Analysis
max time kernel: 92s
max time network: 97s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
submitted: 09/10/2024, 00:14
Static task
static1
Behavioral task
behavioral1
Sample
Installer.exe
Resource
win11-20241007-en
General
Target: Installer.exe
Size: 39KB
MD5: 5853c7757906df8f9628c05d95c79fc0
SHA1: e3170d65b9e8dac5297aa007283dfec5a1e69c35
SHA256: 5fcd948b8a4189a550598c8ebf67787036668b9a2751ebbd121f750e48967f94
SHA512: f60b36f0bb1b7e0fab688e3fad9a8c1c4b9292b88fef56ecc0f9008db9840a1eb5dc28ceae950ab8898a49b65b48a4be7bb985934d5dd3999f19a06e35094670
SSDEEP: 768:G2bkLvJXH4mtbFzRbhiBea3qhxqxjyPCLOtYcFwVc6K:G2bgRXHbtboqhnCLSwVcl
Malware Config
Signatures
Downloads MZ/PE file
Executes dropped EXE 4 IoCs
pid   Process
2012  dotnet8.exe
1664  dotnet8.exe
1820  windowsdesktop-runtime-8.0.10-win-x64.exe
3016  Latite Injector.exe
Loads dropped DLL 64 IoCs
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{d990096d-6282-42c5-8d16-71272c5be274} = "\"C:\\ProgramData\\Package Cache\\{d990096d-6282-42c5-8d16-71272c5be274}\\windowsdesktop-runtime-8.0.10-win-x64.exe\" /burn.runonce"
Process: windowsdesktop-runtime-8.0.10-win-x64.exe
Blocklisted process makes network request 1 IoCs
flow  pid   Process
6     5116  msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow  ioc
1     raw.githubusercontent.com
8     raw.githubusercontent.com
9     raw.githubusercontent.com
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies data under HKEY_USERS 17 IoCs
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 18 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
1664 dotnet8.exe
Suspicious use of WriteProcessMemory 41 IoCs
description pid Process procid_target
PID 4796 wrote to memory of 640 4796 Installer.exe 78
PID 4796 wrote to memory of 640 4796 Installer.exe 78
PID 4796 wrote to memory of 2012 4796 Installer.exe 79
PID 4796 wrote to memory of 2012 4796 Installer.exe 79
PID 4796 wrote to memory of 2012 4796 Installer.exe 79
PID 2012 wrote to memory of 1664 2012 dotnet8.exe 80
PID 2012 wrote to memory of 1664 2012 dotnet8.exe 80
PID 2012 wrote to memory of 1664 2012 dotnet8.exe 80
PID 1664 wrote to memory of 1820 1664 dotnet8.exe 81
PID 1664 wrote to memory of 1820 1664 dotnet8.exe 81
PID 1664 wrote to memory of 1820 1664 dotnet8.exe 81
PID 5116 wrote to memory of 1864 5116 msiexec.exe 85
PID 5116 wrote to memory of 1864 5116 msiexec.exe 85
PID 5116 wrote to memory of 1864 5116 msiexec.exe 85
PID 5116 wrote to memory of 1744 5116 msiexec.exe 86
PID 5116 wrote to memory of 1744 5116 msiexec.exe 86
PID 5116 wrote to memory of 1744 5116 msiexec.exe 86
PID 5116 wrote to memory of 2068 5116 msiexec.exe 87
PID 5116 wrote to memory of 2068 5116 msiexec.exe 87
PID 5116 wrote to memory of 2068 5116 msiexec.exe 87
PID 5116 wrote to memory of 2104 5116 msiexec.exe 88
PID 5116 wrote to memory of 2104 5116 msiexec.exe 88
PID 5116 wrote to memory of 2104 5116 msiexec.exe 88
PID 1820 wrote to memory of 2636 1820 windowsdesktop-runtime-8.0.10-win-x64.exe 89
PID 1820 wrote to memory of 2636 1820 windowsdesktop-runtime-8.0.10-win-x64.exe 89
PID 1820 wrote to memory of 2636 1820 windowsdesktop-runtime-8.0.10-win-x64.exe 89
PID 2636 wrote to memory of 3696 2636 windowsdesktop-runtime-8.0.2-win-x64.exe 90
PID 2636 wrote to memory of 3696 2636 windowsdesktop-runtime-8.0.2-win-x64.exe 90
PID 2636 wrote to memory of 3696 2636 windowsdesktop-runtime-8.0.2-win-x64.exe 90
PID 3696 wrote to memory of 2856 3696 windowsdesktop-runtime-8.0.2-win-x64.exe 91
PID 3696 wrote to memory of 2856 3696 windowsdesktop-runtime-8.0.2-win-x64.exe 91
PID 3696 wrote to memory of 2856 3696 windowsdesktop-runtime-8.0.2-win-x64.exe 91
PID 5116 wrote to memory of 1228 5116 msiexec.exe 92
PID 5116 wrote to memory of 1228 5116 msiexec.exe 92
PID 5116 wrote to memory of 1228 5116 msiexec.exe 92
PID 5116 wrote to memory of 2160 5116 msiexec.exe 93
PID 5116 wrote to memory of 2160 5116 msiexec.exe 93
PID 5116 wrote to memory of 2160 5116 msiexec.exe 93
PID 5116 wrote to memory of 3092 5116 msiexec.exe 94
PID 5116 wrote to memory of 3092 5116 msiexec.exe 94
PID 5116 wrote to memory of 3092 5116 msiexec.exe 94
Processes
C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796

  C:\Program Files\dotnet\dotnet.exe
  "dotnet" --version
  PID:640

  C:\Users\Admin\AppData\Local\Temp\dotnet8.exe
  "C:\Users\Admin\AppData\Local\Temp\dotnet8.exe" /passive /norestart
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2012

    C:\Windows\Temp\{23993E88-6D3B-453F-ADAA-7DC839376FD1}\.cr\dotnet8.exe
    "C:\Windows\Temp\{23993E88-6D3B-453F-ADAA-7DC839376FD1}\.cr\dotnet8.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\dotnet8.exe" -burn.filehandle.attached=572 -burn.filehandle.self=584 /passive /norestart
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1664

      C:\Windows\Temp\{1F2095DE-619A-4419-924C-FAB3BECBEB46}\.be\windowsdesktop-runtime-8.0.10-win-x64.exe
      "C:\Windows\Temp\{1F2095DE-619A-4419-924C-FAB3BECBEB46}\.be\windowsdesktop-runtime-8.0.10-win-x64.exe" -q -burn.elevated BurnPipe.{B62ED15D-CB39-40FA-B813-C20D0247F8C8} {24540083-32F6-4842-AEFB-DE7801445841} 1664
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:1820

        C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
        "C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d990096d-6282-42c5-8d16-71272c5be274} -burn.filehandle.self=1036 -burn.embedded BurnPipe.{6453A9D3-959E-4037-A761-9288E8EAD499} {DCE5A2FD-6D15-4D30-AEB8-C3DFA76C46B7} 1820
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:2636

          C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
          "C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=560 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d990096d-6282-42c5-8d16-71272c5be274} -burn.filehandle.self=1036 -burn.embedded BurnPipe.{6453A9D3-959E-4037-A761-9288E8EAD499} {DCE5A2FD-6D15-4D30-AEB8-C3DFA76C46B7} 1820
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:3696

            C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
            "C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe" -q -burn.elevated BurnPipe.{E6D7F4B8-F76D-4067-B988-2F093084A9AE} {02C53E15-20F5-4680-BCB5-C6AB7E43D940} 3696
            - System Location Discovery: System Language Discovery
            - Modifies registry class
            PID:2856

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116

  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3CAAC86177349D6EF5D66BE2444EBA0D
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1864

  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8222213BB701ACA9210CCE7DF37FAB79
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1744

  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F524C67B8D02979DF19A507B4F60C073
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2068

  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A3F8B15BFADF09487C953CFD97E86423
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2104

  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 84358646F88C6956340073D4EFD5AF75
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1228

  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4CD1FAD67AE54C79887C27347DEAE8DF
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2160

  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4D119619ACC7843F8BAA370345D90367
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3092

C:\Program Files\Latite Injector\Latite Injector.exe
"C:\Program Files\Latite Injector\Latite Injector.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3016
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.10\Microsoft.NETCore.App.runtimeconfig.json
Filesize 53B
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.10\Microsoft.WindowsDesktop.App.deps.json
Filesize 30KB
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.10\Microsoft.WindowsDesktop.App.runtimeconfig.json
Filesize 183B
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.10_(x64)_20241009001542_000_dotnet_runtime_8.0.10_win_x64.msi.log
Filesize 2KB
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.10_(x64)_20241009001542_001_dotnet_hostfxr_8.0.10_win_x64.msi.log
Filesize 3KB
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.10_(x64)_20241009001542_002_dotnet_host_8.0.10_win_x64.msi.log
Filesize 3KB
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.10_(x64)_20241009001542_003_windowsdesktop_runtime_8.0.10_win_x64.msi.log
Filesize 2KB
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241009001553_000_windowsdesktop_runtime_8.0.2_win_x64.msi.log
Filesize 3KB
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241009001553_001_dotnet_hostfxr_8.0.2_win_x64.msi.log
Filesize 1KB
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241009001553_002_dotnet_runtime_8.0.2_win_x64.msi.log
Filesize 1KB