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeLockMemoryPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeIncreaseQuotaPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeMachineAccountPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeTcbPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeSecurityPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeTakeOwnershipPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeLoadDriverPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeSystemProfilePrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeSystemtimePrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeProfSingleProcessPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeIncBasePriorityPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeCreatePagefilePrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeCreatePermanentPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeBackupPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeRestorePrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeShutdownPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeDebugPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeAuditPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeSystemEnvironmentPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeChangeNotifyPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeRemoteShutdownPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeUndockPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeSyncAgentPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeEnableDelegationPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeManageVolumePrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeImpersonatePrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeCreateGlobalPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeRestorePrivilege 2876 msiexec.exe
Token: SeTakeOwnershipPrivilege 2876 msiexec.exe
Token: SeRestorePrivilege 2876 msiexec.exe
Token: SeTakeOwnershipPrivilege 2876 msiexec.exe
Token: SeRestorePrivilege 2876 msiexec.exe
Token: SeTakeOwnershipPrivilege 2876 msiexec.exe
Token: SeRestorePrivilege 2876 msiexec.exe
Token: SeTakeOwnershipPrivilege 2876 msiexec.exe
Token: SeRestorePrivilege 2876 msiexec.exe
Token: SeTakeOwnershipPrivilege 2876 msiexec.exe
Token: SeRestorePrivilege 2876 msiexec.exe
Token: SeTakeOwnershipPrivilege 2876 msiexec.exe
Token: SeRestorePrivilege 2876 msiexec.exe
Token: SeTakeOwnershipPrivilege 2876 msiexec.exe
Token: SeRestorePrivilege 2876 msiexec.exe
Token: SeTakeOwnershipPrivilege 2876 msiexec.exe
Token: SeRestorePrivilege 2876 msiexec.exe
Token: SeTakeOwnershipPrivilege 2876 msiexec.exe
Token: SeRestorePrivilege 2876 msiexec.exe
Token: SeTakeOwnershipPrivilege 2876 msiexec.exe
Token: SeRestorePrivilege 2876 msiexec.exe
Token: SeTakeOwnershipPrivilege 2876 msiexec.exe
Token: SeRestorePrivilege 2876 msiexec.exe
Token: SeTakeOwnershipPrivilege 2876 msiexec.exe
Token: SeRestorePrivilege 2876 msiexec.exe
Token: SeTakeOwnershipPrivilege 2876 msiexec.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 592 windowsdesktop-runtime-8.0.7-win-x64.exe -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process
4116 MicrosoftEdge.exe
4952 MicrosoftEdgeCP.exe
4592 MicrosoftEdgeCP.exe
4952 MicrosoftEdgeCP.exe
868 WINWORD.EXE
868 WINWORD.EXE
868 WINWORD.EXE
868 WINWORD.EXE
868 WINWORD.EXE
868 WINWORD.EXE
868 WINWORD.EXE
-
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 2908 wrote to memory of 4864 2908 browser_broker.exe 78
PID 2908 wrote to memory of 4864 2908 browser_broker.exe 78
PID 2908 wrote to memory of 4864 2908 browser_broker.exe 78
PID 4864 wrote to memory of 592 4864 windowsdesktop-runtime-8.0.7-win-x64.exe 80
PID 4864 wrote to memory of 592 4864 windowsdesktop-runtime-8.0.7-win-x64.exe 80
PID 4864 wrote to memory of 592 4864 windowsdesktop-runtime-8.0.7-win-x64.exe 80
PID 592 wrote to memory of 4376 592 windowsdesktop-runtime-8.0.7-win-x64.exe 81
PID 592 wrote to memory of 4376 592 windowsdesktop-runtime-8.0.7-win-x64.exe 81
PID 592 wrote to memory of 4376 592 windowsdesktop-runtime-8.0.7-win-x64.exe 81
PID 2876 wrote to memory of 4208 2876 msiexec.exe 83
PID 2876 wrote to memory of 4208 2876 msiexec.exe 83
PID 2876 wrote to memory of 4208 2876 msiexec.exe 83
PID 2876 wrote to memory of 1556 2876 msiexec.exe 84
PID 2876 wrote to memory of 1556 2876 msiexec.exe 84
PID 2876 wrote to memory of 1556 2876 msiexec.exe 84
PID 2876 wrote to memory of 2536 2876 msiexec.exe 85
PID 2876 wrote to memory of 2536 2876 msiexec.exe 85
PID 2876 wrote to memory of 2536 2876 msiexec.exe 85
PID 2876 wrote to memory of 200 2876 msiexec.exe 86
PID 2876 wrote to memory of 200 2876 msiexec.exe 86
PID 2876 wrote to memory of 200 2876 msiexec.exe 86
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(the bracketed number is each process's depth in the tree: a [2] entry is a child of the nearest preceding [1] entry, and so on)
-
[1] C:\Users\Admin\AppData\Local\Temp\auto-creamapi.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\auto-creamapi.exe"
    - Checks computer location settings
    PID: 3328
-
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 4116
-
[1] C:\Windows\system32\browser_broker.exe
    Command line: C:\Windows\system32\browser_broker.exe -Embedding
    - Modifies Internet Explorer settings
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    PID: 2908
  [2] C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-8.0.7-win-x64.exe
      Command line: "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-8.0.7-win-x64.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4864
    [3] C:\Windows\Temp\{5226A8EE-FBCF-4FE1-A998-11251416D077}\.cr\windowsdesktop-runtime-8.0.7-win-x64.exe
        Command line: "C:\Windows\Temp\{5226A8EE-FBCF-4FE1-A998-11251416D077}\.cr\windowsdesktop-runtime-8.0.7-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\windowsdesktop-runtime-8.0.7-win-x64.exe" -burn.filehandle.attached=552 -burn.filehandle.self=584
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 592
      [4] C:\Windows\Temp\{7835309A-160D-4F55-B793-271AD8AC70DC}\.be\windowsdesktop-runtime-8.0.7-win-x64.exe
          Command line: "C:\Windows\Temp\{7835309A-160D-4F55-B793-271AD8AC70DC}\.be\windowsdesktop-runtime-8.0.7-win-x64.exe" -q -burn.elevated BurnPipe.{17F7DFFB-0E78-4A82-9827-BB25E57972E1} {2365379A-AA5B-4876-8CD4-4995CF0CC21B} 592
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          PID: 4376
-
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4952
-
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 4592
-
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Drops file in Windows directory
    - Modifies registry class
    PID: 4604
-
[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2876
  [2] C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding BB8C0AD20D1778525075D942931A13A5
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID: 4208
  [2] C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding FB13EC6493C497588DDB6C98A17D94AB
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID: 1556
  [2] C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 937193C7F81CD1A451A6829D34FC748F
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID: 2536
  [2] C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 771CB200064B1F71A59406EC36D64872
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID: 200
-
[1] C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 5072
-
[1] C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 868
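The AdjustPrivilegeToken and WriteProcessMemory tables above, together with the process tree, are what an analyst pivots on when deciding whether the installer chain (browser_broker.exe -> downloaded windowsdesktop-runtime-8.0.7-win-x64.exe -> .cr clean-room copy -> .be elevated copy) is benign bundle behaviour or something hiding behind it. The following Python is an added example, not part of the sandbox report or of any sandbox tooling: it parses rows in the exact shape those two tables use, rebuilds which PIDs each writer reaches, and lists the privileges each PID enabled. The sample rows are copied from the tables above (a subset that keeps every distinct edge and privilege but not every repeated row); the SENSITIVE privilege list is this example's own assumption about which privileges deserve a second look.

```python
"""Triage helper for sandbox signature rows (added example, not the report's own code)."""
import re
from collections import Counter, defaultdict

# Rows copied from the report's tables above (constructed subset for this example).
WPM_ROWS = """\
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 4952 wrote to memory of 4604 4952 MicrosoftEdgeCP.exe 77
PID 2908 wrote to memory of 4864 2908 browser_broker.exe 78
PID 4864 wrote to memory of 592 4864 windowsdesktop-runtime-8.0.7-win-x64.exe 80
PID 592 wrote to memory of 4376 592 windowsdesktop-runtime-8.0.7-win-x64.exe 81
PID 2876 wrote to memory of 4208 2876 msiexec.exe 83
PID 2876 wrote to memory of 1556 2876 msiexec.exe 84
PID 2876 wrote to memory of 2536 2876 msiexec.exe 85
PID 2876 wrote to memory of 200 2876 msiexec.exe 86
"""
TOKEN_ROWS = """\
Token: SeDebugPrivilege 4592 MicrosoftEdgeCP.exe
Token: SeDebugPrivilege 4116 MicrosoftEdge.exe
Token: SeShutdownPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeSecurityPrivilege 2876 msiexec.exe
Token: SeTcbPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeLoadDriverPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeBackupPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeRestorePrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeDebugPrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeImpersonatePrivilege 4376 windowsdesktop-runtime-8.0.7-win-x64.exe
Token: SeRestorePrivilege 2876 msiexec.exe
Token: SeTakeOwnershipPrivilege 2876 msiexec.exe
Token: SeRestorePrivilege 2876 msiexec.exe
Token: SeTakeOwnershipPrivilege 2876 msiexec.exe
"""

# Privileges worth a closer look when enabled by a user-launched chain (this example's assumption).
SENSITIVE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege", "SeRestorePrivilege",
             "SeBackupPrivilege", "SeTakeOwnershipPrivilege", "SeImpersonatePrivilege",
             "SeAssignPrimaryTokenPrivilege", "SeCreateTokenPrivilege"}

# Column order of the two tables: description, pid, Process[, procid_target].
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")
TOKEN_RE = re.compile(r"^Token: (Se\w+) (\d+) (\S+)$")


def parse_wpm(rows):
    """Return (edges, images): edges counts rows per (writer_pid, target_pid); images maps writer pid to image."""
    edges, images = Counter(), {}
    for line in rows.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        writer, target, pid_col, image, _procid_target = m.groups()
        if writer != pid_col:  # the pid column repeats the writer; anything else is a malformed row
            raise ValueError(f"inconsistent row: {line!r}")
        edges[(int(writer), int(target))] += 1
        images[int(writer)] = image
    return edges, images


def parse_tokens(rows):
    """Return (privs, images): privs maps pid to a Counter of privileges it enabled."""
    privs, images = defaultdict(Counter), {}
    for line in rows.splitlines():
        m = TOKEN_RE.match(line.strip())
        if not m:
            continue
        priv, pid, image = m.groups()
        privs[int(pid)][priv] += 1
        images[int(pid)] = image
    return privs, images


def descendants(edges, root):
    """Depth-first list of every pid reachable from root through write edges (root excluded)."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    out, stack, seen = [], [root], {root}
    while stack:
        pid = stack.pop()
        if pid != root:
            out.append(pid)
        for child in sorted(children[pid], reverse=True):  # ascending visit order
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return out


def sensitive_privileges(privs, sensitive=SENSITIVE):
    """Map pid to the sorted sensitive privileges it enabled; pids with none are omitted."""
    return {pid: sorted(set(c) & sensitive) for pid, c in privs.items() if set(c) & sensitive}


def summarize(wpm_rows=WPM_ROWS, token_rows=TOKEN_ROWS):
    """For every root writer: its image, the pids it reaches, and sensitive privileges along that chain."""
    edges, images = parse_wpm(wpm_rows)
    privs, token_images = parse_tokens(token_rows)
    images.update(token_images)
    sens = sensitive_privileges(privs)
    roots = sorted({p for p, _ in edges} - {c for _, c in edges})
    return {root: {"image": images.get(root, "?"),
                   "reaches": descendants(edges, root),
                   "sensitive": {pid: sens[pid] for pid in [root, *descendants(edges, root)] if pid in sens}}
            for root in roots}


if __name__ == "__main__":
    for root, info in summarize().items():
        print(f"{root} {info['image']} -> {info['reaches']}")
        for pid, plist in info["sensitive"].items():
            print(f"    {pid}: {', '.join(plist)}")
```

Run against the full tables, the chain rooted at browser_broker.exe (2908) ends in PID 4376, the only process in the report that enabled SeTcbPrivilege, SeLoadDriverPrivilege and SeDebugPrivilege together; whether that is acceptable depends on whether 4376 really is the signed Burn bootstrapper it claims to be, which the hashes in the Downloads section are what you would check.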
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 47KB
MD5 99a8a783c767455295f4150b23e60a05
SHA1 af13fd089b2d16926b44262ef6e44024606fefa0
SHA256 8fe71f8f3ec1c75416faafd37c7b61ec20a6ad9286eba008c8f88cd1a2c2307a
SHA512 a1ba12dbc3360da31ef92f706d2ab2584805f1bf93b653c3a895a2dad76a9289ebe87c38a7385c0cc232b3036d888435c61311c7a122128bc2906ffabcfc970a
-
Filesize 8KB
MD5 2079f7927043c92ca2aaecb19e7135a7
SHA1 9f2b6228f7834a6f3368cde49cdf0e9fd43a60b1
SHA256 0988ad35bf8bf1d2fc886464ebeb20a415be124b0bfccb5fc5c18f2b9967acda
SHA512 6de9a3eaf3e633f409c831ba88ea1071c5fbc71132426df673823b0ada1cf2b82843eb590b16e1967bb89150fc3f3819724469002914564452b0929c995debbc
-
Filesize 9KB
MD5 eed5c710419d18146e2e8a249002609b
SHA1 4756c91d25d4807ab401759e8b7c0248d6820374
SHA256 cbd2d8f5303730c4c77806ca66bb134b02ebbcdd63eda288b222ccb51d754cc5
SHA512 05b0735db46929f402be843590a63346168ece37333ed2a3dee4618ade9082a8ec8a29e185825c0a9da1be9cf424520203b8a76ce45426519a2c1950bbf0c60a
-
Filesize 85KB
MD5 06339f82ef991d107a8174cff850baa5
SHA1 a8c23a8c806b3076022d1274f9a633d3516f2274
SHA256 194740b6745699c1448eaa8a0ff148bc84d4aaa9d4ad5422a703155806b06674
SHA512 d90398f68f954dbeb31375dba1c69af2bdb370af3a565273566cb3ed0b0c99b0ba1d88a876cf155d45e0e7c8db63815d370c042c7ceafeb2e3ae967f361aba8d
-
Filesize 9KB
MD5 31c5a77b3c57c8c2e82b9541b00bcd5a
SHA1 153d4bc14e3a2c1485006f1752e797ca8684d06d
SHA256 7f6839a61ce892b79c6549e2dc5a81fdbd240a0b260f8881216b45b7fda8b45d
SHA512 ad33e3c0c3b060ad44c5b1b712c991b2d7042f6a60dc691c014d977c922a7e3a783ba9bade1a34de853c271fde1fb75bc2c47869acd863a40be3a6c6d754c0a6
-
Filesize 93KB
MD5 90630d9ee3e0a5672166a45e00f79a5f
SHA1 d1148f8c7558e9b8a81bf1f50f9e3bed89d9928c
SHA256 1271701f435f7fe4aa81dc7e273ca80b6391b73580ee20b35a956052c95de4cf
SHA512 29e10bd57d1c580ece70b9b7c4a69dc036a5a64012eb89ba360a71be6b808150610ea0737351277a3d4235c02323fabef29f092fa6b2a40f0289f55a7973e93d
-
Filesize 74KB
MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\WUMFPYR3\dotnet.microsoft[1].xml
Filesize 13B
MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\WUMFPYR3\dotnet.microsoft[1].xml
Filesize 84B
MD5 57324eb135e493da5986107f3f4e36f2
SHA1 f3a948e0de74c6c20b6f9aa343e1e9b97fb7d697
SHA256 60c73b1d684f6c9cb2fd3ee36c2c67a346b26e81ae4676f8a1f19415775e5d7e
SHA512 5700426ca3a45f9484b55b52f178604802b4da3f1005438500fbd3f9bee9c131e3d6ead5ae2bcc58adb23df41168b189db67001dfb6b3745270f07ada4c3f823
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\YWCI917P\suggestions[1].en-US
Filesize 17KB
MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\DAT0HHQ0\windowsdesktop-runtime-8.0.7-win-x64[1].exe
Filesize 112KB
MD5 39f57231d00be49ce10ca00bfba87938
SHA1 002005b37a4b3c15d105936d7c6f552d50d4100e
SHA256 40518396f71c06ff06dc0c0ab53720447f41638e64acdddf83d25421ae1992c5
SHA512 c1503e1d1e64fcc0d558893d6f370ed198ca54e49a46a79b6402f10d9492f29cd7d6d7b414d0d4f38735942a320eeae71b221c1c6d5443c0013f92c936d76fdb
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.7_(x64)_20240812113321_000_dotnet_runtime_8.0.7_win_x64.msi.log
Filesize 2KB
MD5 5292e037453722729920dff335bcc6c0
SHA1 172c3167ab3f583bb6c6935a8c1375e6026d9612
SHA256 f14e9f3765f49df494766fe6e407f355f71ec179b84cd1c066276c953ddbaee1
SHA512 e5e46d91832348bc0f4f7ceb26a6b24ad963cad317f123312ba94f570aab6a26fc95979376535ea7a214f1f2510b322066aace66fb35e1eddeab923ae685bd64
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.7_(x64)_20240812113321_001_dotnet_hostfxr_8.0.7_win_x64.msi.log
Filesize 2KB
MD5 ab223d2aa085597ed69b1c94aca5ba9b
SHA1 139923fc249a3ddb3366b1bf9601dbea2689d533
SHA256 85c89a419b33f9534536be680cc11b237c41c2908f2e0d6f540a8448ea104e90
SHA512 ac7ffb6fd94e8c739e4359c630dde447d6c6a7cbba06ff401fbbcd1f619b47859b714810a8a6132b0fa952d9c70a78a27838f31738cbc9ea763157f62c75aa0b
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.7_(x64)_20240812113321_002_dotnet_host_8.0.7_win_x64.msi.log
Filesize 2KB
MD5 5ec7d18eb9cefd1a3fc505f80317f5fa
SHA1 a6efa52ea55854b6fbf9e1140c48a1a3269e3753
SHA256 c9cef5d14718069321c8328f60359185228ae88588ee83f3b1eb47e65ac10fcc
SHA512 cf9b69e0e563a7f66d648032f26878219a7c6b0cd9d3639f1aeeb8a28932cd4247528b988d5ffa6cb0b54f3fe4b53faa28a367183355680c759564c528955c6e
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.7_(x64)_20240812113321_003_windowsdesktop_runtime_8.0.7_win_x64.msi.log
Filesize 2KB
MD5 ed99c30ad5566ef1c848373921824da8
SHA1 f06cb03c58e6f9feadda6572ac26d991a342c44c
SHA256 f5a4b9b80ae7a987dad18559fc241534f941a420a84b60973ce19d0f788bbfc9
SHA512 691808f55e9959d3977b8da17408c8cb9c9468a2e5c9137b755fe24d7faa1ac417f0ebd3db81d03eda8ccba3890bd3552e8869485506f1c43c6bc054819597f9
-
Filesize 224B
MD5 e66d36cbcfd69fdf8db6e5c649137ef1
SHA1 c1ce08cca33347fe58f95f78f61c31ac6501f511
SHA256 15376656ff62df570727bcac73caf451fbe0599729bb4bf648b5e65b3e97f5f4
SHA512 78a8c44885ce2f1a035a3075a50027d6eff5c1adbc4d4d134880b1aced5e5d0f70fb6ca8cb037327ec4890a392b3be84eb85c72f38d4cfac985afab64b7c81bc
-
Filesize 244KB
MD5 60e8c139e673b9eb49dc83718278bc88
SHA1 00a3a9cd6d3a9f52628ea09c2e645fe56ee7cd56
SHA256 b181b6b4d69a53143a97a306919ba1adbc0b036a48b6d1d41ae7a01e8ef286cb
SHA512 ac7cb86dbf3b86f00da7b8a246a6c7ef65a6f1c8705ea07f9b90e494b6239fb9626b55ee872a9b7f16575a60c82e767af228b8f018d4d7b9f783efaccca2b103
-
Filesize 635KB
MD5 1021bcdda151fb3bad0513d8311dff8c
SHA1 fc93405fc3d52f48f13375e2aa637fdc64afd5c9
SHA256 ab0d30eeaad5eb3d1c697097e6099fe81cd303c5ba26d7d88168201163b1fff4
SHA512 d4500e7a7ecfac6aa0e944de3b197f7336db3327b012b5ed48ba1dd9f3f892e243da7a1785f60dd29895c0853d6313bbe9a6f131b95f91a75b9f92fcee01e361
-
Filesize 4KB
MD5 9eb0320dfbf2bd541e6a55c01ddc9f20
SHA1 eb282a66d29594346531b1ff886d455e1dcd6d99
SHA256 9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA512 9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d
-
Filesize 780KB
MD5 52f0cb6ac56340fedbf77a9d1653d919
SHA1 268b00119515945b5750ec9ae4576fca24fa479f
SHA256 d2c403c8806e8ed4a079d7c67207583adaca5fc4ab6506c18fe2ab20e1b6a101
SHA512 03fcde710450ed9dd3cdf1d4ee053d53a8ae98f24cff9fcdf633dd655833a42c4dfeb025bc436a1a354b320ce794896d8b361bb37702f4a34c459b1a72b06c2f
-
Filesize 848KB
MD5 252e3786ee9fc41797fbcf5d3db65d74
SHA1 bca98a5e954f25c9d2e6a64c2b1a7c73607de9c6
SHA256 c4ba08d8e05f2edb85f92571d20dbaecac55ce90531539dd60e591c113e96ba5
SHA512 4dd35a7d601505ad029b4f1e116dab34be43fb725673d8a3de6e851e6fef1967a4f7e8fb1a06250f66d779ce0ec818fc42e809205741055eb9152bebca799f6b
-
Filesize 26.3MB
MD5 cedca35d058e4e4f50bf65e3c969f3bd
SHA1 605620ebf5e037811cca56516bb34fecefada830
SHA256 bed9f4dcf3e5f2631f0dc85ff02d6e4f94355b5eae06797d1c3b59efa3ffcccf
SHA512 82ed592a17c09c0552c7eed85c19989cc743cf43a7369297c73815d289d02b3c3e2255159a29e2dfe0358f302c39f136ae93a4c2f915f1186b1f4f647aaa1b63
-
Filesize 29.1MB
MD5 ca48e6e1ad0edbb9100d0e6377fac11c
SHA1 d87f353747ee47721636ca6dc252b9c5c5db6fde
SHA256 0ed78af29c5e9c5fd79c1e68c3ab08996435312dae5ef3aeb079a5503e6d701e
SHA512 b2ed00f935654eaf8dabaa37a0499bf4253aa9d2f0236ff494910fa232c37437013ed87793b2e7e1481ab636bbed7735e9fb8cc014b1bd39a398550977920bf4
-
Filesize 215KB
MD5 f68f43f809840328f4e993a54b0d5e62
SHA1 01da48ce6c81df4835b4c2eca7e1d447be893d39
SHA256 e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e
SHA512 a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1