Windows Analysis Report
EtEskr.exe

Overview

General Information

Sample name: EtEskr.exe
Analysis ID: 1524996
MD5: 891a35ef9a4c3b463013b62f888b3927
SHA1: c1482dc6f5db6149374fccdf4fcdae76f9b362f2
SHA256: 7f817123a5f3a6a0405f42f93c0213f5014043b42cb46b34430eeffe1a340e8c
Infos:

Detection

Babadeda
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (overwrites its own PE header)
Yara detected Babadeda
Bypasses PowerShell execution policy
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Name Description Attribution Blogpost URLs Link
Babadeda According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: EtEskr.exe Avira: detected
Machine Learning detection for sample
Source: EtEskr.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AABD11 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,DecryptFileW,LocalFree, 4_2_00AABD11
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AABAF6 DecryptFileW,DecryptFileW, 4_2_00AABAF6
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AD4C0F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 4_2_00AD4C0F
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003ABD11 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,DecryptFileW,LocalFree, 5_2_003ABD11
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003ABAF6 DecryptFileW,DecryptFileW, 5_2_003ABAF6
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003D4C0F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 5_2_003D4C0F
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D5BAF6 DecryptFileW,DecryptFileW, 6_2_00D5BAF6
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D84C0F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 6_2_00D84C0F
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D5BD11 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,DecryptFileW,LocalFree, 6_2_00D5BD11
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D7BAF6 DecryptFileW,DecryptFileW, 9_2_00D7BAF6
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00DA4C0F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError, 9_2_00DA4C0F
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D7BD11 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,DecryptFileW,LocalFree, 9_2_00D7BD11

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\EtEskr.exe Unpacked PE file: 0.2.EtEskr.exe.400000.0.unpack
Uses 32bit PE files
Source: EtEskr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Directory created: C:\Program Files\dotnet Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Directory created: C:\Program Files\dotnet\swidtag Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Directory created: C:\Program Files\dotnet\swidtag\Microsoft .NET Runtime - 8.0.8 (x64).swidtag Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ServiceProcess.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Channels.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.ThreadPool.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Algorithms.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Http.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Claims.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.Annotations.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Pipes.AccessControl.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.EventBasedAsync.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\clrgc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.TextWriterTraceListener.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Transactions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ValueTuple.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Formatters.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebSockets.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscordaccore_amd64_amd64_8.0.824.36612.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.Uri.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Emit.Lightweight.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.InteropServices.JavaScript.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.DataAnnotations.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Specialized.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Mail.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscordbi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.FileSystem.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Console.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.SecureString.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Requests.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Data.DataSetExtensions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encoding.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.RegularExpressions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.Parallel.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscorlib.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Resources.Reader.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.DataContractSerialization.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.OpenSsl.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XPath.XDocument.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Globalization.Extensions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Intrinsics.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebProxy.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XPath.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.StackTrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encodings.Web.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Data.Common.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Pipes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Numerics.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Thread.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Numerics.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\.version Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Metadata.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Principal.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Principal.Windows.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.ReaderWriter.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Core.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.Linq.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.Xml.Linq.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Configuration.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.VisualBasic.Core.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.CompilerServices.VisualC.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\netstandard.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XDocument.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.NETCore.App.runtimeconfig.json Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Formats.Tar.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.CoreLib.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Emit.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Emit.ILGeneration.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Data.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.NETCore.App.deps.json Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encoding.CodePages.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Encoding.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.FileVersionInfo.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.ZipFile.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.AccessControl.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Numerics.Vectors.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Transactions.Local.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Xml.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.DispatchProxy.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Resources.Writer.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.Xml.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.AppContext.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Expressions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encoding.Extensions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Primitives.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.Primitives.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.Win32.Registry.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XmlSerializer.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ServiceModel.Web.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Parallel.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Security.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.InteropServices.RuntimeInformation.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.Brotli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Drawing.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.Serialization.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Globalization.Calendars.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Process.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.NetworkInformation.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.DiaSymReader.Native.amd64.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.VisualBasic.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\coreclr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Buffers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.NameResolution.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Formats.Asn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Http.Json.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Immutable.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Queryable.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Ping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.HttpListener.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.Watcher.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscordaccore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.MemoryMappedFiles.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Quic.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Json.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Memory.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Extensions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.AccessControl.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Timer.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Debug.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Resources.ResourceManager.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.TraceSource.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.UnmanagedMemoryStream.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.CSharp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Web.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\WindowsBase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Concurrent.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Windows.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.TypeExtensions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebClient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Contracts.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Extensions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Loader.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.Primitives.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebSockets.Client.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.InteropServices.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebHeaderCollection.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Sockets.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.NonGeneric.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\clretwrc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Primitives.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.ServicePoint.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Tracing.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Handles.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Primitives.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.Win32.Primitives.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Globalization.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.Extensions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Drawing.Primitives.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.DriveInfo.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Overlapped.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Primitives.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ObjectModel.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.X509Certificates.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.TypeConverter.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XmlDocument.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.CompilerServices.Unsafe.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\createdump.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Cng.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Dynamic.Runtime.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.IsolatedStorage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\msquic.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.Native.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\hostpolicy.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.DiagnosticSource.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Web.HttpUtility.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Tools.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Csp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscorrc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Json.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.Dataflow.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\clrjit.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\host Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\host\fxr Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\host\fxr\8.0.8 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\host\fxr\8.0.8\hostfxr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\dotnet.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\LICENSE.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\ThirdPartyNotices.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9ACB23DB-4D32-49ED-A5E3-F4E2F8D9D2AA} Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\eula.rtf Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\LICENSE.txt Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Users\user\AppData\Local\Temp\{06E7DC8A-B849-4DE7-BE70-6356A189BCCF}\.ba\eula.rtf
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: System.Threading.Thread.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Globalization.Calendars/Release/net8.0-windows/System.Globalization.Calendars.pdbSHA256y source: System.Globalization.Calendars.dll.7.dr
Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDB4yU: source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ComponentModel.ni.pdb source: System.ComponentModel.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256UR= source: System.Threading.Thread.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XmlSerializer\Release\net8.0\System.Xml.XmlSerializer.pdb source: System.Xml.XmlSerializer.dll.7.dr
Source: Binary string: System.IO.FileSystem.DriveInfo.ni.pdb source: System.IO.FileSystem.DriveInfo.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\hostpolicy\standalone\hostpolicy.pdb|||GCTL source: EtEskrivare.exe, 0000000F.00000002.1816730458.00007FF8F85C5000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.Lightweight\Release\net8.0\System.Reflection.Emit.Lightweight.pdb source: System.Reflection.Emit.Lightweight.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Contracts\Release\net8.0\System.Diagnostics.Contracts.pdbSHA256 source: System.Diagnostics.Contracts.dll.7.dr
Source: Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdbSHA256 source: netstandard.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: System.Security.Cryptography.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdbSHA256 source: EtEskrivare.exe, 0000000F.00000002.1809798300.000001E915FD2000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsG source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621532910.00000000005A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe"C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{1763F6A2-C2F4-42C9-8866-460ACDE3FA\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initializecriptions8}\.be\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROW\REGISTRY\\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_InitializeATH=\Users\t source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618442951.0000000000246000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Json\Release\net8.0\System.Runtime.Serialization.Json.pdb source: System.Runtime.Serialization.Json.dll.7.dr
Source: Binary string: System.Net.Security.ni.pdb source: System.Net.Security.dll.7.dr
Source: Binary string: /_/artifacts/obj/mscorlib/Release/net8.0-windows/mscorlib.pdbSHA256 source: mscorlib.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscoree\coreclr\coreclr.pdb source: EtEskrivare.exe, 0000000F.00000002.1814506995.00007FF8E656F000.00000002.00000001.01000000.00000013.sdmp, coreclr.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: System.Collections.NonGeneric.dll.7.dr
Source: Binary string: System.Net.Http.Json.ni.pdb source: System.Net.Http.Json.dll.7.dr
Source: Binary string: C:\Users\user\AppData\Roaming\C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe"C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\Users\user\AppData\Roaming\dotnet-runtime\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drive\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_InitializeTRING=Defaul" source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621532910.00000000005A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Formats.Tar.ni.pdb source: System.Formats.Tar.dll.7.dr
Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBZ source: powershell.exe, 00000011.00000002.1774953336.00000133B4F50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: System.Net.Primitives.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Dynamic.Runtime/Release/net8.0-windows/System.Dynamic.Runtime.pdb source: System.Dynamic.Runtime.dll.7.dr
Source: Binary string: System.Collections.Specialized.ni.pdb source: System.Collections.Specialized.dll.7.dr
Source: Binary string: fuDLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86// source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Reflection.Extensions/Release/net8.0-windows/System.Reflection.Extensions.pdb source: System.Reflection.Extensions.dll.7.dr
Source: Binary string: ~ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621814525.00000000007E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815663224.00007FF8F0D01000.00000020.00000001.01000000.0000001A.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe"C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{1763F6A2-C2F4-42C9-8866-460ACDE3FA8E} {A5C335EB-CE59-4F47-9169-F2843E8F963C} 7076C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows>yT1 source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Diagnostics.Tools/Release/net8.0-windows/System.Diagnostics.Tools.pdbSHA256 source: System.Diagnostics.Tools.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Resources.Reader/Release/net8.0-windows/System.Resources.Reader.pdb source: System.Resources.Reader.dll.7.dr
Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\WixDepCA.pdb source: 475f70.msi.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Requests\Release\net8.0-windows\System.Net.Requests.pdbSHA256@ source: System.Net.Requests.dll.7.dr
Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBs source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618799073.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000003.1618160355.00000000004EF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp
Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDB?yT0 source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel\Release\net8.0\System.ComponentModel.pdb source: System.ComponentModel.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdbSHA256 source: System.Net.ServicePoint.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdbSHA256 source: EtEskrivare.exe, 0000000F.00000002.1809939574.000001E9160F2000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.Lightweight\Release\net8.0\System.Reflection.Emit.Lightweight.pdbSHA256 source: System.Reflection.Emit.Lightweight.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\fxr\standalone\hostfxr.pdb source: EtEskrivare.exe, 0000000F.00000002.1817141427.00007FF8FF5DB000.00000002.00000001.01000000.00000011.sdmp, hostfxr.dll.7.dr
Source: Binary string: System.Threading.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815663224.00007FF8F0D01000.00000020.00000001.01000000.0000001A.sdmp
Source: Binary string: /_/artifacts/obj/System.Dynamic.Runtime/Release/net8.0-windows/System.Dynamic.Runtime.pdbSHA256T/ source: System.Dynamic.Runtime.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Requests\Release\net8.0-windows\System.Net.Requests.pdb source: System.Net.Requests.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815219735.00007FF8E8551000.00000020.00000001.01000000.0000001B.sdmp
Source: Binary string: System.Net.ServicePoint.ni.pdb source: System.Net.ServicePoint.dll.7.dr
Source: Binary string: System.Threading.Channels.ni.pdb source: System.Threading.Channels.dll.7.dr
Source: Binary string: C:\Users\revse\source\repos\EtEskrivare\EtEskrivare\obj\Debug\net8.0\EtEskrivare.pdbSHA256 source: EtEskrivare.exe, 0000000F.00000002.1809730222.000001E915FC2000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: /_/artifacts/obj/System.ValueTuple/Release/net8.0-windows/System.ValueTuple.pdb source: System.ValueTuple.dll.7.dr
Source: Binary string: System.Drawing.Primitives.ni.pdb source: System.Drawing.Primitives.dll.7.dr
Source: Binary string: System.Net.NetworkInformation.ni.pdb source: System.Net.NetworkInformation.dll.7.dr
Source: Binary string: System.Reflection.Emit.ni.pdb source: System.Reflection.Emit.dll.7.dr
Source: Binary string: ming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell6{\3 source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1616512485.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617142082.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Net.WebProxy.ni.pdb source: System.Net.WebProxy.dll.7.dr
Source: Binary string: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows] source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617280358.00000000011E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816850376.00007FF8F8BB1000.00000020.00000001.01000000.00000017.sdmp, System.ComponentModel.Primitives.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NetworkInformation\Release\net8.0-windows\System.Net.NetworkInformation.pdb source: System.Net.NetworkInformation.dll.7.dr
Source: Binary string: Microsoft.VisualBasic.Core.ni.pdb source: Microsoft.VisualBasic.Core.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Formats.Tar\Release\net8.0-windows\System.Formats.Tar.pdb source: System.Formats.Tar.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdb source: System.Configuration.dll.7.dr
Source: Binary string: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsp source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617377212.0000000002DE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Text.Encoding/Release/net8.0-windows/System.Text.Encoding.pdb source: System.Text.Encoding.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XmlSerializer\Release\net8.0\System.Xml.XmlSerializer.pdbSHA256 source: System.Xml.XmlSerializer.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: System.Net.Security.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes.AccessControl\Release\net8.0-windows\System.IO.Pipes.AccessControl.pdbSHA256 source: System.IO.Pipes.AccessControl.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdb source: System.Threading.Timer.dll.7.dr
Source: Binary string: C:\Users\user\AppData\Roaming\ETESKR~1.PDB source: EtEskr.exe, 00000000.00000003.1820842488.0000000003E68000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ~:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppD source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621814525.00000000007E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows2zT> source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816088461.00007FF8F8371000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: C:\__w\1\s\artifacts\bin\windows\x64_Release_schannel\msquic.pdb source: msquic.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdb source: System.Diagnostics.Debug.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscorrc\mscorrc.pdb source: mscorrc.dll.7.dr
Source: Binary string: System.Memory.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815410566.00007FF8E8571000.00000020.00000001.01000000.00000019.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: EtEskrivare.exe, 0000000F.00000002.1809939574.000001E9160F2000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: System.Net.Security.dll.7.dr
Source: Binary string: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows4 source: powershell.exe, 00000011.00000002.1775529567.00000133B5144000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: le4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(& source: EtEskrivare.exe, 0000000F.00000002.1809425032.000001E9146FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebProxy\Release\net8.0\System.Net.WebProxy.pdb source: System.Net.WebProxy.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebSockets.Client\Release\net8.0\System.Net.WebSockets.Client.pdb source: System.Net.WebSockets.Client.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http.Json\Release\net8.0\System.Net.Http.Json.pdb source: System.Net.Http.Json.dll.7.dr
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815219735.00007FF8E8551000.00000020.00000001.01000000.0000001B.sdmp
Source: Binary string: /_/artifacts/obj/System.IO.Compression.FileSystem/Release/net8.0-windows/System.IO.Compression.FileSystem.pdbSHA256 source: System.IO.Compression.FileSystem.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\fxr\standalone\hostfxr.pdbxxxGCTL source: EtEskrivare.exe, 0000000F.00000002.1817141427.00007FF8FF5DB000.00000002.00000001.01000000.00000011.sdmp, hostfxr.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdbSHA256l8 source: System.Configuration.dll.7.dr
Source: Binary string: System.Net.WebSockets.ni.pdb source: System.Net.WebSockets.dll.7.dr
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: powershell.exe, 00000011.00000002.1799843422.00000133CEECF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1616512485.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617142082.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Console.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815869712.00007FF8F82D1000.00000020.00000001.01000000.00000018.sdmp, System.Console.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: EtEskrivare.exe, 0000000F.00000002.1809798300.000001E915FD2000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: System.IO.FileSystem.AccessControl.ni.pdb source: System.IO.FileSystem.AccessControl.dll.7.dr
Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDB source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621814525.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1622037561.00000000025A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621630198.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619628146.0000000002780000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618799073.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000003.1618160355.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619425199.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617377212.0000000002DE0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617280358.00000000011E0000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1809425032.000001E9146F6000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1810043122.000001E916114000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1799843422.00000133CEE90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1775778757.00000133B6AC3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1774953336.00000133B4F50000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1775529567.00000133B5144000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1775529567.00000133B5140000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbmmmGCTL source: EtEskr.exe, 00000000.00000003.1457004333.0000000005F40000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1810367539.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp, EtEskrivare.exe, 0000000F.00000000.1622493019.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: \Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617377212.0000000002DE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdb source: System.Net.ServicePoint.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Drawing.Primitives\Release\net8.0-windows\System.Drawing.Primitives.pdb source: System.Drawing.Primitives.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: System.Security.Principal.Windows.dll.7.dr
Source: Binary string: C:\Users\revse\source\repos\EtEskrivare\EtEskrivare\obj\Debug\net8.0\EtEskrivare.pdb source: EtEskrivare.exe, 0000000F.00000002.1809730222.000001E915FC2000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Cng/Release/net8.0-windows/System.Security.Cryptography.Cng.pdbSHA256& source: System.Security.Cryptography.Cng.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebProxy\Release\net8.0\System.Net.WebProxy.pdbSHA256 source: System.Net.WebProxy.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Resources.Reader/Release/net8.0-windows/System.Resources.Reader.pdbSHA256 source: System.Resources.Reader.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes.AccessControl\Release\net8.0-windows\System.IO.Pipes.AccessControl.pdb source: System.IO.Pipes.AccessControl.dll.7.dr
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsb{ source: powershell.exe, 00000011.00000002.1799843422.00000133CEF3A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdb source: System.Runtime.InteropServices.RuntimeInformation.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Json\Release\net8.0\System.Runtime.Serialization.Json.pdbSHA256PT# source: System.Runtime.Serialization.Json.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Globalization.Calendars/Release/net8.0-windows/System.Globalization.Calendars.pdb source: System.Globalization.Calendars.dll.7.dr
Source: Binary string: /_/artifacts/obj/mscorlib/Release/net8.0-windows/mscorlib.pdb source: mscorlib.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Cng/Release/net8.0-windows/System.Security.Cryptography.Cng.pdb source: System.Security.Cryptography.Cng.dll.7.dr
Source: Binary string: System.Reflection.DispatchProxy.ni.pdb source: System.Reflection.DispatchProxy.dll.7.dr
Source: Binary string: System.Security.Principal.Windows.ni.pdb source: System.Security.Principal.Windows.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.IO.Compression.FileSystem/Release/net8.0-windows/System.IO.Compression.FileSystem.pdb source: System.IO.Compression.FileSystem.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: System.Net.NameResolution.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.ValueTuple/Release/net8.0-windows/System.ValueTuple.pdbSHA256b source: System.ValueTuple.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Xml.XmlDocument/Release/net8.0-windows/System.Xml.XmlDocument.pdbSHA256 source: System.Xml.XmlDocument.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdbSHA256?) source: System.Runtime.InteropServices.RuntimeInformation.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Reflection.Extensions/Release/net8.0-windows/System.Reflection.Extensions.pdbSHA256F source: System.Reflection.Extensions.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.DispatchProxy\Release\net8.0\System.Reflection.DispatchProxy.pdb source: System.Reflection.DispatchProxy.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Diagnostics.Tools/Release/net8.0-windows/System.Diagnostics.Tools.pdb source: System.Diagnostics.Tools.dll.7.dr
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsc` source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1616305982.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Private.CoreLib.ni.pdb source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp
Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\wixca.pdb source: 475f70.msi.7.dr
Source: Binary string: C:\Users\user\AppData\Roaming\C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe"C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=664 -burn.filehandle.self=692 /qC:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Net.WebSockets.Client.ni.pdb source: System.Net.WebSockets.Client.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdbSHA256 source: System.ComponentModel.TypeConverter.dll.7.dr
Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\uica.pdb source: 475f70.msi.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdb source: System.Reflection.Emit.ILGeneration.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Threading.Tasks/Release/net8.0-windows/System.Threading.Tasks.pdbSHA256 source: System.Threading.Tasks.dll.7.dr
Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\burn.pdb source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000000.1461134092.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000000.1462308540.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1471849358.0000000000E50000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000000.1468484307.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1616930829.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000002.1571261458.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000000.1566788944.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000000.1569512535.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000002.1677887533.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675238127.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000000.1570510009.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000000.1661713635.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000002.1673797690.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe.5.dr
Source: Binary string: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: EtEskrivare.exe, 0000000F.00000002.1810043122.000001E916114000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.AccessControl\Release\net8.0-windows\System.IO.FileSystem.AccessControl.pdb source: System.IO.FileSystem.AccessControl.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebSockets\Release\net8.0-windows\System.Net.WebSockets.pdb source: System.Net.WebSockets.dll.7.dr
Source: Binary string: dotnet-runtime-8.0.8-win-x64.exe:32:*28453093*EtEskrivare.deps.json:32:*222*EtEskrivare.dll:32:*2409*EtEskrivare.exe:32:*63645*EtEskrivare.pdb:32:*6414*EtEskrivare.runtimeconfig.json:32:*195*L source: EtEskr.exe, 00000000.00000003.1820842488.0000000003E68000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EtEskrivare.pdb source: EtEskr.exe, 00000000.00000003.1820842488.0000000003E68000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.DispatchProxy\Release\net8.0\System.Reflection.DispatchProxy.pdbSHA256 source: System.Reflection.DispatchProxy.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.TraceSource\Release\net8.0\System.Diagnostics.TraceSource.pdb source: System.Diagnostics.TraceSource.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815410566.00007FF8E8571000.00000020.00000001.01000000.00000019.sdmp
Source: Binary string: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: powershell.exe, 00000011.00000002.1775778757.00000133B6AC3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1775529567.00000133B5144000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdb source: netstandard.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Data.DataSetExtensions/Release/net8.0-windows/System.Data.DataSetExtensions.pdbSHA256 source: System.Data.DataSetExtensions.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\hostpolicy\standalone\hostpolicy.pdb source: EtEskrivare.exe, 0000000F.00000002.1816730458.00007FF8F85C5000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: System.Net.NameResolution.ni.pdb source: System.Net.NameResolution.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdb source: System.ComponentModel.TypeConverter.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Data.DataSetExtensions/Release/net8.0-windows/System.Data.DataSetExtensions.pdb source: System.Data.DataSetExtensions.dll.7.dr
Source: Binary string: ncfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Use4 source: powershell.exe, 00000011.00000002.1775529567.00000133B5144000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Reflection/Release/net8.0-windows/System.Reflection.pdb source: System.Reflection.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: System.Collections.Specialized.dll.7.dr
Source: Binary string: DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFil source: powershell.exe, 00000011.00000002.1775529567.00000133B5140000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsrs\userwindir=C:\WindowsdowsdowsK source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618442951.0000000000240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdbSHA256 source: System.Threading.Timer.dll.7.dr
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsrs\userwindir=C:\Windowsdowsdows source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1616774708.0000000000C70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Text.Encodings.Web.ni.pdb source: System.Text.Encodings.Web.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\gc\clrgc.pdbMMMGCTL source: clrgc.dll.7.dr
Source: Binary string: System.Diagnostics.TraceSource.ni.pdb source: System.Diagnostics.TraceSource.dll.7.dr
Source: Binary string: C:\__w\1\s\artifacts\bin\windows\x64_Release_schannel\msquic.pdbbb6bUGP source: msquic.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.DriveInfo\Release\net8.0-windows\System.IO.FileSystem.DriveInfo.pdb source: System.IO.FileSystem.DriveInfo.dll.7.dr
Source: Binary string: C:\Users\user\AppData\Roaming\EtEskrivare.pdb source: EtEskr.exe, 00000000.00000003.1820842488.0000000003E60000.00000004.00000020.00020000.00000000.sdmp, EtEskr.exe, 00000000.00000003.1820842488.0000000003E68000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Diagnostics.Process.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816088461.00007FF8F8371000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit\Release\net8.0\System.Reflection.Emit.pdb source: System.Reflection.Emit.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.AccessControl\Release\net8.0-windows\System.Security.AccessControl.pdb source: System.Security.AccessControl.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.VisualBasic.Core\Release\net8.0-windows\Microsoft.VisualBasic.Core.pdb source: Microsoft.VisualBasic.Core.dll.7.dr
Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\burn.pdb4 source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000000.1461134092.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000000.1462308540.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1471849358.0000000000E50000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000000.1468484307.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1616930829.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000002.1571261458.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000000.1566788944.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000000.1569512535.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000002.1677887533.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675238127.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000000.1570510009.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000000.1661713635.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000002.1673797690.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe.5.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815869712.00007FF8F82D1000.00000020.00000001.01000000.00000018.sdmp, System.Console.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Text.Encoding/Release/net8.0-windows/System.Text.Encoding.pdbSHA256r source: System.Text.Encoding.dll.7.dr
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: EtEskrivare.exe, 0000000F.00000002.1809425032.000001E9146F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Collections.NonGeneric.ni.pdb source: System.Collections.NonGeneric.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Threading.Tasks/Release/net8.0-windows/System.Threading.Tasks.pdb source: System.Threading.Tasks.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: EtEskr.exe, 00000000.00000003.1457004333.0000000005F40000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1810367539.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp, EtEskrivare.exe, 0000000F.00000000.1622493019.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: \Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsZ source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1622037561.00000000025A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDB source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621630198.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1809425032.000001E9146FC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1774953336.00000133B4F50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppD source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619425199.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617280358.00000000011E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Security.Cryptography.ni.pdb source: System.Security.Cryptography.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Data.Common\Release\net8.0\System.Data.Common.pdb source: System.Data.Common.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Contracts\Release\net8.0\System.Diagnostics.Contracts.pdb source: System.Diagnostics.Contracts.dll.7.dr
Source: Binary string: System.ComponentModel.TypeConverter.ni.pdb source: System.ComponentModel.TypeConverter.dll.7.dr
Source: Binary string: System.Net.Requests.ni.pdb source: System.Net.Requests.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Reflection/Release/net8.0-windows/System.Reflection.pdbSHA256 source: System.Reflection.dll.7.dr
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsRo` source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621630198.00000000006B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Channels\Release\net8.0\System.Threading.Channels.pdb source: System.Threading.Channels.dll.7.dr
Source: Binary string: \Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsx source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619628146.0000000002780000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\gc\clrgc.pdb source: clrgc.dll.7.dr
Source: Binary string: :\Users\user\AppData\Roaming\ETESKR~1.PDB source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621814525.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619425199.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617280358.00000000011E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encodings.Web\Release\net8.0\System.Text.Encodings.Web.pdb source: System.Text.Encodings.Web.dll.7.dr
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppD source: powershell.exe, 00000011.00000002.1801555679.00000133CF208000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Xml.XmlDocument/Release/net8.0-windows/System.Xml.XmlDocument.pdb source: System.Xml.XmlDocument.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdbSHA256 source: System.Reflection.Emit.ILGeneration.dll.7.dr
Source: Binary string: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1622037561.00000000025A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619628146.0000000002780000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619425199.00000000009A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816850376.00007FF8F8BB1000.00000020.00000001.01000000.00000017.sdmp, System.ComponentModel.Primitives.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\jit\clrjit.pdb source: EtEskrivare.exe, 0000000F.00000002.1816366531.00007FF8F8525000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: System.Security.AccessControl.ni.pdb source: System.Security.AccessControl.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA256^ source: EtEskrivare.exe, 0000000F.00000002.1810003310.000001E916102000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exedotnet-runtime-8.0.8-win-x64.exe /qC:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowso source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621630198.00000000006B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdbSHA256 source: System.Diagnostics.Debug.dll.7.dr
Source: Binary string: System.Data.Common.ni.pdb source: System.Data.Common.dll.7.dr
Source: Binary string: ::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet E source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1616512485.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617142082.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: EtEskrivare.exe, 0000000F.00000002.1810003310.000001E916102000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: System.Net.Primitives.ni.pdb source: System.Net.Primitives.dll.7.dr
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00A91700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose, 4_2_00A91700
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00A93B2C FindFirstFileW,FindClose, 4_2_00A93B2C
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00ACC1FB FindFirstFileExW, 4_2_00ACC1FB
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AAB79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 4_2_00AAB79F
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_00391700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose, 5_2_00391700
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003AB79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 5_2_003AB79F
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_00393B2C FindFirstFileW,FindClose, 5_2_00393B2C
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003CC1FB FindFirstFileExW, 5_2_003CC1FB
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D5B79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 6_2_00D5B79F
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D41700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose, 6_2_00D41700
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D43B2C FindFirstFileW,FindClose, 6_2_00D43B2C
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D7C1FB FindFirstFileExW, 6_2_00D7C1FB
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D63B2C FindFirstFileW,FindClose, 9_2_00D63B2C
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D9C1FB FindFirstFileExW, 9_2_00D9C1FB
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D7B79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 9_2_00D7B79F
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D61700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose, 9_2_00D61700
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF66CB2CD20 GetFileAttributesExW,GetFullPathNameW,GetFullPathNameW,_invalid_parameter_noinfo_noreturn,GetFileAttributesExW,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,Concurrency::cancel_current_task, 15_2_00007FF66CB2CD20
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85B0910 FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn, 15_2_00007FF8F85B0910
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5C58B0 FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn, 15_2_00007FF8FF5C58B0
Source: C:\Users\user\Desktop\EtEskr.exe File opened: C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmp\4C82.tmp Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe File opened: C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmp Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe File opened: C:\Users\user\AppData\Local\Temp\4C80.tmp Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe File opened: C:\Users\user\ Jump to behavior

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\netstandard.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.dll, type: DROPPED
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: http://7-zip.org/sdk.html
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: http://angular.io/license
Source: dotnet-runtime-8.0.8-win-x64.exe String found in binary or memory: http://appsyndication.org/2006/appsyn
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000000.1461134092.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000000.1462308540.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1471849358.0000000000E50000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000000.1468484307.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1616930829.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000002.1571261458.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000000.1566788944.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000000.1569512535.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000002.1677887533.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675238127.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000000.1570510009.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000000.1661713635.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000002.1673797690.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe.5.dr String found in binary or memory: http://appsyndication.org/2006/appsynapplicationc:
Source: 475f70.msi.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 475f70.msi.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: 475f70.msi.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 475f70.msi.7.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 475f70.msi.7.dr String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: http://creativecommons.org/publicdomain/zero/1.0/
Source: 475f70.msi.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 475f70.msi.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: 475f70.msi.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 475f70.msi.7.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 475f70.msi.7.dr String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: 475f70.msi.7.dr String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: http://llvm.org
Source: powershell.exe, 00000011.00000002.1796348903.00000133C6E7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: 475f70.msi.7.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: 475f70.msi.7.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 475f70.msi.7.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: 475f70.msi.7.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: http://opensource.org/licenses/MIT
Source: powershell.exe, 00000011.00000002.1775869136.00000133B7038000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.1775869136.00000133B7038000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: System.Security.Principal.Windows.dll.7.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: powershell.exe, 00000011.00000002.1775869136.00000133B6E11000.00000004.00000800.00020000.00000000.sdmp, System.Security.Principal.Windows.dll.7.dr String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.1775869136.00000133B7038000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: http://sourceforge.net/projects/slicing-by-8/
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000002.1571589826.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000003.1570517105.0000000000FFD000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000003.1567966470.0000000000FFD000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000003.1677392852.000000000117D000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000003.1677508523.000000000117E000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000002.1678099279.000000000114F000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000003.1570121590.000000000117D000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000003.1677247150.0000000001520000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000003.1570121590.000000000115D000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000002.1678216920.000000000117F000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000003.1677480385.000000000114C000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674694226.000000000138F000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675963103.0000000003290000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675599056.000000000138F000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675520651.0000000001348000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1572901456.000000000138F000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000003.1672234596.000000000073D000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000002.1672689664.000000000073D000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000003.1671894909.0000000002860000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000003.1662198412.000000000071E000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000003.1672097034.000000000073D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://standards.iso.org/iso/19770/-2/2015/schema.xsd
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619304349.0000000000950000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619746413.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675963103.0000000003290000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1676296872.0000000003800000.00000004.00000800.00020000.00000000.sdmp, thm.xml.5.dr, thm.xml.11.dr String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619746413.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010(
Source: dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1676296872.0000000003800000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://wixtoolset.org/schemas/thmutil/2010Hd
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000011.00000002.1775869136.00000133B7038000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: 475f70.msi.7.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000011.00000002.1801555679.00000133CF1E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: http://www.mono-project.com/docs/about-mono/
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: http://www.novell.com)
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: http://www.ookii.org/software/dialogs/
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: http://www.opensource.org/licenses/bsd-license.html.
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: http://www.ryanjuckett.com/
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: http://www.xamarin.com)
Source: dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674694226.0000000001370000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675574720.0000000001370000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674946812.0000000001377000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674487308.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675599056.000000000138F000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1676296872.0000000003800000.00000004.00000800.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675599056.0000000001378000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675697765.00000000013B6000.00000004.00000020.00020000.00000000.sdmp, thm.wxl10.11.dr, thm.wxl11.11.dr, thm.wxl13.5.dr, thm.wxl10.5.dr, thm.wxl.11.dr, thm.wxl3.11.dr, thm.wxl9.11.dr, thm.wxl11.5.dr, thm.wxl2.5.dr, thm.wxl9.5.dr, thm.wxl5.11.dr String found in binary or memory: https://aka.ms/20-p2-rel-notes
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619304349.0000000000950000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675963103.0000000003290000.00000004.00000020.00020000.00000000.sdmp, thm.wxl3.5.dr String found in binary or memory: https://aka.ms/20-p2-rel-notes">Release
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/20-p2-rel-notesi
Source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5C95000.00000020.00000001.01000000.00000014.sdmp, EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp, System.ComponentModel.TypeConverter.dll.7.dr String found in binary or memory: https://aka.ms/binaryformatter
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000003.1618160355.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674694226.0000000001370000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675697765.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674946812.0000000001377000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674605915.00000000013AB000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1676296872.0000000003800000.00000004.00000800.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675599056.0000000001378000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675520651.0000000001348000.00000004.00000020.00020000.00000000.sdmp, thm.wxl10.11.dr, thm.wxl11.11.dr, thm.wxl13.5.dr, thm.wxl10.5.dr, thm.wxl.11.dr, thm.wxl3.11.dr, thm.wxl9.11.dr, thm.wxl11.5.dr, thm.wxl2.5.dr, thm.wxl9.5.dr, thm.wxl5.11.dr String found in binary or memory: https://aka.ms/dev-privacy
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619304349.0000000000950000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675963103.0000000003290000.00000004.00000020.00020000.00000000.sdmp, thm.wxl3.5.dr String found in binary or memory: https://aka.ms/dev-privacy">Privacy
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619746413.0000000002AF0000.00000004.00000800.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000003.1618136605.0000000000513000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674694226.000000000138F000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674694226.0000000001370000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674946812.0000000001377000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675599056.000000000138F000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1676296872.0000000003800000.00000004.00000800.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675599056.0000000001378000.00000004.00000020.00020000.00000000.sdmp, thm.wxl10.11.dr, thm.wxl11.11.dr, thm.wxl13.5.dr, thm.wxl10.5.dr, thm.wxl.11.dr, thm.wxl3.11.dr, thm.wxl9.11.dr, thm.wxl11.5.dr, thm.wxl2.5.dr, thm.wxl9.5.dr, thm.wxl5.11.dr String found in binary or memory: https://aka.ms/dotnet-cli-telemetry
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619304349.0000000000950000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675963103.0000000003290000.00000004.00000020.00020000.00000000.sdmp, thm.wxl3.5.dr String found in binary or memory: https://aka.ms/dotnet-cli-telemetry">.NET
Source: dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675520651.0000000001348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/dotnet-cli-telemetryy?
Source: EtEskr.exe, 00000000.00000003.1457004333.0000000005F40000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1810367539.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp, EtEskrivare.exe, 0000000F.00000000.1622493019.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: EtEskr.exe, 00000000.00000003.1457004333.0000000005F40000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1810367539.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp, EtEskrivare.exe, 0000000F.00000000.1622493019.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: https://aka.ms/dotnet-core-applaunch?Architecture:
Source: EtEskrivare.exe, 0000000F.00000002.1817141427.00007FF8FF5DB000.00000002.00000001.01000000.00000011.sdmp, hostfxr.dll.7.dr String found in binary or memory: https://aka.ms/dotnet-core-applaunch?framework=&framework_version=missing_runtime=true&arch=&rid=&os
Source: dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675520651.0000000001348000.00000004.00000020.00020000.00000000.sdmp, thm.wxl10.11.dr, thm.wxl11.11.dr, thm.wxl13.5.dr, thm.wxl10.5.dr, thm.wxl.11.dr, thm.wxl3.11.dr, thm.wxl9.11.dr, thm.wxl11.5.dr, thm.wxl2.5.dr, thm.wxl9.5.dr, thm.wxl5.11.dr String found in binary or memory: https://aka.ms/dotnet-docs
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619304349.0000000000950000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675963103.0000000003290000.00000004.00000020.00020000.00000000.sdmp, thm.wxl3.5.dr String found in binary or memory: https://aka.ms/dotnet-docs">Documentation</A>
Source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5C95000.00000020.00000001.01000000.00000014.sdmp, EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp String found in binary or memory: https://aka.ms/dotnet-illink/com
Source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5C95000.00000020.00000001.01000000.00000014.sdmp, EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp String found in binary or memory: https://aka.ms/dotnet-illink/nativehost
Source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5C95000.00000020.00000001.01000000.00000014.sdmp String found in binary or memory: https://aka.ms/dotnet-illink/nativehostt
Source: dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674694226.000000000138F000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675599056.000000000138F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/dotnet-license-windo
Source: dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675599056.000000000138F000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1676296872.0000000003800000.00000004.00000800.00020000.00000000.sdmp, thm.wxl10.11.dr, thm.wxl11.11.dr, thm.wxl13.5.dr, thm.wxl10.5.dr, thm.wxl.11.dr, thm.wxl3.11.dr, thm.wxl9.11.dr, thm.wxl11.5.dr, thm.wxl2.5.dr, thm.wxl9.5.dr, thm.wxl5.11.dr String found in binary or memory: https://aka.ms/dotnet-license-windows
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619304349.0000000000950000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675963103.0000000003290000.00000004.00000020.00020000.00000000.sdmp, thm.wxl3.5.dr String found in binary or memory: https://aka.ms/dotnet-license-windows">Licensing
Source: dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675520651.0000000001348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/dotnet-license-windowsON9;
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/dotnet-license-windowsl
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000003.1618160355.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000003.1618036147.000000000051E000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674694226.0000000001370000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674946812.0000000001377000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1676296872.0000000003800000.00000004.00000800.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675599056.0000000001378000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675520651.0000000001348000.00000004.00000020.00020000.00000000.sdmp, thm.wxl10.11.dr, thm.wxl11.11.dr, thm.wxl13.5.dr, thm.wxl10.5.dr, thm.wxl.11.dr, thm.wxl3.11.dr, thm.wxl9.11.dr, thm.wxl11.5.dr, thm.wxl2.5.dr, thm.wxl9.5.dr, thm.wxl5.11.dr String found in binary or memory: https://aka.ms/dotnet-tutorials
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619304349.0000000000950000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675963103.0000000003290000.00000004.00000020.00020000.00000000.sdmp, thm.wxl3.5.dr String found in binary or memory: https://aka.ms/dotnet-tutorials">Tutorials</A>
Source: dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674694226.0000000001370000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675574720.0000000001370000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/dotnet-tutorialsX
Source: System.Security.Cryptography.dll.7.dr String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1810367539.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp, EtEskrivare.exe, 0000000F.00000000.1622493019.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp, EtEskrivare.exe, 0000000F.00000002.1817141427.00007FF8FF5DB000.00000002.00000001.01000000.00000011.sdmp, hostfxr.dll.7.dr String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: EtEskrivare.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failedDownload
Source: EtEskrivare.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failedTo
Source: EtEskrivare.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failedWould
Source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1817141427.00007FF8FF5DB000.00000002.00000001.01000000.00000011.sdmp, hostfxr.dll.7.dr String found in binary or memory: https://aka.ms/dotnet/download
Source: EtEskrivare.exe, 0000000F.00000002.1817141427.00007FF8FF5DB000.00000002.00000001.01000000.00000011.sdmp, hostfxr.dll.7.dr String found in binary or memory: https://aka.ms/dotnet/downloadUsage:
Source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1817141427.00007FF8FF5DB000.00000002.00000001.01000000.00000011.sdmp, hostfxr.dll.7.dr String found in binary or memory: https://aka.ms/dotnet/info
Source: EtEskrivare.exe String found in binary or memory: https://aka.ms/dotnet/sdk-not-found
Source: EtEskrivare.exe, 0000000F.00000002.1817141427.00007FF8FF5DB000.00000002.00000001.01000000.00000011.sdmp, hostfxr.dll.7.dr String found in binary or memory: https://aka.ms/dotnet/sdk-not-foundFailed
Source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: powershell.exe, 00000011.00000002.1775869136.00000133B6E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: System.Data.Common.dll.7.dr String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: powershell.exe, 00000011.00000002.1775869136.00000133B7038000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: eula.rtf.11.dr String found in binary or memory: https://api.informationprotection.azure.com/api/72f988bf-86f1-41af-91ab-2d7cd011db47
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://arxiv.org/pdf/2102.06959.pdf
Source: powershell.exe, 00000011.00000002.1796348903.00000133C6E7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.1796348903.00000133C6E7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.1796348903.00000133C6E7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000003.1671894909.0000000002860000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000003.1670154868.0000000002CDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dot.net/core
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000002.1672689664.000000000070F000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000003.1672159912.000000000070C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dot.net/core:
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dot.net/coreL
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621736559.00000000006CF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000003.1621212291.00000000006CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dot.net/coreP
Source: dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675520651.0000000001348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dot.net/corej7
Source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1469104382.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1616367866.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617063137.0000000000E3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dot.net/corev
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/BurntSushi/aho-corasick
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json/blob/master/LICENSE.md
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/Microsoft/MSBuildLocator
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/Microsoft/RoslynClrHeapAllocationAnalyzer
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/NuGet/NuGet.Client/blob/dev/LICENSE.txt
Source: powershell.exe, 00000011.00000002.1775869136.00000133B7038000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/SixLabors/ImageSharp/blob/f4f689ce67ecbcc35cebddba5aacb603e6d1068a/LICENSE
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/SixLabors/ImageSharp/blob/f4f689ce67ecbcc35cebddba5aacb603e6d1068a/src/ImageSharp
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/WojciechMula/sse4-strstr)
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/aappleby/smhasher/blob/master/src/MurmurHash3.cpp
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/dotnet/aspnetcore/blob/main/LICENSE.txt
Source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816850376.00007FF8F8BB1000.00000020.00000001.01000000.00000017.sdmp, EtEskrivare.exe, 0000000F.00000002.1815219735.00007FF8E8551000.00000020.00000001.01000000.0000001B.sdmp, EtEskrivare.exe, 0000000F.00000002.1815869712.00007FF8F82D1000.00000020.00000001.01000000.00000018.sdmp, EtEskrivare.exe, 0000000F.00000002.1809939574.000001E9160F2000.00000002.00000001.01000000.00000022.sdmp, EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5C95000.00000020.00000001.01000000.00000014.sdmp, EtEskrivare.exe, 0000000F.00000002.1810003310.000001E916102000.00000002.00000001.01000000.00000023.sdmp, EtEskrivare.exe, 0000000F.00000002.1809798300.000001E915FD2000.00000002.00000001.01000000.00000021.sdmp, EtEskrivare.exe, 0000000F.00000002.1816088461.00007FF8F8371000.00000020.00000001.01000000.00000016.sdmp, EtEskrivare.exe, 0000000F.00000002.1815663224.00007FF8F0D01000.00000020.00000001.01000000.0000001A.sdmp, EtEskrivare.exe, 0000000F.00000002.1815410566.00007FF8E8571000.00000020.00000001.01000000.00000019.sdmp, System.Diagnostics.Tools.dll.7.dr, System.Text.Encodings.Web.dll.7.dr, System.Xml.XmlSerializer.dll.7.dr, System.ComponentModel.TypeConverter.dll.7.dr, System.Drawing.Primitives.dll.7.dr, System.ComponentModel.dll.7.dr, System.IO.Compression.FileSystem.dll.7.dr, System.Threading.Timer.dll.7.dr, System.Runtime.Serialization.Json.dll.7.dr, System.Net.NetworkInformation.dll.7.dr String found in binary or memory: https://github.com/dotnet/runtime
Source: System.Threading.Tasks.dll.7.dr String found in binary or memory: https://github.com/dotnet/runtime#~
Source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp String found in binary or memory: https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/
Source: System.ComponentModel.TypeConverter.dll.7.dr String found in binary or memory: https://github.com/dotnet/runtime/issues/50821
Source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp String found in binary or memory: https://github.com/dotnet/runtime/issues/71847
Source: System.Resources.Reader.dll.7.dr String found in binary or memory: https://github.com/dotnet/runtime0
Source: System.Reflection.Extensions.dll.7.dr String found in binary or memory: https://github.com/dotnet/runtime7
Source: mscorlib.dll.7.dr, System.Configuration.dll.7.dr String found in binary or memory: https://github.com/dotnet/runtime;
Source: System.Dynamic.Runtime.dll.7.dr String found in binary or memory: https://github.com/dotnet/runtime?
Source: System.Diagnostics.Debug.dll.7.dr String found in binary or memory: https://github.com/dotnet/runtimeI_#
Source: System.Globalization.Calendars.dll.7.dr String found in binary or memory: https://github.com/dotnet/runtime_
Source: System.Reflection.dll.7.dr String found in binary or memory: https://github.com/dotnet/runtimed5
Source: System.Diagnostics.Tools.dll.7.dr String found in binary or memory: https://github.com/dotnet/runtimeiT
Source: netstandard.dll.7.dr String found in binary or memory: https://github.com/dotnet/runtimem
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/dotnet/templating/blob/main/build/nuget.exe
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/intel/isa-l/blob/33a2d9484595c2d6516c920ce39a694c144ddf69/crc/crc32_ieee_by4.asm
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/intel/isa-l/blob/33a2d9484595c2d6516c920ce39a694c144ddf69/crc/crc64_ecma_norm_by8
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/lemire/fastmod)
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/lemire/fastrange)
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/madler/zlib
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/microsoft/DirectXMath/blob/master/LICENSE
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/microsoft/msquic/blob/main/LICENSE
Source: System.Data.Common.dll.7.dr String found in binary or memory: https://github.com/mono/linker/issues/1187
Source: System.ComponentModel.TypeConverter.dll.7.dr, Microsoft.VisualBasic.Core.dll.7.dr, System.Reflection.DispatchProxy.dll.7.dr String found in binary or memory: https://github.com/mono/linker/issues/1731
Source: System.ComponentModel.TypeConverter.dll.7.dr String found in binary or memory: https://github.com/mono/linker/issues/1895v
Source: System.Data.Common.dll.7.dr String found in binary or memory: https://github.com/mono/linker/issues/1981
Source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp, Microsoft.VisualBasic.Core.dll.7.dr String found in binary or memory: https://github.com/mono/linker/issues/378
Source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp String found in binary or memory: https://github.com/mono/linker/pull/649
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/nigeltao/parse-number-fxx-test-data)
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/ucb-bar/berkeley-softfloat-3
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://github.com/ucb-bar/berkeley-softfloat-3/blob/master/COPYING.txt
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://llvm.org/LICENSE.txt
Source: powershell.exe, 00000011.00000002.1796348903.00000133C6E7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://opensource.org/licenses/MIT
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://sindresorhus.com)
Source: 475f70.msi.7.dr String found in binary or memory: https://wixtoolset.org/
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://www.unicode.org/copyright.html.
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://www.unicode.org/license.html
Source: ThirdPartyNotices.txt.7.dr String found in binary or memory: https://zlib.net/zlib_license.html
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\475f6c.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI642F.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{9ACB23DB-4D32-49ED-A5E3-F4E2F8D9D2AA} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI65A7.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\475f6f.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\475f6f.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI814E.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\475f70.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI87B7.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{7FE24458-0796-4428-99C2-9A0F8DAB93CC} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8864.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\475f73.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\475f73.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8902.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\475f74.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8B45.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{3BA242F8-BDB5-4096-9FBC-333CD663BBAD} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8C11.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\475f77.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\475f77.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8E25.tmp Jump to behavior
Deletes files inside the Windows folder
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe File deleted: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\EtEskr.exe Code function: 0_2_0040E950 0_2_0040E950
Source: C:\Users\user\Desktop\EtEskr.exe Code function: 0_2_004105E0 0_2_004105E0
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00ACF018 4_2_00ACF018
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AD406A 4_2_00AD406A
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AC71EE 4_2_00AC71EE
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AC2299 4_2_00AC2299
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AC2560 4_2_00AC2560
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AC757C 4_2_00AC757C
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00ACA7B3 4_2_00ACA7B3
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AC281B 4_2_00AC281B
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00ACEB90 4_2_00ACEB90
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AC1C7D 4_2_00AC1C7D
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AB5D9B 4_2_00AB5D9B
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00ABDE46 4_2_00ABDE46
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00A97FA9 4_2_00A97FA9
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AC1FEF 4_2_00AC1FEF
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003CF018 5_2_003CF018
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003D406A 5_2_003D406A
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003C71EE 5_2_003C71EE
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003C2299 5_2_003C2299
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003C757C 5_2_003C757C
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003C2560 5_2_003C2560
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003CA7B3 5_2_003CA7B3
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003C281B 5_2_003C281B
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003CEB90 5_2_003CEB90
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003C1C7D 5_2_003C1C7D
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003B5D9B 5_2_003B5D9B
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003BDE46 5_2_003BDE46
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_00397FA9 5_2_00397FA9
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003C1FEF 5_2_003C1FEF
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D65D9B 6_2_00D65D9B
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D8406A 6_2_00D8406A
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D7F018 6_2_00D7F018
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D771EE 6_2_00D771EE
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D72299 6_2_00D72299
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D7757C 6_2_00D7757C
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D72560 6_2_00D72560
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D7A7B3 6_2_00D7A7B3
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D7281B 6_2_00D7281B
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D7EB90 6_2_00D7EB90
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D71C7D 6_2_00D71C7D
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D6DE46 6_2_00D6DE46
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D71FEF 6_2_00D71FEF
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D47FA9 6_2_00D47FA9
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00DA406A 9_2_00DA406A
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D9F018 9_2_00D9F018
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D971EE 9_2_00D971EE
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D92299 9_2_00D92299
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D9757C 9_2_00D9757C
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D92560 9_2_00D92560
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D9A7B3 9_2_00D9A7B3
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D9281B 9_2_00D9281B
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D9EB90 9_2_00D9EB90
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D91C7D 9_2_00D91C7D
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D85D9B 9_2_00D85D9B
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D8DE46 9_2_00D8DE46
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D91FEF 9_2_00D91FEF
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D67FA9 9_2_00D67FA9
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF66CB2BD80 15_2_00007FF66CB2BD80
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF66CB2E650 15_2_00007FF66CB2E650
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF66CB2C810 15_2_00007FF66CB2C810
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF66CB2F010 15_2_00007FF66CB2F010
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF66CB2CD20 15_2_00007FF66CB2CD20
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF66CB22DB0 15_2_00007FF66CB22DB0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF66CB27290 15_2_00007FF66CB27290
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF66CB2AA70 15_2_00007FF66CB2AA70
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF66CB230E0 15_2_00007FF66CB230E0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF66CB244E0 15_2_00007FF66CB244E0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8E8577520 15_2_00007FF8E8577520
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8E8575F10 15_2_00007FF8E8575F10
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8E857B180 15_2_00007FF8E857B180
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8E857F660 15_2_00007FF8E857F660
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8E857E400 15_2_00007FF8E857E400
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8E8576EE0 15_2_00007FF8E8576EE0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8E857C2B0 15_2_00007FF8E857C2B0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F0D06DB0 15_2_00007FF8F0D06DB0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8475E50 15_2_00007FF8F8475E50
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83EB4C0 15_2_00007FF8F83EB4C0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83FA940 15_2_00007FF8F83FA940
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83D3970 15_2_00007FF8F83D3970
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83E8970 15_2_00007FF8F83E8970
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8431900 15_2_00007FF8F8431900
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83DE930 15_2_00007FF8F83DE930
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8477920 15_2_00007FF8F8477920
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8470920 15_2_00007FF8F8470920
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83C49D0 15_2_00007FF8F83C49D0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F840D9F4 15_2_00007FF8F840D9F4
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83D79F0 15_2_00007FF8F83D79F0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F84139E0 15_2_00007FF8F84139E0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83F8994 15_2_00007FF8F83F8994
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83D6A50 15_2_00007FF8F83D6A50
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83FEA60 15_2_00007FF8F83FEA60
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8445AF0 15_2_00007FF8F8445AF0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83EFA98 15_2_00007FF8F83EFA98
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F841AAA4 15_2_00007FF8F841AAA4
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83E3BC8 15_2_00007FF8F83E3BC8
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83F1BE4 15_2_00007FF8F83F1BE4
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8439C50 15_2_00007FF8F8439C50
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8436C70 15_2_00007FF8F8436C70
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8499C60 15_2_00007FF8F8499C60
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83E4BF8 15_2_00007FF8F83E4BF8
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8448CD0 15_2_00007FF8F8448CD0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F842CD4C 15_2_00007FF8F842CD4C
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83D8D38 15_2_00007FF8F83D8D38
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8460D50 15_2_00007FF8F8460D50
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F851CD70 15_2_00007FF8F851CD70
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F845DD20 15_2_00007FF8F845DD20
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83C7E40 15_2_00007FF8F83C7E40
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F851AE6C 15_2_00007FF8F851AE6C
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8444E44 15_2_00007FF8F8444E44
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F84B3E68 15_2_00007FF8F84B3E68
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83C1E1C 15_2_00007FF8F83C1E1C
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8468ED8 15_2_00007FF8F8468ED8
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8427E88 15_2_00007FF8F8427E88
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8512E78 15_2_00007FF8F8512E78
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F84B4EB4 15_2_00007FF8F84B4EB4
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83CCF10 15_2_00007FF8F83CCF10
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83E7F20 15_2_00007FF8F83E7F20
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F846DFD0 15_2_00007FF8F846DFD0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8428FF4 15_2_00007FF8F8428FF4
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83CEF7C 15_2_00007FF8F83CEF7C
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8431F94 15_2_00007FF8F8431F94
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F849BF80 15_2_00007FF8F849BF80
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8448F80 15_2_00007FF8F8448F80
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F848BFB0 15_2_00007FF8F848BFB0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F851B07C 15_2_00007FF8F851B07C
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83F20B0 15_2_00007FF8F83F20B0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8437140 15_2_00007FF8F8437140
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F845E170 15_2_00007FF8F845E170
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83D8100 15_2_00007FF8F83D8100
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F84B41C4 15_2_00007FF8F84B41C4
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83CB180 15_2_00007FF8F83CB180
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F84C2184 15_2_00007FF8F84C2184
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F84101A0 15_2_00007FF8F84101A0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83DB240 15_2_00007FF8F83DB240
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83E5240 15_2_00007FF8F83E5240
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83D324C 15_2_00007FF8F83D324C
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83E6260 15_2_00007FF8F83E6260
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F846C2B8 15_2_00007FF8F846C2B8
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F84672C0 15_2_00007FF8F84672C0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F84152F0 15_2_00007FF8F84152F0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83CE278 15_2_00007FF8F83CE278
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83D6338 15_2_00007FF8F83D6338
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F84A0320 15_2_00007FF8F84A0320
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F849B390 15_2_00007FF8F849B390
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83C4378 15_2_00007FF8F83C4378
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83F03B0 15_2_00007FF8F83F03B0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8480398 15_2_00007FF8F8480398
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F84273A0 15_2_00007FF8F84273A0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F851F458 15_2_00007FF8F851F458
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F840B47C 15_2_00007FF8F840B47C
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83F6564 15_2_00007FF8F83F6564
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8484570 15_2_00007FF8F8484570
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8478530 15_2_00007FF8F8478530
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83E05B4 15_2_00007FF8F83E05B4
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83CF600 15_2_00007FF8F83CF600
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F843D610 15_2_00007FF8F843D610
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8436600 15_2_00007FF8F8436600
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85205F8 15_2_00007FF8F85205F8
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F84506D4 15_2_00007FF8F84506D4
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F84716D4 15_2_00007FF8F84716D4
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83C26B8 15_2_00007FF8F83C26B8
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83F46C8 15_2_00007FF8F83F46C8
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83E26E8 15_2_00007FF8F83E26E8
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8447680 15_2_00007FF8F8447680
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F844476C 15_2_00007FF8F844476C
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F847C770 15_2_00007FF8F847C770
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F850C718 15_2_00007FF8F850C718
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F848A7D0 15_2_00007FF8F848A7D0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83E67C0 15_2_00007FF8F83E67C0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F84277D4 15_2_00007FF8F84277D4
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F84087C0 15_2_00007FF8F84087C0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F840B7C4 15_2_00007FF8F840B7C4
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F847B7F0 15_2_00007FF8F847B7F0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8452820 15_2_00007FF8F8452820
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83C68A0 15_2_00007FF8F83C68A0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F841B898 15_2_00007FF8F841B898
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F859C140 15_2_00007FF8F859C140
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85B22F0 15_2_00007FF8F85B22F0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85AF340 15_2_00007FF8F85AF340
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8583300 15_2_00007FF8F8583300
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F859AE00 15_2_00007FF8F859AE00
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85A1690 15_2_00007FF8F85A1690
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85A2E90 15_2_00007FF8F85A2E90
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8592F90 15_2_00007FF8F8592F90
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85AE8C0 15_2_00007FF8F85AE8C0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85B0910 15_2_00007FF8F85B0910
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85969A0 15_2_00007FF8F85969A0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F858F990 15_2_00007FF8F858F990
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85AD260 15_2_00007FF8F85AD260
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85852EB 15_2_00007FF8F85852EB
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8593AB0 15_2_00007FF8F8593AB0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85893A0 15_2_00007FF8F85893A0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8595BB0 15_2_00007FF8F8595BB0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85B8410 15_2_00007FF8F85B8410
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85A44B0 15_2_00007FF8F85A44B0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85A3D30 15_2_00007FF8F85A3D30
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85AA5C0 15_2_00007FF8F85AA5C0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85A5E50 15_2_00007FF8F85A5E50
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85B1610 15_2_00007FF8F85B1610
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85B8F30 15_2_00007FF8F85B8F30
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85A7790 15_2_00007FF8F85A7790
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8591860 15_2_00007FF8F8591860
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8587020 15_2_00007FF8F8587020
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85918B9 15_2_00007FF8F85918B9
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85B58D0 15_2_00007FF8F85B58D0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85948A0 15_2_00007FF8F85948A0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85B70B0 15_2_00007FF8F85B70B0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5C58B0 15_2_00007FF8FF5C58B0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5AFF70 15_2_00007FF8FF5AFF70
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5AC71E 15_2_00007FF8FF5AC71E
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5B3520 15_2_00007FF8FF5B3520
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5A2460 15_2_00007FF8FF5A2460
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5C7340 15_2_00007FF8FF5C7340
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5CAF60 15_2_00007FF8FF5CAF60
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5C4750 15_2_00007FF8FF5C4750
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5CD7C1 15_2_00007FF8FF5CD7C1
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5BFE40 15_2_00007FF8FF5BFE40
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5BE610 15_2_00007FF8FF5BE610
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5C26C0 15_2_00007FF8FF5C26C0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5AEDF0 15_2_00007FF8FF5AEDF0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5A8C70 15_2_00007FF8FF5A8C70
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5B74E0 15_2_00007FF8FF5B74E0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5C3CD0 15_2_00007FF8FF5C3CD0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5CC350 15_2_00007FF8FF5CC350
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5D0310 15_2_00007FF8FF5D0310
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5BD3A0 15_2_00007FF8FF5BD3A0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: String function: 00007FF8F85AAA50 appears 50 times
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: String function: 00007FF8FF5BE9F0 appears 61 times
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: String function: 00007FF8F85067E4 appears 66 times
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: String function: 00007FF8F85AADA0 appears 31 times
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: String function: 00007FF8F85AA9A0 appears 101 times
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: String function: 00007FF8F85AAB00 appears 96 times
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: String function: 00007FF8FF5BEB50 appears 125 times
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: String function: 00007FF8F84C9C3C appears 166 times
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00A913B3 appears 503 times
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00AD53E7 appears 683 times
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00A929F6 appears 54 times
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00AD58CE appears 34 times
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00AD7952 appears 79 times
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00AC0B80 appears 33 times
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00DA53E7 appears 683 times
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00D629F6 appears 54 times
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00D90B80 appears 33 times
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00D613B3 appears 503 times
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00DA58CE appears 34 times
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00DA7952 appears 79 times
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00D858CE appears 34 times
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00D413B3 appears 503 times
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00D853E7 appears 683 times
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00D429F6 appears 54 times
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00D87952 appears 79 times
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 00D70B80 appears 33 times
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 003D58CE appears 34 times
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 003913B3 appears 503 times
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 003D7952 appears 79 times
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 003C0B80 appears 33 times
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 003929F6 appears 54 times
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: String function: 003D53E7 appears 683 times
PE file does not import any functions
Source: System.Reflection.Emit.dll.7.dr Static PE information: No import functions for PE file found
Source: System.IO.Compression.ZipFile.dll.7.dr Static PE information: No import functions for PE file found
Source: System.Private.CoreLib.dll.7.dr Static PE information: No import functions for PE file found
Source: System.Text.Encoding.CodePages.dll.7.dr Static PE information: No import functions for PE file found
Source: System.IO.FileSystem.AccessControl.dll.7.dr Static PE information: No import functions for PE file found
Source: System.Security.Cryptography.dll.7.dr Static PE information: No import functions for PE file found
Source: System.Diagnostics.FileVersionInfo.dll.7.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: EtEskr.exe, 00000000.00000003.1457004333.0000000005F40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameEtEskrivare.dll8 vs EtEskr.exe
Uses 32bit PE files
Source: EtEskr.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: System.IO.FileSystem.AccessControl.dll.7.dr, FileSystemAclExtensions.cs Security API names: fileInfo.GetAccessControl
Source: System.IO.FileSystem.AccessControl.dll.7.dr, FileSystemSecurity.cs Security API names: ((CommonObjectSecurity)this).AddAccessRule
Source: System.IO.FileSystem.AccessControl.dll.7.dr, FileSystemSecurity.cs Security API names: System.Security.AccessControl.FileSystemSecurity.GetAccessControlSectionsFromChanges()
Source: System.IO.FileSystem.AccessControl.dll.7.dr, FileSystemSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.GetAccessRules(bool, bool, System.Type)
Source: classification engine Classification label: mal80.troj.evad.winEXE@29/318@0/0
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00A92A4C FormatMessageW,GetLastError,LocalFree, 4_2_00A92A4C
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00A962C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 4_2_00A962C2
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003962C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 5_2_003962C2
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D462C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 6_2_00D462C2
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D662C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle, 9_2_00D662C2
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AD76B2 GetModuleHandleA,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoCreateInstance,ExitProcess, 4_2_00AD76B2
Source: C:\Users\user\Desktop\EtEskr.exe Code function: 0_2_004026B8 LoadResource,SizeofResource,FreeResource, 0_2_004026B8
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AB8718 ChangeServiceConfigW,GetLastError, 4_2_00AB8718
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Program Files\dotnet Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe File created: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5096:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_03
Source: C:\Users\user\Desktop\EtEskr.exe File created: C:\Users\user\AppData\Local\Temp\4C80.tmp Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmp\4C82.bat C:\Users\user\Desktop\EtEskr.exe"
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: cabinet.dll 4_2_00A910E1
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: msi.dll 4_2_00A910E1
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: version.dll 4_2_00A910E1
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: wininet.dll 4_2_00A910E1
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: comres.dll 4_2_00A910E1
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: clbcatq.dll 4_2_00A910E1
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: msasn1.dll 4_2_00A910E1
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: crypt32.dll 4_2_00A910E1
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: feclient.dll 4_2_00A910E1
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Command line argument: cabinet.dll 4_2_00A910E1
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: `= 5_2_003910E1
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: x= 5_2_003910E1
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: version.dll 5_2_003910E1
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: wininet.dll 5_2_003910E1
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: comres.dll 5_2_003910E1
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: clbcatq.dll 5_2_003910E1
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: = 5_2_003910E1
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: crypt32.dll 5_2_003910E1
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: feclient.dll 5_2_003910E1
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Command line argument: cabinet.dll 5_2_003910E1
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: cabinet.dll 6_2_00D410E1
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: msi.dll 6_2_00D410E1
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: version.dll 6_2_00D410E1
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: wininet.dll 6_2_00D410E1
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: comres.dll 6_2_00D410E1
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: clbcatq.dll 6_2_00D410E1
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: msasn1.dll 6_2_00D410E1
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: crypt32.dll 6_2_00D410E1
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: feclient.dll 6_2_00D410E1
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Command line argument: cabinet.dll 6_2_00D410E1
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: cabinet.dll 9_2_00D610E1
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: msi.dll 9_2_00D610E1
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: version.dll 9_2_00D610E1
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: wininet.dll 9_2_00D610E1
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: comres.dll 9_2_00D610E1
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: clbcatq.dll 9_2_00D610E1
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: msasn1.dll 9_2_00D610E1
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: crypt32.dll 9_2_00D610E1
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: feclient.dll 9_2_00D610E1
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Command line argument: cabinet.dll 9_2_00D610E1
Source: C:\Users\user\Desktop\EtEskr.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 475f70.msi.7.dr Binary or memory string: SELECT `WixDependencyProvider`.`WixDependencyProvider`, `WixDependencyProvider`.`Component_`, `WixDependencyProvider`.`ProviderKey`, `WixDependencyProvider`.`Attributes` FROM `WixDependencyProvider`SELECT `WixDependency`.`WixDependency`, `WixDependencyProvider`.`Component_`, `WixDependency`.`ProviderKey`, `WixDependency`.`MinVersion`, `WixDependency`.`MaxVersion`, `WixDependency`.`Attributes` FROM `WixDependencyProvider`, `WixDependency`, `WixDependencyRef` WHERE `WixDependency`.`WixDependency` = `WixDependencyRef`.`WixDependency_` AND `WixDependencyProvider`.`WixDependencyProvider` = `WixDependencyRef`.`WixDependencyProvider_`WixDependencyRequireFailed to initialize.Failed to initialize the registry functions.ALLUSERSFailed to ensure required dependencies for (re)installing components.WixDependencyCheckFailed to ensure absent dependents for uninstalling components.WixDependencySkipping the dependency check since no dependencies are authored.Failed to check if the WixDependency table exists.Failed to initialize the unique dependency string list.Failed to open the query view for dependencies.Failed to get WixDependency.WixDependency.Failed to get WixDependencyProvider.Component_.Skipping dependency check for %ls because the component %ls is not being (re)installed.Failed to get WixDependency.ProviderKey.Failed to get WixDependency.MinVersion.Failed to get WixDependency.MaxVersion.Failed to get WixDependency.Attributes.Failed dependency check for %ls.Failed to enumerate all of the rows in the dependency query view.Failed to create the dependency record for message %d.Unexpected message response %d from user or bootstrapper application.Failed to get the ignored dependents.ALLFailed to check if "ALL" was set in IGNOREDEPENDENCIES.Skipping the dependencies check since IGNOREDEPENDENCIES contains "ALL".WixDependencyProviderSkipping the dependents check since no dependency providers are authored.Failed to check if the WixDependencyProvider table exists.Failed to open the query view for dependency providers.Failed to get WixDependencyProvider.WixDependencyProvider.Failed to get WixDependencyProvider.Component.Skipping dependents check for %ls because the component %ls is not being uninstalled.Failed to get WixDependencyProvider.ProviderKey.Failed to get WixDependencyProvider.Attributes.Failed dependents check for %ls.Failed to enumerate all of the rows in the dependency provider query view.;IGNOREDEPENDENCIESFailed to get the string value of the IGNOREDEPENDENCIES property.Failed to create the string dictionary.Failed to ignored dependency "%ls" to the string dictionary.c:\agent\_work\36\s\wix\src\ext\dependencyextension\ca\wixdepca.cppNot enough memory to create the message record.Failed to set the message identifier into the message record.Failed to set the number of dependencies into the message record.The dependency "%ls" is missing or is not the required version.Found dependent "%ls", name: "%ls".Failed to set the dependency key "%ls" into the messa
Source: dotnet-runtime-8.0.8-win-x64.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: dotnet-runtime-8.0.8-win-x64.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: dotnet-runtime-8.0.8-win-x64.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: dotnet-runtime-8.0.8-win-x64.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: EtEskrivare.exe String found in binary or memory: %s App: %s Architecture: %s App host version: %s .NET location: %s Learn more: https://aka.ms/dotnet/app-launch-failed Download
Source: EtEskrivare.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: EtEskrivare.exe String found in binary or memory: Learn more: https://aka.ms/dotnet/app-launch-failed Would you like to download it now?
Source: EtEskrivare.exe String found in binary or memory: Learn more: https://aka.ms/dotnet/app-launch-failed To install missing framework, download: %s
Source: EtEskrivare.exe String found in binary or memory: --help
Source: EtEskrivare.exe String found in binary or memory: --help
Source: EtEskrivare.exe String found in binary or memory: -h|--help Displays this help.
Source: EtEskrivare.exe String found in binary or memory: -h|--help Displays this help.
Source: EtEskrivare.exe String found in binary or memory: Learn more:https://aka.ms/dotnet/app-launch-failedTo install missing framework, download:%s
Source: EtEskrivare.exe String found in binary or memory: %sApp: %sArchitecture: %sApp host version: %s.NET location: %sLearn more:https://aka.ms/dotnet/app-launch-failedDownload
Source: EtEskrivare.exe String found in binary or memory: Learn more:https://aka.ms/dotnet/app-launch-failedWould you like to download it now?
Source: unknown Process created: C:\Users\user\Desktop\EtEskr.exe "C:\Users\user\Desktop\EtEskr.exe"
Source: C:\Users\user\Desktop\EtEskr.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmp\4C82.bat C:\Users\user\Desktop\EtEskr.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe dotnet-runtime-8.0.8-win-x64.exe /q
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe "C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=664 -burn.filehandle.self=692 /q
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe "C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{1763F6A2-C2F4-42C9-8866-460ACDE3FA8E} {A5C335EB-CE59-4F47-9169-F2843E8F963C} 7076
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B9E5D64A3023B24E1C83A523BE5C5639
Source: unknown Process created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" /burn.runonce
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\Microsoft_.NET_Runtime_-_8.0.8_(x64)_20241003092550.log"
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=548 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\Microsoft_.NET_Runtime_-_8.0.8_(x64)_20241003092550.log"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3909D66778F6C5107F8B15D5ECB299A6
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B854354A711E3251713D5F3210D22CCB
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\EtEskrivare.exe EtEskrivare.exe
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process Add-Printer -ConnectionName \\jkp-srv0016\SHARP-SMARTPRINT "
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{90908595-DBF2-48E3-B425-27B7CE5D8A50} {A89BB288-DC86-46DD-9CDA-AF6EDBCB231B} 6500
Source: C:\Users\user\Desktop\EtEskr.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmp\4C82.bat C:\Users\user\Desktop\EtEskr.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe dotnet-runtime-8.0.8-win-x64.exe /q Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\EtEskrivare.exe EtEskrivare.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe "C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=664 -burn.filehandle.self=692 /q Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe "C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{1763F6A2-C2F4-42C9-8866-460ACDE3FA8E} {A5C335EB-CE59-4F47-9169-F2843E8F963C} 7076 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B9E5D64A3023B24E1C83A523BE5C5639 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3909D66778F6C5107F8B15D5ECB299A6 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B854354A711E3251713D5F3210D22CCB Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\Microsoft_.NET_Runtime_-_8.0.8_(x64)_20241003092550.log" Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=548 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\Microsoft_.NET_Runtime_-_8.0.8_(x64)_20241003092550.log"
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process Add-Printer -ConnectionName \\jkp-srv0016\SHARP-SMARTPRINT "
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: feclient.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: feclient.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: usoapi.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: feclient.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msi.dll Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: apphelp.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: feclient.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: iertutil.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: textinputframework.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msimg32.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: windowscodecs.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: explorerframe.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: textshaping.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: propsys.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: edputil.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: urlmon.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: srvcli.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: netutils.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: sspicli.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: appresolver.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: bcp47langs.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: slc.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: userenv.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: sppc.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: mpr.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: pcacli.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msi.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: version.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: textinputframework.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: coreuicomponents.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: srclient.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: spp.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: powrprof.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: vssapi.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: vsstrace.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: umpdc.dll
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Section loaded: usoapi.dll
Source: C:\Users\user\Desktop\EtEskr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Window detected: Number of UI elements: 21
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Window detected: Number of UI elements: 21
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Directory created: C:\Program Files\dotnet Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Directory created: C:\Program Files\dotnet\swidtag Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Directory created: C:\Program Files\dotnet\swidtag\Microsoft .NET Runtime - 8.0.8 (x64).swidtag Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ServiceProcess.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Channels.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.ThreadPool.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Algorithms.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Http.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Claims.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.Annotations.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Pipes.AccessControl.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.EventBasedAsync.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\clrgc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.TextWriterTraceListener.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Transactions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ValueTuple.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Formatters.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebSockets.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscordaccore_amd64_amd64_8.0.824.36612.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.Uri.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Emit.Lightweight.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.InteropServices.JavaScript.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.DataAnnotations.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Specialized.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Mail.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscordbi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.FileSystem.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Console.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.SecureString.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Requests.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Data.DataSetExtensions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encoding.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.RegularExpressions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.Parallel.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscorlib.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Resources.Reader.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.DataContractSerialization.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.OpenSsl.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XPath.XDocument.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Globalization.Extensions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Intrinsics.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebProxy.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XPath.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.StackTrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encodings.Web.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Data.Common.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Pipes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Numerics.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Thread.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Numerics.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\.version Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Metadata.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Principal.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Principal.Windows.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.ReaderWriter.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Core.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.Linq.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.Xml.Linq.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Configuration.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.VisualBasic.Core.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.CompilerServices.VisualC.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\netstandard.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XDocument.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.NETCore.App.runtimeconfig.json Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Formats.Tar.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.CoreLib.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Emit.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Emit.ILGeneration.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Data.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.NETCore.App.deps.json Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encoding.CodePages.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Encoding.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.FileVersionInfo.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.ZipFile.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.AccessControl.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Numerics.Vectors.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Transactions.Local.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Xml.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.DispatchProxy.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Resources.Writer.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.Xml.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.AppContext.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Expressions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encoding.Extensions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Primitives.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.Primitives.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.Win32.Registry.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XmlSerializer.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ServiceModel.Web.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Parallel.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Security.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.InteropServices.RuntimeInformation.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.Brotli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Drawing.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.Serialization.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Globalization.Calendars.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Process.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.NetworkInformation.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.DiaSymReader.Native.amd64.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.VisualBasic.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\coreclr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Buffers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.NameResolution.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Formats.Asn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Http.Json.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Immutable.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Queryable.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Ping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.HttpListener.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.Watcher.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscordaccore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.MemoryMappedFiles.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Quic.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Json.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Memory.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Extensions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.AccessControl.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Timer.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Debug.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Resources.ResourceManager.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.TraceSource.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.UnmanagedMemoryStream.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.CSharp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Web.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\WindowsBase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Concurrent.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Windows.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.TypeExtensions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebClient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Contracts.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Extensions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Loader.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.Primitives.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebSockets.Client.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.InteropServices.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebHeaderCollection.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Sockets.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.NonGeneric.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\clretwrc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Primitives.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.ServicePoint.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Tracing.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Handles.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Primitives.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.Win32.Primitives.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Globalization.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.Extensions.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Drawing.Primitives.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.DriveInfo.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Overlapped.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Primitives.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ObjectModel.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.X509Certificates.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.TypeConverter.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XmlDocument.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.CompilerServices.Unsafe.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\createdump.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Cng.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Dynamic.Runtime.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.IsolatedStorage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\msquic.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.Native.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\hostpolicy.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.DiagnosticSource.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Web.HttpUtility.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Tools.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Csp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscorrc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Json.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.Dataflow.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\clrjit.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\host Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\host\fxr Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\host\fxr\8.0.8 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\host\fxr\8.0.8\hostfxr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\dotnet.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\LICENSE.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\ThirdPartyNotices.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9ACB23DB-4D32-49ED-A5E3-F4E2F8D9D2AA} Jump to behavior
Source: EtEskr.exe Static file information: File size 28779520 > 1048576
Source: EtEskr.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1b5ce00
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: System.Threading.Thread.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Globalization.Calendars/Release/net8.0-windows/System.Globalization.Calendars.pdbSHA256y source: System.Globalization.Calendars.dll.7.dr
Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDB4yU: source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ComponentModel.ni.pdb source: System.ComponentModel.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256UR= source: System.Threading.Thread.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XmlSerializer\Release\net8.0\System.Xml.XmlSerializer.pdb source: System.Xml.XmlSerializer.dll.7.dr
Source: Binary string: System.IO.FileSystem.DriveInfo.ni.pdb source: System.IO.FileSystem.DriveInfo.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\hostpolicy\standalone\hostpolicy.pdb|||GCTL source: EtEskrivare.exe, 0000000F.00000002.1816730458.00007FF8F85C5000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.Lightweight\Release\net8.0\System.Reflection.Emit.Lightweight.pdb source: System.Reflection.Emit.Lightweight.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Contracts\Release\net8.0\System.Diagnostics.Contracts.pdbSHA256 source: System.Diagnostics.Contracts.dll.7.dr
Source: Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdbSHA256 source: netstandard.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography\Release\net8.0-windows\System.Security.Cryptography.pdb source: System.Security.Cryptography.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdbSHA256 source: EtEskrivare.exe, 0000000F.00000002.1809798300.000001E915FD2000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsG source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621532910.00000000005A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe"C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{1763F6A2-C2F4-42C9-8866-460ACDE3FA\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initializecriptions8}\.be\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROW\REGISTRY\\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_InitializeATH=\Users\t source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618442951.0000000000246000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Json\Release\net8.0\System.Runtime.Serialization.Json.pdb source: System.Runtime.Serialization.Json.dll.7.dr
Source: Binary string: System.Net.Security.ni.pdb source: System.Net.Security.dll.7.dr
Source: Binary string: /_/artifacts/obj/mscorlib/Release/net8.0-windows/mscorlib.pdbSHA256 source: mscorlib.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscoree\coreclr\coreclr.pdb source: EtEskrivare.exe, 0000000F.00000002.1814506995.00007FF8E656F000.00000002.00000001.01000000.00000013.sdmp, coreclr.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.NonGeneric\Release\net8.0\System.Collections.NonGeneric.pdb source: System.Collections.NonGeneric.dll.7.dr
Source: Binary string: System.Net.Http.Json.ni.pdb source: System.Net.Http.Json.dll.7.dr
Source: Binary string: C:\Users\user\AppData\Roaming\C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe"C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\Users\user\AppData\Roaming\dotnet-runtime\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drive\Registry\Machine\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_InitializeTRING=Defaul" source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621532910.00000000005A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Formats.Tar.ni.pdb source: System.Formats.Tar.dll.7.dr
Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBZ source: powershell.exe, 00000011.00000002.1774953336.00000133B4F50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Primitives\Release\net8.0-windows\System.Net.Primitives.pdb source: System.Net.Primitives.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Dynamic.Runtime/Release/net8.0-windows/System.Dynamic.Runtime.pdb source: System.Dynamic.Runtime.dll.7.dr
Source: Binary string: System.Collections.Specialized.ni.pdb source: System.Collections.Specialized.dll.7.dr
Source: Binary string: fuDLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86// source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Reflection.Extensions/Release/net8.0-windows/System.Reflection.Extensions.pdb source: System.Reflection.Extensions.dll.7.dr
Source: Binary string: ~ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621814525.00000000007E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815663224.00007FF8F0D01000.00000020.00000001.01000000.0000001A.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe"C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{1763F6A2-C2F4-42C9-8866-460ACDE3FA8E} {A5C335EB-CE59-4F47-9169-F2843E8F963C} 7076C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows>yT1 source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Diagnostics.Tools/Release/net8.0-windows/System.Diagnostics.Tools.pdbSHA256 source: System.Diagnostics.Tools.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Resources.Reader/Release/net8.0-windows/System.Resources.Reader.pdb source: System.Resources.Reader.dll.7.dr
Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\WixDepCA.pdb source: 475f70.msi.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Requests\Release\net8.0-windows\System.Net.Requests.pdbSHA256@ source: System.Net.Requests.dll.7.dr
Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBs source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618799073.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000003.1618160355.00000000004EF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp
Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDB?yT0 source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel\Release\net8.0\System.ComponentModel.pdb source: System.ComponentModel.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdbSHA256 source: System.Net.ServicePoint.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdbSHA256 source: EtEskrivare.exe, 0000000F.00000002.1809939574.000001E9160F2000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.Lightweight\Release\net8.0\System.Reflection.Emit.Lightweight.pdbSHA256 source: System.Reflection.Emit.Lightweight.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\fxr\standalone\hostfxr.pdb source: EtEskrivare.exe, 0000000F.00000002.1817141427.00007FF8FF5DB000.00000002.00000001.01000000.00000011.sdmp, hostfxr.dll.7.dr
Source: Binary string: System.Threading.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815663224.00007FF8F0D01000.00000020.00000001.01000000.0000001A.sdmp
Source: Binary string: /_/artifacts/obj/System.Dynamic.Runtime/Release/net8.0-windows/System.Dynamic.Runtime.pdbSHA256T/ source: System.Dynamic.Runtime.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Requests\Release\net8.0-windows\System.Net.Requests.pdb source: System.Net.Requests.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815219735.00007FF8E8551000.00000020.00000001.01000000.0000001B.sdmp
Source: Binary string: System.Net.ServicePoint.ni.pdb source: System.Net.ServicePoint.dll.7.dr
Source: Binary string: System.Threading.Channels.ni.pdb source: System.Threading.Channels.dll.7.dr
Source: Binary string: C:\Users\revse\source\repos\EtEskrivare\EtEskrivare\obj\Debug\net8.0\EtEskrivare.pdbSHA256 source: EtEskrivare.exe, 0000000F.00000002.1809730222.000001E915FC2000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: /_/artifacts/obj/System.ValueTuple/Release/net8.0-windows/System.ValueTuple.pdb source: System.ValueTuple.dll.7.dr
Source: Binary string: System.Drawing.Primitives.ni.pdb source: System.Drawing.Primitives.dll.7.dr
Source: Binary string: System.Net.NetworkInformation.ni.pdb source: System.Net.NetworkInformation.dll.7.dr
Source: Binary string: System.Reflection.Emit.ni.pdb source: System.Reflection.Emit.dll.7.dr
Source: Binary string: ming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell6{\3 source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1616512485.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617142082.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Net.WebProxy.ni.pdb source: System.Net.WebProxy.dll.7.dr
Source: Binary string: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows] source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617280358.00000000011E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ComponentModel.Primitives.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816850376.00007FF8F8BB1000.00000020.00000001.01000000.00000017.sdmp, System.ComponentModel.Primitives.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NetworkInformation\Release\net8.0-windows\System.Net.NetworkInformation.pdb source: System.Net.NetworkInformation.dll.7.dr
Source: Binary string: Microsoft.VisualBasic.Core.ni.pdb source: Microsoft.VisualBasic.Core.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Formats.Tar\Release\net8.0-windows\System.Formats.Tar.pdb source: System.Formats.Tar.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdb source: System.Configuration.dll.7.dr
Source: Binary string: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsp source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617377212.0000000002DE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Text.Encoding/Release/net8.0-windows/System.Text.Encoding.pdb source: System.Text.Encoding.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XmlSerializer\Release\net8.0\System.Xml.XmlSerializer.pdbSHA256 source: System.Xml.XmlSerializer.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdbSHA256 source: System.Net.Security.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes.AccessControl\Release\net8.0-windows\System.IO.Pipes.AccessControl.pdbSHA256 source: System.IO.Pipes.AccessControl.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdb source: System.Threading.Timer.dll.7.dr
Source: Binary string: C:\Users\user\AppData\Roaming\ETESKR~1.PDB source: EtEskr.exe, 00000000.00000003.1820842488.0000000003E68000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ~:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppD source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621814525.00000000007E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows2zT> source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Process\Release\net8.0-windows\System.Diagnostics.Process.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816088461.00007FF8F8371000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: C:\__w\1\s\artifacts\bin\windows\x64_Release_schannel\msquic.pdb source: msquic.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdb source: System.Diagnostics.Debug.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscorrc\mscorrc.pdb source: mscorrc.dll.7.dr
Source: Binary string: System.Memory.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815410566.00007FF8E8571000.00000020.00000001.01000000.00000019.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.Win32.Primitives\Release\net8.0\Microsoft.Win32.Primitives.pdb source: EtEskrivare.exe, 0000000F.00000002.1809939574.000001E9160F2000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Security\Release\net8.0-windows\System.Net.Security.pdb source: System.Net.Security.dll.7.dr
Source: Binary string: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows4 source: powershell.exe, 00000011.00000002.1775529567.00000133B5144000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: le4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(& source: EtEskrivare.exe, 0000000F.00000002.1809425032.000001E9146FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebProxy\Release\net8.0\System.Net.WebProxy.pdb source: System.Net.WebProxy.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebSockets.Client\Release\net8.0\System.Net.WebSockets.Client.pdb source: System.Net.WebSockets.Client.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.Http.Json\Release\net8.0\System.Net.Http.Json.pdb source: System.Net.Http.Json.dll.7.dr
Source: Binary string: System.Runtime.InteropServices.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815219735.00007FF8E8551000.00000020.00000001.01000000.0000001B.sdmp
Source: Binary string: /_/artifacts/obj/System.IO.Compression.FileSystem/Release/net8.0-windows/System.IO.Compression.FileSystem.pdbSHA256 source: System.IO.Compression.FileSystem.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\fxr\standalone\hostfxr.pdbxxxGCTL source: EtEskrivare.exe, 0000000F.00000002.1817141427.00007FF8FF5DB000.00000002.00000001.01000000.00000011.sdmp, hostfxr.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdbSHA256l8 source: System.Configuration.dll.7.dr
Source: Binary string: System.Net.WebSockets.ni.pdb source: System.Net.WebSockets.dll.7.dr
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: powershell.exe, 00000011.00000002.1799843422.00000133CEECF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1616512485.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617142082.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Console.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815869712.00007FF8F82D1000.00000020.00000001.01000000.00000018.sdmp, System.Console.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: EtEskrivare.exe, 0000000F.00000002.1809798300.000001E915FD2000.00000002.00000001.01000000.00000021.sdmp
Source: Binary string: System.IO.FileSystem.AccessControl.ni.pdb source: System.IO.FileSystem.AccessControl.dll.7.dr
Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDB source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621814525.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1622037561.00000000025A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621630198.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619628146.0000000002780000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618799073.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000003.1618160355.00000000004EF000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619425199.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617377212.0000000002DE0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617280358.00000000011E0000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1809425032.000001E9146F6000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1810043122.000001E916114000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1799843422.00000133CEE90000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1775778757.00000133B6AC3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1774953336.00000133B4F50000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1775529567.00000133B5144000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1775529567.00000133B5140000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbmmmGCTL source: EtEskr.exe, 00000000.00000003.1457004333.0000000005F40000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1810367539.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp, EtEskrivare.exe, 0000000F.00000000.1622493019.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: \Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617377212.0000000002DE0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.ServicePoint\Release\net8.0\System.Net.ServicePoint.pdb source: System.Net.ServicePoint.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Drawing.Primitives\Release\net8.0-windows\System.Drawing.Primitives.pdb source: System.Drawing.Primitives.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Principal.Windows\Release\net8.0-windows\System.Security.Principal.Windows.pdb source: System.Security.Principal.Windows.dll.7.dr
Source: Binary string: C:\Users\revse\source\repos\EtEskrivare\EtEskrivare\obj\Debug\net8.0\EtEskrivare.pdb source: EtEskrivare.exe, 0000000F.00000002.1809730222.000001E915FC2000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Cng/Release/net8.0-windows/System.Security.Cryptography.Cng.pdbSHA256& source: System.Security.Cryptography.Cng.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebProxy\Release\net8.0\System.Net.WebProxy.pdbSHA256 source: System.Net.WebProxy.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Resources.Reader/Release/net8.0-windows/System.Resources.Reader.pdbSHA256 source: System.Resources.Reader.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.Pipes.AccessControl\Release\net8.0-windows\System.IO.Pipes.AccessControl.pdb source: System.IO.Pipes.AccessControl.dll.7.dr
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSExecutionPolicyPreference=BypassPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsb{ source: powershell.exe, 00000011.00000002.1799843422.00000133CEF3A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdb source: System.Runtime.InteropServices.RuntimeInformation.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Serialization.Json\Release\net8.0\System.Runtime.Serialization.Json.pdbSHA256PT# source: System.Runtime.Serialization.Json.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Globalization.Calendars/Release/net8.0-windows/System.Globalization.Calendars.pdb source: System.Globalization.Calendars.dll.7.dr
Source: Binary string: /_/artifacts/obj/mscorlib/Release/net8.0-windows/mscorlib.pdb source: mscorlib.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Security.Cryptography.Cng/Release/net8.0-windows/System.Security.Cryptography.Cng.pdb source: System.Security.Cryptography.Cng.dll.7.dr
Source: Binary string: System.Reflection.DispatchProxy.ni.pdb source: System.Reflection.DispatchProxy.dll.7.dr
Source: Binary string: System.Security.Principal.Windows.ni.pdb source: System.Security.Principal.Windows.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.IO.Compression.FileSystem/Release/net8.0-windows/System.IO.Compression.FileSystem.pdb source: System.IO.Compression.FileSystem.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.NameResolution\Release\net8.0-windows\System.Net.NameResolution.pdb source: System.Net.NameResolution.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.ValueTuple/Release/net8.0-windows/System.ValueTuple.pdbSHA256b source: System.ValueTuple.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Xml.XmlDocument/Release/net8.0-windows/System.Xml.XmlDocument.pdbSHA256 source: System.Xml.XmlDocument.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdbSHA256?) source: System.Runtime.InteropServices.RuntimeInformation.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Reflection.Extensions/Release/net8.0-windows/System.Reflection.Extensions.pdbSHA256F source: System.Reflection.Extensions.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.DispatchProxy\Release\net8.0\System.Reflection.DispatchProxy.pdb source: System.Reflection.DispatchProxy.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Diagnostics.Tools/Release/net8.0-windows/System.Diagnostics.Tools.pdb source: System.Diagnostics.Tools.dll.7.dr
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsc` source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1616305982.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Private.CoreLib.ni.pdb source: EtEskrivare.exe, 0000000F.00000002.1812868156.00007FF8E5521000.00000020.00000001.01000000.00000014.sdmp
Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\wixca.pdb source: 475f70.msi.7.dr
Source: Binary string: C:\Users\user\AppData\Roaming\C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe"C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=664 -burn.filehandle.self=692 /qC:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Net.WebSockets.Client.ni.pdb source: System.Net.WebSockets.Client.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdbSHA256 source: System.ComponentModel.TypeConverter.dll.7.dr
Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\uica.pdb source: 475f70.msi.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdb source: System.Reflection.Emit.ILGeneration.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Threading.Tasks/Release/net8.0-windows/System.Threading.Tasks.pdbSHA256 source: System.Threading.Tasks.dll.7.dr
Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\burn.pdb source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000000.1461134092.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000000.1462308540.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1471849358.0000000000E50000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000000.1468484307.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1616930829.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000002.1571261458.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000000.1566788944.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000000.1569512535.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000002.1677887533.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675238127.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000000.1570510009.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000000.1661713635.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000002.1673797690.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe.5.dr
Source: Binary string: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: EtEskrivare.exe, 0000000F.00000002.1810043122.000001E916114000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.AccessControl\Release\net8.0-windows\System.IO.FileSystem.AccessControl.pdb source: System.IO.FileSystem.AccessControl.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Net.WebSockets\Release\net8.0-windows\System.Net.WebSockets.pdb source: System.Net.WebSockets.dll.7.dr
Source: Binary string: dotnet-runtime-8.0.8-win-x64.exe:32:*28453093*EtEskrivare.deps.json:32:*222*EtEskrivare.dll:32:*2409*EtEskrivare.exe:32:*63645*EtEskrivare.pdb:32:*6414*EtEskrivare.runtimeconfig.json:32:*195*L source: EtEskr.exe, 00000000.00000003.1820842488.0000000003E68000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EtEskrivare.pdb source: EtEskr.exe, 00000000.00000003.1820842488.0000000003E68000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.DispatchProxy\Release\net8.0\System.Reflection.DispatchProxy.pdbSHA256 source: System.Reflection.DispatchProxy.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.TraceSource\Release\net8.0\System.Diagnostics.TraceSource.pdb source: System.Diagnostics.TraceSource.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Memory\Release\net8.0\System.Memory.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815410566.00007FF8E8571000.00000020.00000001.01000000.00000019.sdmp
Source: Binary string: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: powershell.exe, 00000011.00000002.1775778757.00000133B6AC3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1775529567.00000133B5144000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/netstandard/Release/net8.0-windows/netstandard.pdb source: netstandard.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Data.DataSetExtensions/Release/net8.0-windows/System.Data.DataSetExtensions.pdbSHA256 source: System.Data.DataSetExtensions.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\hostpolicy\standalone\hostpolicy.pdb source: EtEskrivare.exe, 0000000F.00000002.1816730458.00007FF8F85C5000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: System.Net.NameResolution.ni.pdb source: System.Net.NameResolution.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.TypeConverter\Release\net8.0\System.ComponentModel.TypeConverter.pdb source: System.ComponentModel.TypeConverter.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Data.DataSetExtensions/Release/net8.0-windows/System.Data.DataSetExtensions.pdb source: System.Data.DataSetExtensions.dll.7.dr
Source: Binary string: ncfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Use4 source: powershell.exe, 00000011.00000002.1775529567.00000133B5144000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Reflection/Release/net8.0-windows/System.Reflection.pdb source: System.Reflection.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections.Specialized\Release\net8.0\System.Collections.Specialized.pdb source: System.Collections.Specialized.dll.7.dr
Source: Binary string: DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFil source: powershell.exe, 00000011.00000002.1775529567.00000133B5140000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsrs\userwindir=C:\WindowsdowsdowsK source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618442951.0000000000240000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdbSHA256 source: System.Threading.Timer.dll.7.dr
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsrs\userwindir=C:\Windowsdowsdows source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1616774708.0000000000C70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Text.Encodings.Web.ni.pdb source: System.Text.Encodings.Web.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\gc\clrgc.pdbMMMGCTL source: clrgc.dll.7.dr
Source: Binary string: System.Diagnostics.TraceSource.ni.pdb source: System.Diagnostics.TraceSource.dll.7.dr
Source: Binary string: C:\__w\1\s\artifacts\bin\windows\x64_Release_schannel\msquic.pdbbb6bUGP source: msquic.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.DriveInfo\Release\net8.0-windows\System.IO.FileSystem.DriveInfo.pdb source: System.IO.FileSystem.DriveInfo.dll.7.dr
Source: Binary string: C:\Users\user\AppData\Roaming\EtEskrivare.pdb source: EtEskr.exe, 00000000.00000003.1820842488.0000000003E60000.00000004.00000020.00020000.00000000.sdmp, EtEskr.exe, 00000000.00000003.1820842488.0000000003E68000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Diagnostics.Process.ni.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816088461.00007FF8F8371000.00000020.00000001.01000000.00000016.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit\Release\net8.0\System.Reflection.Emit.pdb source: System.Reflection.Emit.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.AccessControl\Release\net8.0-windows\System.Security.AccessControl.pdb source: System.Security.AccessControl.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\Microsoft.VisualBasic.Core\Release\net8.0-windows\Microsoft.VisualBasic.Core.pdb source: Microsoft.VisualBasic.Core.dll.7.dr
Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\burn.pdb4 source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000000.1461134092.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621932204.0000000000ADE000.00000002.00000001.01000000.00000005.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000000.1462308540.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618609681.00000000003DE000.00000002.00000001.01000000.00000007.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1471849358.0000000000E50000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000000.1468484307.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1616930829.0000000000D8E000.00000002.00000001.01000000.0000000C.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000002.1571261458.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000009.00000000.1566788944.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000000.1569512535.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000A.00000002.1677887533.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000002.1675238127.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000000.1570510009.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000000.1661713635.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000015.00000002.1673797690.0000000000DAE000.00000002.00000001.01000000.0000000E.sdmp, dotnet-runtime-8.0.8-win-x64.exe.5.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1815869712.00007FF8F82D1000.00000020.00000001.01000000.00000018.sdmp, System.Console.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Text.Encoding/Release/net8.0-windows/System.Text.Encoding.pdbSHA256r source: System.Text.Encoding.dll.7.dr
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: EtEskrivare.exe, 0000000F.00000002.1809425032.000001E9146F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Collections.NonGeneric.ni.pdb source: System.Collections.NonGeneric.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Threading.Tasks/Release/net8.0-windows/System.Threading.Tasks.pdb source: System.Threading.Tasks.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: EtEskr.exe, 00000000.00000003.1457004333.0000000005F40000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1810367539.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp, EtEskrivare.exe, 0000000F.00000000.1622493019.00007FF66CB37000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: \Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsZ source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1622037561.00000000025A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: b2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDB source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621630198.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1618752014.00000000004A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617033843.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, EtEskrivare.exe, 0000000F.00000002.1809425032.000001E9146FC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1774953336.00000133B4F50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppD source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619425199.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617280358.00000000011E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Security.Cryptography.ni.pdb source: System.Security.Cryptography.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Data.Common\Release\net8.0\System.Data.Common.pdb source: System.Data.Common.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.Contracts\Release\net8.0\System.Diagnostics.Contracts.pdb source: System.Diagnostics.Contracts.dll.7.dr
Source: Binary string: System.ComponentModel.TypeConverter.ni.pdb source: System.ComponentModel.TypeConverter.dll.7.dr
Source: Binary string: System.Net.Requests.ni.pdb source: System.Net.Requests.dll.7.dr
Source: Binary string: /_/artifacts/obj/System.Reflection/Release/net8.0-windows/System.Reflection.pdbSHA256 source: System.Reflection.dll.7.dr
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsRo` source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621630198.00000000006B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Channels\Release\net8.0\System.Threading.Channels.pdb source: System.Threading.Channels.dll.7.dr
Source: Binary string: \Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsx source: dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619628146.0000000002780000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\gc\clrgc.pdb source: clrgc.dll.7.dr
Source: Binary string: :\Users\user\AppData\Roaming\ETESKR~1.PDB source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621814525.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619425199.00000000009A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617280358.00000000011E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encodings.Web\Release\net8.0\System.Text.Encodings.Web.pdb source: System.Text.Encodings.Web.dll.7.dr
Source: Binary string: =::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppD source: powershell.exe, 00000011.00000002.1801555679.00000133CF208000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Xml.XmlDocument/Release/net8.0-windows/System.Xml.XmlDocument.pdb source: System.Xml.XmlDocument.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Emit.ILGeneration\Release\net8.0\System.Reflection.Emit.ILGeneration.pdbSHA256 source: System.Reflection.Emit.ILGeneration.dll.7.dr
Source: Binary string: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1622037561.00000000025A0000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619628146.0000000002780000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000005.00000002.1619425199.00000000009A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel.Primitives\Release\net8.0\System.ComponentModel.Primitives.pdb source: EtEskrivare.exe, EtEskrivare.exe, 0000000F.00000002.1816850376.00007FF8F8BB1000.00000020.00000001.01000000.00000017.sdmp, System.ComponentModel.Primitives.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\jit\clrjit.pdb source: EtEskrivare.exe, 0000000F.00000002.1816366531.00007FF8F8525000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: System.Security.AccessControl.ni.pdb source: System.Security.AccessControl.dll.7.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA256^ source: EtEskrivare.exe, 0000000F.00000002.1810003310.000001E916102000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exedotnet-runtime-8.0.8-win-x64.exe /qC:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exeWinsta0\Default=::=::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPROMPT=$P$GPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowso source: dotnet-runtime-8.0.8-win-x64.exe, 00000004.00000002.1621630198.00000000006B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/System.Diagnostics.Debug/Release/net8.0-windows/System.Diagnostics.Debug.pdbSHA256 source: System.Diagnostics.Debug.dll.7.dr
Source: Binary string: System.Data.Common.ni.pdb source: System.Data.Common.dll.7.dr
Source: Binary string: ::\=C:=C:\Users\user\AppData\RoamingALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\Roamingb2eincfile1=C:\Users\user\AppData\Roaming\DOTNET~1.EXEb2eincfile2=C:\Users\user\AppData\Roaming\ETESKR~1.JSOb2eincfile3=C:\Users\user\AppData\Roaming\ETESKR~1.DLLb2eincfile4=C:\Users\user\AppData\Roaming\ETESKR~1.EXEb2eincfile5=C:\Users\user\AppData\Roaming\ETESKR~1.PDBb2eincfile6=C:\Users\user\AppData\Roaming\ETESKR~2.JSOb2eincfilecount=6b2eincfilepath=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet E source: dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000003.1616512485.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, dotnet-runtime-8.0.8-win-x64.exe, 00000006.00000002.1617142082.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: EtEskrivare.exe, 0000000F.00000002.1810003310.000001E916102000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: System.Net.Primitives.ni.pdb source: System.Net.Primitives.dll.7.dr

Data Obfuscation
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\EtEskr.exe Unpacked PE file: 0.2.EtEskr.exe.400000.0.unpack
Yara detected Babadeda
Source: Yara match File source: EtEskr.exe, type: SAMPLE
Binary contains a suspicious time stamp
Source: EtEskrivare.dll.0.dr Static PE information: 0x88F8F208 [Mon Oct 27 09:51:04 2042 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\EtEskr.exe Code function: 0_2_0040A83A LoadLibraryW,GetProcAddress,wcscpy,wcscat,wcslen,CoTaskMemFree,FreeLibrary,wcscat,wcslen, 0_2_0040A83A
PE file contains sections with non-standard names
Source: EtEskr.exe Static PE information: section name: .code
Source: dotnet-runtime-8.0.8-win-x64.exe.0.dr Static PE information: section name: .wixburn
Source: dotnet-runtime-8.0.8-win-x64.exe.4.dr Static PE information: section name: .wixburn
Source: dotnet-runtime-8.0.8-win-x64.exe.5.dr Static PE information: section name: .wixburn
Source: dotnet-runtime-8.0.8-win-x64.exe.6.dr Static PE information: section name: .wixburn
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AC0BC6 push ecx; ret 4_2_00AC0BD9
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00ADCD63 push ecx; ret 4_2_00ADCD76
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003C0BC6 push ecx; ret 5_2_003C0BD9
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003DCD63 push ecx; ret 5_2_003DCD76
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D70BC6 push ecx; ret 6_2_00D70BD9
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D8CD63 push ecx; ret 6_2_00D8CD76
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D90BC6 push ecx; ret 9_2_00D90BD9
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00DACD63 push ecx; ret 9_2_00DACD76
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8E857286C push rsi; iretd 15_2_00007FF8E857286F
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8E8573481 push rdi; retf 15_2_00007FF8E8573494
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F82D3630 push rax; iretd 15_2_00007FF8F82D3631
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F82D21F8 push rcx; retf 15_2_00007FF8F82D2223
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8373A76 push rax; iretd 15_2_00007FF8F8373A79
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F837150C push rax; retf 0000h 15_2_00007FF8F837150D
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F83F50F4 push 2B41000Eh; iretd 15_2_00007FF8F83F50F9
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F8584A1B pushfq ; retf 15_2_00007FF8F8584A27
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5CCCF6 push rbp; retf 15_2_00007FF8FF5CCCF9
Source: System.Text.Encoding.CodePages.dll.7.dr Static PE information: section name: .text entropy: 7.522662314992507
Drops PE files
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.Linq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Tools.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\netstandard.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Numerics.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8E25.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Overlapped.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\coreclr.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.Uri.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Contracts.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Specialized.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.TypeConverter.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.DiagnosticSource.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Claims.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Http.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.ZipFile.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscorlib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\WindowsBase.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XPath.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.NetworkInformation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.CompilerServices.VisualC.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Pipes.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.NameResolution.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.CSharp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.IsolatedStorage.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.ThreadPool.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Windows.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Web.HttpUtility.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebSockets.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Resources.Reader.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Csp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XDocument.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\clrgc.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Memory.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.Native.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.Dataflow.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Resources.Writer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Queryable.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Formatters.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscordaccore.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Timer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Numerics.Vectors.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Extensions.dll Jump to dropped file
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Users\user\AppData\Local\Temp\{06E7DC8A-B849-4DE7-BE70-6356A189BCCF}\.ba\wixstdba.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Parallel.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.DiaSymReader.Native.amd64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.FileVersionInfo.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Handles.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Drawing.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Emit.Lightweight.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.TraceSource.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.CompilerServices.Unsafe.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscordaccore_amd64_amd64_8.0.824.36612.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.Win32.Registry.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encodings.Web.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Channels.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.DataAnnotations.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.CoreLib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.OpenSsl.dll Jump to dropped file
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Numerics.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\hostpolicy.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.AppContext.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Data.Common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ValueTuple.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Requests.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encoding.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\dotnet.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Cng.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Transactions.Local.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.X509Certificates.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebSockets.Client.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Emit.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Configuration.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.AccessControl.dll Jump to dropped file
Source: C:\Users\user\Desktop\EtEskr.exe File created: C:\Users\user\AppData\Roaming\EtEskrivare.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Algorithms.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Formats.Asn1.dll Jump to dropped file
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\wixstdba.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Buffers.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XmlDocument.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Drawing.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Ping.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscorrc.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Concurrent.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.TypeExtensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscordbi.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Immutable.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Http.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\clrjit.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ServiceProcess.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Metadata.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebHeaderCollection.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.TextWriterTraceListener.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.Xml.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Transactions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Primitives.dll Jump to dropped file
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe File created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Pipes.AccessControl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.StackTrace.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Tracing.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\clretwrc.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.HttpListener.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.SecureString.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.AccessControl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebClient.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ObjectModel.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Emit.ILGeneration.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8B45.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Encoding.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Web.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Thread.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.VisualBasic.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.RegularExpressions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Globalization.Calendars.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Formats.Tar.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Resources.ResourceManager.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.Parallel.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encoding.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Data.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Debug.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.NonGeneric.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.InteropServices.JavaScript.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encoding.CodePages.dll Jump to dropped file
Source: C:\Users\user\Desktop\EtEskr.exe File created: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.InteropServices.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Expressions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\createdump.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI642F.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.ReaderWriter.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.UnmanagedMemoryStream.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.Annotations.dll Jump to dropped file
Source: C:\Users\user\Desktop\EtEskr.exe File created: C:\Users\user\AppData\Roaming\EtEskrivare.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Process.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Xml.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.FileSystem.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.ServicePoint.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI87B7.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Intrinsics.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Sockets.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Principal.Windows.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Dynamic.Runtime.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.Watcher.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.VisualBasic.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Mail.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Console.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Data.DataSetExtensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Loader.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.InteropServices.RuntimeInformation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.DispatchProxy.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Quic.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Principal.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8902.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XmlSerializer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Security.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\host\fxr\8.0.8\hostfxr.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.Xml.Linq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.Brotli.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.EventBasedAsync.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Globalization.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Globalization.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ServiceModel.Web.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.DataContractSerialization.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebProxy.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI814E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\msquic.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XPath.XDocument.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.Win32.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.MemoryMappedFiles.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.Serialization.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.DriveInfo.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe File created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\wixstdba.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI814E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI642F.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8B45.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8E25.tmp Jump to dropped file
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8902.tmp Jump to dropped file
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI87B7.tmp Jump to dropped file
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\eula.rtf Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\LICENSE.txt Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe File created: C:\Users\user\AppData\Local\Temp\{06E7DC8A-B849-4DE7-BE70-6356A189BCCF}\.ba\eula.rtf
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {d42cea76-6b02-403c-8fa9-b35c717db802} Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {d42cea76-6b02-403c-8fa9-b35c717db802} Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {d42cea76-6b02-403c-8fa9-b35c717db802} Jump to behavior
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {d42cea76-6b02-403c-8fa9-b35c717db802} Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {d42cea76-6b02-403c-8fa9-b35c717db802}
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {d42cea76-6b02-403c-8fa9-b35c717db802}
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {d42cea76-6b02-403c-8fa9-b35c717db802}
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {d42cea76-6b02-403c-8fa9-b35c717db802}

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\EtEskr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Memory allocated: 1E915FA0000 memory reserve | memory write watch
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F848A4B0 rdtsc 15_2_00007FF8F848A4B0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\EtEskr.exe Window / User API: threadDelayed 1029 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5881
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3765
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.Linq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Tools.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\netstandard.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Numerics.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Overlapped.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8E25.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\coreclr.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.Uri.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Contracts.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Specialized.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.TypeConverter.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.DiagnosticSource.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Claims.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Http.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.ZipFile.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscorlib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\WindowsBase.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XPath.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.NetworkInformation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.CompilerServices.VisualC.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Pipes.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.IsolatedStorage.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.CSharp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.NameResolution.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.ThreadPool.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Windows.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Web.HttpUtility.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebSockets.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Resources.Reader.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Csp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XDocument.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\clrgc.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Memory.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.Native.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.Dataflow.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Resources.Writer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Queryable.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Formatters.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscordaccore.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Timer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Numerics.Vectors.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Extensions.dll Jump to dropped file
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{06E7DC8A-B849-4DE7-BE70-6356A189BCCF}\.ba\wixstdba.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Parallel.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.DiaSymReader.Native.amd64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Drawing.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.FileVersionInfo.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Handles.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.TraceSource.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Emit.Lightweight.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.CompilerServices.Unsafe.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.Win32.Registry.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscordaccore_amd64_amd64_8.0.824.36612.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encodings.Web.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Channels.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.DataAnnotations.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.OpenSsl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.CoreLib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Numerics.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\hostpolicy.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.AppContext.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Data.Common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Requests.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ValueTuple.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encoding.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\dotnet.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Cng.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Transactions.Local.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.X509Certificates.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebSockets.Client.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Configuration.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Emit.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.AccessControl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Algorithms.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Formats.Asn1.dll Jump to dropped file
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Dropped PE file which has not been started: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\wixstdba.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Buffers.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XmlDocument.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Drawing.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscorrc.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Ping.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Concurrent.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.TypeExtensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\mscordbi.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.Immutable.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Http.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\clrjit.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ServiceProcess.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Metadata.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebHeaderCollection.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.TextWriterTraceListener.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.Xml.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Transactions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Pipes.AccessControl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.StackTrace.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Tracing.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\clretwrc.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.HttpListener.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.SecureString.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.AccessControl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebClient.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ObjectModel.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.Emit.ILGeneration.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8B45.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Web.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Cryptography.Encoding.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Thread.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.VisualBasic.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.RegularExpressions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Globalization.Calendars.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Formats.Tar.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.Parallel.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Resources.ResourceManager.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encoding.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Data.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Debug.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.NonGeneric.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.InteropServices.JavaScript.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Text.Encoding.CodePages.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.InteropServices.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Linq.Expressions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\createdump.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.ReaderWriter.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI642F.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.UnmanagedMemoryStream.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.Annotations.dll Jump to dropped file
Source: C:\Users\user\Desktop\EtEskr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\EtEskrivare.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Diagnostics.Process.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Xml.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.FileSystem.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.ServicePoint.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Intrinsics.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI87B7.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Sockets.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Dynamic.Runtime.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Principal.Windows.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Threading.Tasks.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.Watcher.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Mail.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.VisualBasic.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Console.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Data.DataSetExtensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Loader.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.InteropServices.RuntimeInformation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.DispatchProxy.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Quic.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.Principal.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8902.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Runtime.Serialization.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Security.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XmlSerializer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\host\fxr\8.0.8\hostfxr.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.Security.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.Xml.Linq.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.Compression.Brotli.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ComponentModel.EventBasedAsync.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Reflection.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Globalization.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Globalization.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.ServiceModel.Web.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Private.DataContractSerialization.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Collections.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Net.WebProxy.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI814E.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\msquic.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\Microsoft.Win32.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.XPath.XDocument.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.MemoryMappedFiles.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.IO.FileSystem.DriveInfo.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.8\System.Xml.Serialization.dll Jump to dropped file
Found evaded block containing many API calls
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Evaded block: after key decision
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Evaded block: after key decision
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Evaded block: after key decision
Found evasive API chain (date check)
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe API coverage: 9.1 %
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe API coverage: 5.9 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\EtEskr.exe TID: 6440 Thread sleep count: 1029 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe TID: 4984 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 800 Thread sleep count: 5881 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 800 Thread sleep count: 3765 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3412 Thread sleep time: -5534023222112862s >= -30000s
Sleep loop found (likely to delay execution)
Source: C:\Users\user\Desktop\EtEskr.exe Thread sleep count: Count: 1029 delay: -25 Jump to behavior
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AD506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00AD5108h 4_2_00AD506D
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AD506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00AD5101h 4_2_00AD506D
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003D506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 003D5108h 5_2_003D506D
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003D506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 003D5101h 5_2_003D506D
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D8506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00D85108h 6_2_00D8506D
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D8506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00D85101h 6_2_00D8506D
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00DA506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00DA5108h 9_2_00DA506D
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00DA506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00DA5101h 9_2_00DA506D
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00A91700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose, 4_2_00A91700
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00A93B2C FindFirstFileW,FindClose, 4_2_00A93B2C
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00ACC1FB FindFirstFileExW, 4_2_00ACC1FB
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AAB79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 4_2_00AAB79F
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_00391700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose, 5_2_00391700
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003AB79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 5_2_003AB79F
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_00393B2C FindFirstFileW,FindClose, 5_2_00393B2C
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003CC1FB FindFirstFileExW, 5_2_003CC1FB
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D5B79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 6_2_00D5B79F
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D41700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose, 6_2_00D41700
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D43B2C FindFirstFileW,FindClose, 6_2_00D43B2C
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D7C1FB FindFirstFileExW, 6_2_00D7C1FB
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D63B2C FindFirstFileW,FindClose, 9_2_00D63B2C
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D9C1FB FindFirstFileExW, 9_2_00D9C1FB
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D7B79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose, 9_2_00D7B79F
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D61700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose, 9_2_00D61700
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF66CB2CD20 GetFileAttributesExW,GetFullPathNameW,GetFullPathNameW,_invalid_parameter_noinfo_noreturn,GetFileAttributesExW,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,Concurrency::cancel_current_task, 15_2_00007FF66CB2CD20
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85B0910 FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn, 15_2_00007FF8F85B0910
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5C58B0 FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn, 15_2_00007FF8FF5C58B0
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00ABFC6A VirtualQuery,GetSystemInfo, 4_2_00ABFC6A
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\EtEskr.exe File opened: C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmp\4C82.tmp Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe File opened: C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmp Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe File opened: C:\Users\user\AppData\Local\Temp\4C80.tmp Jump to behavior
Source: C:\Users\user\Desktop\EtEskr.exe File opened: C:\Users\user\ Jump to behavior
Source: powershell.exe, 00000011.00000002.1775869136.00000133B7038000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000011.00000002.1775869136.00000133B7038000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: dotnet-runtime-8.0.8-win-x64.exe, 0000000B.00000003.1674487308.00000000013D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}V
Source: powershell.exe, 00000011.00000002.1775869136.00000133B7038000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F848A4B0 rdtsc 15_2_00007FF8F848A4B0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AC8567 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00AC8567
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\EtEskr.exe Code function: 0_2_0040A83A LoadLibraryW,GetProcAddress,wcscpy,wcscat,wcslen,CoTaskMemFree,FreeLibrary,wcscat,wcslen, 0_2_0040A83A
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AC98C7 mov ecx, dword ptr fs:[00000030h] 4_2_00AC98C7
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00ACCFDC mov eax, dword ptr fs:[00000030h] 4_2_00ACCFDC
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003C98C7 mov ecx, dword ptr fs:[00000030h] 5_2_003C98C7
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003CCFDC mov eax, dword ptr fs:[00000030h] 5_2_003CCFDC
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D798C7 mov ecx, dword ptr fs:[00000030h] 6_2_00D798C7
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D7CFDC mov eax, dword ptr fs:[00000030h] 6_2_00D7CFDC
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D998C7 mov ecx, dword ptr fs:[00000030h] 9_2_00D998C7
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D9CFDC mov eax, dword ptr fs:[00000030h] 9_2_00D9CFDC
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00A950E9 GetProcessHeap,RtlAllocateHeap, 4_2_00A950E9
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\EtEskr.exe Code function: 0_2_00409950 SetUnhandledExceptionFilter, 0_2_00409950
Source: C:\Users\user\Desktop\EtEskr.exe Code function: 0_2_00409930 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 0_2_00409930
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AC0469 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00AC0469
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AC8567 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00AC8567
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AC0934 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00AC0934
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AC0AC7 SetUnhandledExceptionFilter, 4_2_00AC0AC7
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003C0469 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_003C0469
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003C8567 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_003C8567
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003C0934 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_003C0934
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Code function: 5_2_003C0AC7 SetUnhandledExceptionFilter, 5_2_003C0AC7
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D70469 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00D70469
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D78567 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00D78567
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D70934 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00D70934
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Code function: 6_2_00D70AC7 SetUnhandledExceptionFilter, 6_2_00D70AC7
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D90469 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00D90469
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D98567 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00D98567
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D90934 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00D90934
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Code function: 9_2_00D90AC7 SetUnhandledExceptionFilter, 9_2_00D90AC7
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF66CB319C0 SetUnhandledExceptionFilter, 15_2_00007FF66CB319C0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF66CB3167C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00007FF66CB3167C
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF66CB3181C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00007FF66CB3181C
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F84C3DA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00007FF8F84C3DA0
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85BD9BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00007FF8F85BD9BC
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8F85BDB54 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00007FF8F85BDB54
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5D3FDC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00007FF8FF5D3FDC
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Code function: 15_2_00007FF8FF5D3E2C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00007FF8FF5D3E2C
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion
barindex
Bypasses PowerShell execution policy
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process Add-Printer -ConnectionName \\jkp-srv0016\SHARP-SMARTPRINT "
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\EtEskr.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\4C80.tmp\4C81.tmp\4C82.bat C:\Users\user\Desktop\EtEskr.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe dotnet-runtime-8.0.8-win-x64.exe /q Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\EtEskrivare.exe EtEskrivare.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe "C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=664 -burn.filehandle.self=692 /q Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe "C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe" -q -burn.elevated BurnPipe.{1763F6A2-C2F4-42C9-8866-460ACDE3FA8E} {A5C335EB-CE59-4F47-9169-F2843E8F963C} 7076 Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe "C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=548 /quiet /burn.log.append "C:\Users\user\AppData\Local\Temp\Microsoft_.NET_Runtime_-_8.0.8_(x64)_20241003092550.log"
Source: C:\Users\user\AppData\Roaming\EtEskrivare.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command " Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process Add-Printer -ConnectionName \\jkp-srv0016\SHARP-SMARTPRINT "
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe "c:\programdata\package cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="c:\programdata\package cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=548 /quiet /burn.log.append "c:\users\user\appdata\local\temp\microsoft_.net_runtime_-_8.0.8_(x64)_20241003092550.log"
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Process created: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe "c:\programdata\package cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.clean.room="c:\programdata\package cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=548 /quiet /burn.log.append "c:\users\user\appdata\local\temp\microsoft_.net_runtime_-_8.0.8_(x64)_20241003092550.log"
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AD5D9B InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree, 4_2_00AD5D9B
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AD80B4 AllocateAndInitializeSid,CheckTokenMembership, 4_2_00AD80B4
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AC0CF7 cpuid 4_2_00AC0CF7
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Queries volume information: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\bg.png VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Queries volume information: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\bg.png VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Queries volume information: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\bg.png VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Queries volume information: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\bg.png VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Queries volume information: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\bg.png VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Queries volume information: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\bg.png VolumeInformation Jump to behavior
Source: C:\Windows\Temp\{C6D76B1E-88AD-4EAE-8BC3-DDAF315F7917}\.cr\dotnet-runtime-8.0.8-win-x64.exe Queries volume information: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.ba\bg.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{06E7DC8A-B849-4DE7-BE70-6356A189BCCF}\.ba\bg.png VolumeInformation
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{06E7DC8A-B849-4DE7-BE70-6356A189BCCF}\.ba\bg.png VolumeInformation
Source: C:\ProgramData\Package Cache\{d42cea76-6b02-403c-8fa9-b35c717db802}\dotnet-runtime-8.0.8-win-x64.exe Queries volume information: C:\Users\user\AppData\Local\Temp\{06E7DC8A-B849-4DE7-BE70-6356A189BCCF}\.ba\bg.png VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AA6BA2 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree, 4_2_00AA6BA2
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00AD506D EnterCriticalSection,GetCurrentProcessId,GetCurrentThreadId,GetLocalTime,LeaveCriticalSection, 4_2_00AD506D
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00A97E8C GetUserNameW,GetLastError, 4_2_00A97E8C
Source: C:\Users\user\AppData\Roaming\dotnet-runtime-8.0.8-win-x64.exe Code function: 4_2_00ADBE87 GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime, 4_2_00ADBE87
Source: C:\Users\user\Desktop\EtEskr.exe Code function: 0_2_0040559A GetVersionExW,GetVersionExW, 0_2_0040559A
Source: C:\Windows\Temp\{E3D3D025-2D0A-482D-A950-2A2E2CFDD7F8}\.be\dotnet-runtime-8.0.8-win-x64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1524996 Sample: EtEskr.exe Startdate: 03/10/2024 Architecture: WINDOWS Score: 80 76 Antivirus / Scanner detection for submitted sample 2->76 78 Yara detected Babadeda 2->78 80 Machine Learning detection for sample 2->80 82 Yara detected Generic Downloader 2->82 9 msiexec.exe 458 276 2->9         started        12 EtEskr.exe 14 2->12         started        15 dotnet-runtime-8.0.8-win-x64.exe 2->15         started        process3 file4 54 C:\Program Files\dotnet\...\netstandard.dll, PE32 9->54 dropped 56 C:\Program Files\dotnet\shared\...\System.dll, PE32 9->56 dropped 58 C:\Program Files\dotnet\...\System.Net.dll, PE32 9->58 dropped 66 186 other files (none is malicious) 9->66 dropped 17 msiexec.exe 9->17         started        19 msiexec.exe 9->19         started        21 msiexec.exe 9->21         started        60 C:\Users\user\AppData\...tEskrivare.exe, PE32+ 12->60 dropped 62 C:\Users\...\dotnet-runtime-8.0.8-win-x64.exe, PE32 12->62 dropped 64 C:\Users\user\AppData\...tEskrivare.dll, PE32 12->64 dropped 88 Detected unpacking (overwrites its own PE header) 12->88 23 cmd.exe 1 12->23         started        25 dotnet-runtime-8.0.8-win-x64.exe 15->25         started        signatures5 process6 process7 27 EtEskrivare.exe 23->27         started        30 dotnet-runtime-8.0.8-win-x64.exe 3 23->30         started        33 conhost.exe 23->33         started        35 dotnet-runtime-8.0.8-win-x64.exe 25->35         started        file8 86 Bypasses PowerShell execution policy 27->86 37 powershell.exe 27->37         started        40 conhost.exe 27->40         started        72 C:\...\dotnet-runtime-8.0.8-win-x64.exe, PE32 30->72 dropped 42 dotnet-runtime-8.0.8-win-x64.exe 46 30->42         started        74 C:\Users\user\AppData\Local\...\wixstdba.dll, PE32 35->74 dropped 45 dotnet-runtime-8.0.8-win-x64.exe 35->45         started        signatures9 process10 file11 84 Loading BitLocker PowerShell Module 37->84 47 conhost.exe 37->47         started        68 C:\...\dotnet-runtime-8.0.8-win-x64.exe, PE32 42->68 dropped 70 C:\Windows\Temp\...\wixstdba.dll, PE32 42->70 dropped 49 dotnet-runtime-8.0.8-win-x64.exe 28 16 42->49         started        signatures12 process13 file14 52 C:\...\dotnet-runtime-8.0.8-win-x64.exe, PE32 49->52 dropped
No contacted IP infos