bf61725252e75a858aa9718fdb74a4be4f69c329c4d05942e38745fa0051a4ec

Analysis

max time kernel
54s
max time network
17s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

121.5MB
MD5

91be6f42b8eff620680bb51261fe7b73
SHA1

7dd01bfdd49c7feba43c81f529655e26d3f3afcf
SHA256

bf61725252e75a858aa9718fdb74a4be4f69c329c4d05942e38745fa0051a4ec
SHA512

6401d344a2932adca3479ef6f02808def821353d7a4905785065be19ebc43ba0a393569991d15e32204698b5cee3acfe0454a999eb21b367881beef735191024
SSDEEP

3145728:NEDr31IQPzLxShJXBsORpRy7/LMQWp7Jv90ZWiJhqx:qr31IULxcCO87/LMvpV+ZVq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2328	ISBEW64.exe
2416	ISBEW64.exe
540	ISBEW64.exe
1468	ISBEW64.exe
1848	ISBEW64.exe
452	ISBEW64.exe
864	ISBEW64.exe
1880	ISBEW64.exe
332	ISBEW64.exe
1036	ISBEW64.exe
620	ISBEW64.exe
2100	ISBEW64.exe
816	ISBEW64.exe
1568	ISBEW64.exe
1244	ISBEW64.exe
1700	ISBEW64.exe
2576	ISBEW64.exe
2700	ISBEW64.exe
1724	ISBEW64.exe
2560	ISBEW64.exe
2740	ISBEW64.exe
3056	ISBEW64.exe
2508	ISBEW64.exe
1240	ISBEW64.exe
2464	ISBEW64.exe
2796	ISBEW64.exe
2852	ISBEW64.exe
3028	ISBEW64.exe
2932	ISBEW64.exe
1432	ISBEW64.exe
2664	ISBEW64.exe
1940	ISBEW64.exe
1956	ISBEW64.exe
1924	ISBEW64.exe
2900	ISBEW64.exe
1788	ISBEW64.exe
712	ISBEW64.exe
596	ISBEW64.exe
840	ISBEW64.exe
1772	ISBEW64.exe
1136	ISBEW64.exe
1340	ISBEW64.exe
1980	ISBEW64.exe
960	ISBEW64.exe
2584	ISBEW64.exe
2592	ISBEW64.exe
1664	ISBEW64.exe
2740	ISBEW64.exe
2480	ISBEW64.exe
2576	ISBEW64.exe
2452	ISBEW64.exe
2984	ISBEW64.exe
1620	ISBEW64.exe
1516	ISBEW64.exe
2820	ISBEW64.exe
2768	ISBEW64.exe
2648	ISBEW64.exe
2644	ISBEW64.exe
1592	ISBEW64.exe
876	ISBEW64.exe
2996	ISBEW64.exe
2284	ISBEW64.exe
2356	ISBEW64.exe
2896	ISBEW64.exe

Loads dropped DLL 64 IoCs

pid	Process
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
1312	MsiExec.exe
2572	MsiExec.exe
2572	MsiExec.exe
2572	MsiExec.exe
2572	MsiExec.exe
2572	MsiExec.exe
2572	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msxml4.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msxml4r.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ResMed\DeviceScan\DeviceMetadata\MetaData_S9_ASET_EPR_1A_1.txt	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\XML_Metadata\data\LoggedDataMeta_4.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\XML_Metadata\data\SmartCardMeta_9.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\Therapies\XML_Config\APAP.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\Therapies\XML_Config\AutoSet_S10.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Drivers\ResMed USB Adapter\DrvDisk\x64\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Drivers\Data Card\x86\Russian.mst	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\HTML2PDFX\QtCore4.dll	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Language_0816.dll	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Plugins\PatientNotes.rpi	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\ResScan.crc	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\Therapies\XML_Config\Spontaneous_Timed_S10.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\Therapies\XML_Config\TherapyDef.xsd	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\DeviceMetadata\MetaData_S9_AUTO_25_1A_5.txt	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\XML_Metadata\data\LoggedDataMeta_2.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Drivers\Data Card\x86\Korean.mst	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\DeviceMetadata\MetaData_S9_VP_STA_US_1A_12.txt	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\Therapies\XML_Config\Timed_V10.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\Therapies\XML_Config\CPAP_PIONEER_REAL.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\Therapies\XML_Config\VAuto_S9.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Drivers\Data Card\x64\Arabic.mst	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Drivers\Data Card\x86\Danish.mst	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\DeviceMetadata\MetaData_S9_ASETCSA_C_1A_11.txt	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Drivers\Data Card\x64\Czech.mst	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Drivers\ResMed USB Adapter\DrvDisk\ResMedUSBInstaller.exe	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Clinical.dll	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\ReportSchemes\Detailed Data.rml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Drivers\ResMed USB Adapter\DrvDisk\x64\rmdvcpser.sys	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\DeviceMetadata\MetaData_S9_HOSP_US_1A_1A.txt	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\DeviceMetadata\MetaData_S9_VPAPST_1A_7.txt	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Language_041D.dll	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\Therapies\XML_Config\IVAPS_S9.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Drivers\Data Card\x86\Greek.mst	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Drivers\Data Card\x86\Polish.mst	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\HTML2PDFX\QtWebKit4.dll	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\DeviceMetadata\MetaData_S9_HOSP_1A_1B.txt	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\OLE32.DLL	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\ReportSchemes\30 Day Compliance.rml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\Therapies\XML_Config\CPAP_S9.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\Therapies\XML_Config\Spontaneous_Timed_S100.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\Therapies\XML_Config\Spontaneous_Timed_S9.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\HTML2PDFX\QtGui4.dll	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\DeviceMetadata\MetaData_M36_V28_24_1C.txt	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Drivers\Data Card\x64\Hungarian.mst	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\XML_Metadata\data\ParametersMeta_5.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Drivers\Data Card\x86\Italian.mst	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\DeviceMetadata\MetaData_M36_V34_24_22.txt	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\VCLBDE50.BPL	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\msvcrt40.dll	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\XML_Metadata\data\SmartCardMeta_3.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Drivers\Data Card\x86\Dutch.mst	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\DeviceMetadata\MetaData_AST.txt	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\DeviceMetadata\MetaData_M36_V26_24_1A.txt	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Export.crc	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\XML_Metadata\data\LoggedDataMeta_8.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Drivers\Data Card\x64\Spanish.mst	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Drivers\ResMed USB Adapter\DrvDisk\rmdvcp.inf	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\ReportSchemes\Device Log.rml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\Therapies\XML_Config\Spontaneous_Enhanced.xml	msiexec.exe
File created	C:\Program Files (x86)\ResMed\ResScan3\Drivers\Data Card\x64\Swedish.mst	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\DeviceMetadata\MetaData_S9_VPAP_SAAP_1A_19.txt	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\DeviceMetadata\MetaData_S9_ELITE_EPR_1A_2.txt	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\DeviceMetadata\MetaData_S9_VPAP_ADPT_1A_D.txt	msiexec.exe
File created	C:\Program Files (x86)\ResMed\DeviceScan\DeviceMetadata\MetaData_S9_VP_ADPTUS_1A_10.txt	msiexec.exe

Drops file in Windows directory 48 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\NewShortcut1_620FBBDF2E024F7BB163DAA546AC0D42.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB61.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF1D4.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\80EF5094FDAAE194CA73C50ECD703876\5.3.0\F_CENTRAL_mfcm100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\80EF5094FDAAE194CA73C50ECD703876\5.3.0\F_CENTRAL_mfcm100u_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	msiexec.exe
File created	C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\NewShortcut2_620FBBDF2E024F7BB163DAA546AC0D42.exe	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\80EF5094FDAAE194CA73C50ECD703876\5.3.0\F_CENTRAL_mfc100u_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\80EF5094FDAAE194CA73C50ECD703876\5.3.0\F_CENTRAL_mfcm100u_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	msiexec.exe
File created	C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\80EF5094FDAAE194CA73C50ECD703876\5.3.0\F_CENTRAL_atl100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	msiexec.exe
File opened for modification	C:\Windows\Installer\f76daa6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE013.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA91.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\80EF5094FDAAE194CA73C50ECD703876\5.3.0\F_CENTRAL_msvcp100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\80EF5094FDAAE194CA73C50ECD703876\5.3.0\F_CENTRAL_msvcp100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE49.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\80EF5094FDAAE194CA73C50ECD703876	msiexec.exe
File opened for modification	C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\NewShortcut4_620FBBDF2E024F7BB163DAA546AC0D42.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\NewShortcut3_434714C6586145669C575B6900D988AA.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\80EF5094FDAAE194CA73C50ECD703876\5.3.0\F_CENTRAL_mfc100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\80EF5094FDAAE194CA73C50ECD703876\5.3.0\F_CENTRAL_mfc100u_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	msiexec.exe
File opened for modification	C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\NewShortcut2_620FBBDF2E024F7BB163DAA546AC0D42.exe	msiexec.exe
File created	C:\Windows\Installer\f76daa7.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\f76daa7.mst	msiexec.exe
File created	C:\Windows\Installer\f76daa8.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\80EF5094FDAAE194CA73C50ECD703876\5.3.0\F_CENTRAL_atl100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\80EF5094FDAAE194CA73C50ECD703876\5.3.0\F_CENTRAL_mfc100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	msiexec.exe
File opened for modification	C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\NewShortcut4_620FBBDF2E024F7BB163DAA546AC0D42.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\NewShortcut7_3E2D623C006948F9A62843929026BC65.url	msiexec.exe
File created	C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\StellarDriverShortcu_434714C6586145669C575B6900D988AA.exe	msiexec.exe
File created	C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\NexusDriverShortcut_434714C6586145669C575B6900D988AA.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\StellarDriverShortcu_434714C6586145669C575B6900D988AA.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF108.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\80EF5094FDAAE194CA73C50ECD703876\5.3.0	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\80EF5094FDAAE194CA73C50ECD703876\5.3.0\F_CENTRAL_msvcr100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	msiexec.exe
File created	C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\NewShortcut7_3E2D623C006948F9A62843929026BC65.url	msiexec.exe
File created	C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\NewShortcut1_620FBBDF2E024F7BB163DAA546AC0D42.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\80EF5094FDAAE194CA73C50ECD703876\5.3.0\F_CENTRAL_msvcr100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	msiexec.exe
File created	C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\NewShortcut3_434714C6586145669C575B6900D988AA.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76daa6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE4E5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\80EF5094FDAAE194CA73C50ECD703876\5.3.0\F_CENTRAL_mfcm100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	msiexec.exe
File opened for modification	C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\NexusDriverShortcut_434714C6586145669C575B6900D988AA.exe	msiexec.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000500000001c8b1-737.dat	nsis_installer_1
behavioral1/files/0x000500000001c8b1-737.dat	nsis_installer_2

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1600	msiexec.exe
1600	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1272	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1272	MSIEXEC.EXE
Token: SeRestorePrivilege	1600	msiexec.exe
Token: SeTakeOwnershipPrivilege	1600	msiexec.exe
Token: SeSecurityPrivilege	1600	msiexec.exe
Token: SeCreateTokenPrivilege	1272	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	1272	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	1272	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1272	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	1272	MSIEXEC.EXE
Token: SeTcbPrivilege	1272	MSIEXEC.EXE
Token: SeSecurityPrivilege	1272	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	1272	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	1272	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	1272	MSIEXEC.EXE
Token: SeSystemtimePrivilege	1272	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	1272	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	1272	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	1272	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	1272	MSIEXEC.EXE
Token: SeBackupPrivilege	1272	MSIEXEC.EXE
Token: SeRestorePrivilege	1272	MSIEXEC.EXE
Token: SeShutdownPrivilege	1272	MSIEXEC.EXE
Token: SeDebugPrivilege	1272	MSIEXEC.EXE
Token: SeAuditPrivilege	1272	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	1272	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	1272	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	1272	MSIEXEC.EXE
Token: SeUndockPrivilege	1272	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	1272	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	1272	MSIEXEC.EXE
Token: SeManageVolumePrivilege	1272	MSIEXEC.EXE
Token: SeImpersonatePrivilege	1272	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	1272	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	1272	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	1272	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	1272	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1272	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	1272	MSIEXEC.EXE
Token: SeTcbPrivilege	1272	MSIEXEC.EXE
Token: SeSecurityPrivilege	1272	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	1272	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	1272	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	1272	MSIEXEC.EXE
Token: SeSystemtimePrivilege	1272	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	1272	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	1272	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	1272	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	1272	MSIEXEC.EXE
Token: SeBackupPrivilege	1272	MSIEXEC.EXE
Token: SeRestorePrivilege	1272	MSIEXEC.EXE
Token: SeShutdownPrivilege	1272	MSIEXEC.EXE
Token: SeDebugPrivilege	1272	MSIEXEC.EXE
Token: SeAuditPrivilege	1272	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	1272	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	1272	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	1272	MSIEXEC.EXE
Token: SeUndockPrivilege	1272	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	1272	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	1272	MSIEXEC.EXE
Token: SeManageVolumePrivilege	1272	MSIEXEC.EXE
Token: SeImpersonatePrivilege	1272	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	1272	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	1272	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2352	setup.exe
1272	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1272	2352	setup.exe	28
PID 2352 wrote to memory of 1272	2352	setup.exe	28
PID 2352 wrote to memory of 1272	2352	setup.exe	28
PID 2352 wrote to memory of 1272	2352	setup.exe	28
PID 2352 wrote to memory of 1272	2352	setup.exe	28
PID 2352 wrote to memory of 1272	2352	setup.exe	28
PID 2352 wrote to memory of 1272	2352	setup.exe	28
PID 1600 wrote to memory of 1312	1600	msiexec.exe	30
PID 1600 wrote to memory of 1312	1600	msiexec.exe	30
PID 1600 wrote to memory of 1312	1600	msiexec.exe	30
PID 1600 wrote to memory of 1312	1600	msiexec.exe	30
PID 1600 wrote to memory of 1312	1600	msiexec.exe	30
PID 1600 wrote to memory of 1312	1600	msiexec.exe	30
PID 1600 wrote to memory of 1312	1600	msiexec.exe	30
PID 1312 wrote to memory of 2328	1312	MsiExec.exe	31
PID 1312 wrote to memory of 2328	1312	MsiExec.exe	31
PID 1312 wrote to memory of 2328	1312	MsiExec.exe	31
PID 1312 wrote to memory of 2328	1312	MsiExec.exe	31
PID 1312 wrote to memory of 2416	1312	MsiExec.exe	32
PID 1312 wrote to memory of 2416	1312	MsiExec.exe	32
PID 1312 wrote to memory of 2416	1312	MsiExec.exe	32
PID 1312 wrote to memory of 2416	1312	MsiExec.exe	32
PID 1312 wrote to memory of 540	1312	MsiExec.exe	33
PID 1312 wrote to memory of 540	1312	MsiExec.exe	33
PID 1312 wrote to memory of 540	1312	MsiExec.exe	33
PID 1312 wrote to memory of 540	1312	MsiExec.exe	33
PID 1312 wrote to memory of 1468	1312	MsiExec.exe	34
PID 1312 wrote to memory of 1468	1312	MsiExec.exe	34
PID 1312 wrote to memory of 1468	1312	MsiExec.exe	34
PID 1312 wrote to memory of 1468	1312	MsiExec.exe	34
PID 1312 wrote to memory of 1848	1312	MsiExec.exe	35
PID 1312 wrote to memory of 1848	1312	MsiExec.exe	35
PID 1312 wrote to memory of 1848	1312	MsiExec.exe	35
PID 1312 wrote to memory of 1848	1312	MsiExec.exe	35
PID 1312 wrote to memory of 452	1312	MsiExec.exe	36
PID 1312 wrote to memory of 452	1312	MsiExec.exe	36
PID 1312 wrote to memory of 452	1312	MsiExec.exe	36
PID 1312 wrote to memory of 452	1312	MsiExec.exe	36
PID 1312 wrote to memory of 864	1312	MsiExec.exe	37
PID 1312 wrote to memory of 864	1312	MsiExec.exe	37
PID 1312 wrote to memory of 864	1312	MsiExec.exe	37
PID 1312 wrote to memory of 864	1312	MsiExec.exe	37
PID 1312 wrote to memory of 1880	1312	MsiExec.exe	38
PID 1312 wrote to memory of 1880	1312	MsiExec.exe	38
PID 1312 wrote to memory of 1880	1312	MsiExec.exe	38
PID 1312 wrote to memory of 1880	1312	MsiExec.exe	38
PID 1312 wrote to memory of 332	1312	MsiExec.exe	39
PID 1312 wrote to memory of 332	1312	MsiExec.exe	39
PID 1312 wrote to memory of 332	1312	MsiExec.exe	39
PID 1312 wrote to memory of 332	1312	MsiExec.exe	39
PID 1312 wrote to memory of 1036	1312	MsiExec.exe	40
PID 1312 wrote to memory of 1036	1312	MsiExec.exe	40
PID 1312 wrote to memory of 1036	1312	MsiExec.exe	40
PID 1312 wrote to memory of 1036	1312	MsiExec.exe	40
PID 1312 wrote to memory of 620	1312	MsiExec.exe	41
PID 1312 wrote to memory of 620	1312	MsiExec.exe	41
PID 1312 wrote to memory of 620	1312	MsiExec.exe	41
PID 1312 wrote to memory of 620	1312	MsiExec.exe	41
PID 1312 wrote to memory of 2100	1312	MsiExec.exe	42
PID 1312 wrote to memory of 2100	1312	MsiExec.exe	42
PID 1312 wrote to memory of 2100	1312	MsiExec.exe	42
PID 1312 wrote to memory of 2100	1312	MsiExec.exe	42
PID 1312 wrote to memory of 816	1312	MsiExec.exe	43
PID 1312 wrote to memory of 816	1312	MsiExec.exe	43

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\ProgramData\{8359D236-A28B-4A64-9C3F-89537975F098}\ResScan.msi" TRANSFORMS="C:\ProgramData\{8359D236-A28B-4A64-9C3F-89537975F098}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="setup.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1272

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9953F3D4035149A8E94DF557A5FC7BA1 C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C16C6537-97E8-4F6E-A038-143096FC4DFC}
    3⤵
    - Executes dropped EXE
    PID:2328
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{41CEB023-070D-4CFD-BAAB-143EAEE7EC3B}
    3⤵
    - Executes dropped EXE
    PID:2416
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66B70C45-2EE7-4011-B03B-A35FF603AED4}
    3⤵
    - Executes dropped EXE
    PID:540
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F5A8A087-EFA0-49A9-B6F0-5F9CB907BDF8}
    3⤵
    - Executes dropped EXE
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19E5AFB5-4865-490B-AB08-497A4F3AC0C6}
    3⤵
    - Executes dropped EXE
    PID:1848
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E5D2E60E-0A0A-4743-9EF3-5DAAB2D0166D}
    3⤵
    - Executes dropped EXE
    PID:452
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{012BD53E-816B-4827-B962-3814BC791319}
    3⤵
    - Executes dropped EXE
    PID:864
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{15BFB3C9-77A8-402D-9F34-A763D459C541}
    3⤵
    - Executes dropped EXE
    PID:1880
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{478523E2-1DDA-4DFF-AC3C-04CA291B1464}
    3⤵
    - Executes dropped EXE
    PID:332
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{33583EED-1235-4355-9165-1F3D2666D6D5}
    3⤵
    - Executes dropped EXE
    PID:1036
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F47A20B7-7AFB-4C6D-B7B1-E6E41870A413}
    3⤵
    - Executes dropped EXE
    PID:620
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C5837F5F-EBB7-47B6-986D-6AEBFE3AC9D7}
    3⤵
    - Executes dropped EXE
    PID:2100
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{507A5A1A-8709-482A-A087-70C84BA55204}
    3⤵
    - Executes dropped EXE
    PID:816
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1EBDA438-04B9-4524-846E-26A42AF2BD82}
    3⤵
    - Executes dropped EXE
    PID:1568
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DA0A8E38-7E06-4644-AF6B-683DA64FB5EF}
    3⤵
    - Executes dropped EXE
    PID:1244
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E70A01F8-332F-4948-BB84-D05A332B79E7}
    3⤵
    - Executes dropped EXE
    PID:1700
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{921A70FE-74BF-42A3-A781-0AD78ADDCBDF}
    3⤵
    - Executes dropped EXE
    PID:2576
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{498C0849-C6EC-46CC-A7AE-572E5A549476}
    3⤵
    - Executes dropped EXE
    PID:2700
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7AAE6BBE-7F41-4E95-98EA-8E7E93D293C2}
    3⤵
    - Executes dropped EXE
    PID:1724
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7F10A26A-B9E4-464A-A183-02EFDA64C53C}
    3⤵
    - Executes dropped EXE
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7410AD2D-72F4-4704-971A-4BAE23B88119}
    3⤵
    - Executes dropped EXE
    PID:2740
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F3FE91E9-E0B5-4D2C-91EF-BC903D2F654B}
    3⤵
    - Executes dropped EXE
    PID:3056
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B36F4FF1-0A85-4022-95E0-EADC33B1BDB3}
    3⤵
    - Executes dropped EXE
    PID:2508
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9C093793-2F7C-4E51-A423-148898BB7D8E}
    3⤵
    - Executes dropped EXE
    PID:1240
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7868E1E6-53F8-4BEE-9BFF-EF67944E0684}
    3⤵
    - Executes dropped EXE
    PID:2464
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FF570DE5-1164-4518-8CC8-E063A27AEC6B}
    3⤵
    - Executes dropped EXE
    PID:2796
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{35F9D744-479B-4F5B-B912-5C48F8E20C65}
    3⤵
    - Executes dropped EXE
    PID:2852
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{114E84CE-39B8-4A91-9F38-73E53AD3FB2D}
    3⤵
    - Executes dropped EXE
    PID:3028
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4C917697-747A-47A7-9350-A48A6FA7B3D9}
    3⤵
    - Executes dropped EXE
    PID:2932
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A546C14E-CE28-4024-8235-6D0F91BB563D}
    3⤵
    - Executes dropped EXE
    PID:1432
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F90240A7-859A-4E20-8502-C06E70193BB5}
    3⤵
    - Executes dropped EXE
    PID:2664
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AB395043-F603-4C8C-81C6-298DB2C59FB9}
    3⤵
    - Executes dropped EXE
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A996D383-808C-44F1-814F-08127D7F3C9F}
    3⤵
    - Executes dropped EXE
    PID:1956
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3749900E-A6E5-4A6C-93D2-5678F8CADE84}
    3⤵
    - Executes dropped EXE
    PID:1924
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{888AA696-95D0-4213-BE30-C7E537B6FA11}
    3⤵
    - Executes dropped EXE
    PID:2900
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FC52BE76-311F-4A5A-98CD-BF14E1384D75}
    3⤵
    - Executes dropped EXE
    PID:1788
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7B02A8B9-0AD6-4126-8150-6EE625370DAC}
    3⤵
    - Executes dropped EXE
    PID:712
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{02F4CCF5-0642-48E3-AC81-E29D3213DFC5}
    3⤵
    - Executes dropped EXE
    PID:596
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{96BE3338-E2EE-4802-A7AF-C0DF954261F9}
    3⤵
    - Executes dropped EXE
    PID:840
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{368ACD7B-D92C-4708-941E-1D9F23DBE372}
    3⤵
    - Executes dropped EXE
    PID:1772
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8F13C01D-B819-4AA3-8806-13A6DE62211C}
    3⤵
    - Executes dropped EXE
    PID:1136
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0AB62E57-8E99-4654-9BDD-B3E8FB7F82A0}
    3⤵
    - Executes dropped EXE
    PID:1340
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BFBDFE4A-8270-4F31-A408-699BAA5FE52D}
    3⤵
    - Executes dropped EXE
    PID:1980
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F790B102-D33E-4AB1-86DB-9FD85655603E}
    3⤵
    - Executes dropped EXE
    PID:960
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C7C0A817A7C281813CEAE1D0B62733CF
  2⤵
  - Loads dropped DLL
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C783BA9D-4674-426A-803C-619541BD24E8}
    3⤵
    - Executes dropped EXE
    PID:2584
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2D7A46B8-1392-4FD6-9DD1-61B5227CCA79}
    3⤵
    - Executes dropped EXE
    PID:2592
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{854D2BF7-2837-402B-963D-1C4D462A4CFF}
    3⤵
    - Executes dropped EXE
    PID:1664
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{084A1CD3-972F-4DFF-ABB8-0F8D90D0DBA8}
    3⤵
    - Executes dropped EXE
    PID:2740
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{150A249C-DA69-4DC9-9DD3-9F55D3D7EDF8}
    3⤵
    - Executes dropped EXE
    PID:2480
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2B83DD7C-1DC9-4C2F-AC4B-0F55309BC8B1}
    3⤵
    - Executes dropped EXE
    PID:2576
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E2BA10D4-B312-4CB3-98CF-0F377897B2D8}
    3⤵
    - Executes dropped EXE
    PID:2452
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3F02D20A-7DC1-463E-B937-B1DD61B39AB0}
    3⤵
    - Executes dropped EXE
    PID:2984
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D9A4C22D-BEE6-4621-B564-54CBD755ED74}
    3⤵
    - Executes dropped EXE
    PID:1620
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{744F9C25-560E-4D7D-A802-28CF4AA6A87C}
    3⤵
    - Executes dropped EXE
    PID:1516
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4CFD857F-4CE5-4E3A-9673-E074DCBBD946}
    3⤵
    - Executes dropped EXE
    PID:2820
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FBCBDFED-FAA3-44A4-BBDA-4E87362C2CE6}
    3⤵
    - Executes dropped EXE
    PID:2768
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F73C611E-5FF3-498E-81F1-D25689C44CFB}
    3⤵
    - Executes dropped EXE
    PID:2648
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4A242CE4-E67F-4F83-8719-A9DC995ED4F6}
    3⤵
    - Executes dropped EXE
    PID:2644
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D1176535-BF70-48AD-9C07-7B70DBB52398}
    3⤵
    - Executes dropped EXE
    PID:1592
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8240D0E3-6995-4015-AC19-3017B81ADB0B}
    3⤵
    - Executes dropped EXE
    PID:876
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FBDA32C4-F2DA-4BE7-96B8-D17524D92E8D}
    3⤵
    - Executes dropped EXE
    PID:2996
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7862E81C-8C69-40C9-975E-CCB58F46E536}
    3⤵
    - Executes dropped EXE
    PID:2284
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D02F0F58-B0E9-4EE8-A2C3-89B61CC1AAA7}
    3⤵
    - Executes dropped EXE
    PID:2356
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{07806F0D-7584-47A5-82AE-CCAFC6AEF9D8}
    3⤵
    - Executes dropped EXE
    PID:2896
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9D526A6D-3C45-462D-A6F8-50F1DB1696E5}
    3⤵
    PID:2148
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{925148F8-CB35-4AD4-A836-F3EE413900CC}
    3⤵
    PID:488
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C1FA23BC-107A-49AC-AA0C-55FEE9B85F85}
    3⤵
    PID:2160
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CCC0F077-4582-479C-9450-7CF7FD6052A3}
    3⤵
    PID:2208
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{97052C53-B1CF-4741-9E14-C6A83398E92E}
    3⤵
    PID:1508
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3F2F3ADE-8AC6-4154-B9BF-B023B15A1170}
    3⤵
    PID:1860
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2E0D2258-130F-41CB-9186-B97185F8D25A}
    3⤵
    PID:2104
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8E266F08-BDBF-4953-AD29-C845531DB2C5}
    3⤵
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{05622DEB-7404-4AC5-9EE3-4913D54FBC27}
    3⤵
    PID:1772
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{741CEC5B-602A-4404-9CE2-29DDE85BBF07}
    3⤵
    PID:2252
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{15A99206-ACB9-4E22-B561-493D3CF1B708}
    3⤵
    PID:2368
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E81ACC4F-3CC7-40CF-B48C-8551E3AC456E}
    3⤵
    PID:2092
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E499C063-2400-46DC-B92C-95DE89D5A4A4}
    3⤵
    PID:3068
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CE4F6E71-BDFD-48E5-8E89-8BE06429A2F4}
    3⤵
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FE42E8E6-0B8D-4ECE-9AEE-0DB6E9D7B708}
    3⤵
    PID:2168
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6B131F45-109F-4E39-A375-9ABCD7F3DB6F}
    3⤵
    PID:2832
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{973C627E-96F5-4ECA-962B-FA589CD50F77}
    3⤵
    PID:2544
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{95518A63-8BFD-4554-9BCB-56EBC6AF7F35}
    3⤵
    PID:2692
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E9F0B0DF-1CB5-4046-8C54-D02B8885E973}
    3⤵
    PID:2452
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C93A066C-0FE8-402E-AD1E-20B0C38B2D2C}
    3⤵
    PID:2080
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{32021A56-A940-42FF-8077-1391E6F2C719}
    3⤵
    PID:2848
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{73E8D29F-F5B2-4BE9-9EAC-1ACAFFFFA87F}
    3⤵
    PID:2804
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F604ADA3-2E32-4AD2-8E35-F68CD0FF78C9}
    3⤵
    PID:2948
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{300C2E5A-B5D1-4F68-8F30-608DD2C504C2}
    3⤵
    PID:2436
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B5549CA7-12A2-480F-BB44-40B0C3837C8C}
    3⤵
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B421955B-3BC1-4695-A8D8-DF7EE0F2C0E3}
    3⤵
    PID:2636
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C66652EC-ECB1-4BD4-9C42-7E73BBBB93E3}
    3⤵
    PID:2180
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AAB546EA-6078-4332-B146-0CB2DAD4A6AD}
    3⤵
    PID:2840
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9FF99D79-0810-4BD6-91E1-6F1987CDA6A4}
    3⤵
    PID:2528
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{77386067-0D69-439D-9007-CEB254B16A47}
    3⤵
    PID:268
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6A95FD88-96CB-4FD3-A939-AEEA19ECBC22}
    3⤵
    PID:2416
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5D64424B-FDFD-4213-97DA-9B1937D3BDA5}
    3⤵
    PID:1788
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{87501C81-4B3D-4039-A134-8F07E9CC5359}
    3⤵
    PID:1688
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5324E97C-B400-4120-99E0-5E4F149CF021}
    3⤵
    PID:988
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7BA695CE-B37E-45EC-A48F-A63B2906EFDE}
    3⤵
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3B2BB845-DA1C-40C3-88CE-2C3CA92128D0}
    3⤵
    PID:2176
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FBDC9861-64FC-456B-94C4-4282FA85C884}
    3⤵
    PID:1380
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0D09ABDF-888B-40DE-8F65-0EAFA88263F8}
    3⤵
    PID:1584
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AB57C2A7-B502-4CA0-B518-264BAA975F63}
    3⤵
    PID:300
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8277F0EA-FD90-4544-911B-486C3C382392}
    3⤵
    PID:1692
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7E3E59E6-985B-4B01-B25E-E262B2F148AC}
    3⤵
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CDD4ADB9-AD0C-4DFF-8D02-C44A5C7221CF}
    3⤵
    PID:2244
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5567DE7A-F72E-44D4-9675-4B4768DCB0E0}
    3⤵
    PID:2112
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6009D577-1FEA-448B-BD3B-322FB7E9D046}
    3⤵
    PID:1856
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8310A154-A0AD-4828-8CE4-F6E01121029B}
    3⤵
    PID:2580
- - C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5DD342FB-6DAC-4F29-B95F-857DBA48A5C3}
    3⤵
    PID:1852
- C:\Program Files (x86)\ResMed\ResScan3\Drivers\ResMed USB Adapter\DrvDisk\ResMedUSBInstaller.exe
  "C:\Program Files (x86)\ResMed\ResScan3\Drivers\ResMed USB Adapter\DrvDisk\ResMedUSBInstaller.exe"
  2⤵
  PID:1660
- C:\Program Files (x86)\ResMed\ResScan3\Drivers\Data Card\Setup.exe
  "C:\Program Files (x86)\ResMed\ResScan3\Drivers\Data Card\Setup.exe"
  2⤵
  PID:2624
- C:\Program Files (x86)\ResMed\ResScan3\Drivers\Stellar\setup_v1_10.exe
  "C:\Program Files (x86)\ResMed\ResScan3\Drivers\Stellar\setup_v1_10.exe"
  2⤵
  PID:2640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:332

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000590" "000000000000005C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ResMed\ResScan3\Drivers\Data Card\Setup.exe

Filesize
230KB

MD5
489a51ceb8f8fe145fa3f19df02c8547

SHA1
e298babd51c16ad5f3b6ef628f6a7eb9d93ee2bc

SHA256
ee409c2d7caf7b183fe15de6a233af31bf9ec3d8deed9e20d5a638c4a138e675

SHA512
468304ba5be1198a07713963f7cd364c2e3b99057063c5fd7f4ca387f68f3bf941f13ebe1e5fb5918d979128e6e24382f82f97550636f4bb05fe1b7a2f5dc32a

Download Submit
C:\Program Files (x86)\ResMed\ResScan3\Drivers\ResMed USB Adapter\DrvDisk\ResMedUSBInstaller.exe

Filesize
128KB

MD5
d802840a0f5eed4cd6513a281d980427

SHA1
f18da7c3b3f247f652fe7efc34d65e1172dbb494

SHA256
16d23f1adc5401546f271e124a5748b03ef0ee97095b6b10c9d21b9ff87bbfed

SHA512
a52a8d9ad487f94173dfb2e0de5dd5ac0b28fd632d7bf8f564afecf02219725e514d21a7274d0a3ec00280309df1b1067eb8b86509dfea2fc4389ab92e094c1e

Download Submit
C:\Program Files (x86)\ResMed\ResScan3\Drivers\Stellar\setup_v1_10.exe

Filesize
52KB

MD5
d1e644c742489ff43de82c523cf1a078

SHA1
822fdfeaab51d74a3b00de49f2ed295b92b94f42

SHA256
da4bfdf7515f31b4582e6fa07616b53477cbbe8e7e6d243bdcd639a96468ff98

SHA512
75bd5f52e661afb41bf909406ccc8331ae14f3c300803f84ecf035abbd78a065cba5adcd4e853f5e42d5a871af12e98435928c46d797056c1d9e64d37c501307

Download Submit
C:\Program Files (x86)\ResMed\ResScan3\ResScan.exe

Filesize
408KB

MD5
a24ad7cc4622396d096bacee943a6a28

SHA1
f4361f497e769a58f15d196634ecb2244b784f64

SHA256
b54d4af378ce4366e4c7ba27ab141a69a44f1cfcbbc2f8a9e90afa88c5fd9e4f

SHA512
2a2aabcc0e5d47b1af815e65928ade53205cad49a084ae4501be02f760a85709f23b6240151b55d971c37f316d4acdfd6d59aa4b7c2f9bd763255331934b88bb

Download Submit
C:\ProgramData\{8359D236-A28B-4A64-9C3F-89537975F098}\1033.MST

Filesize
3KB

MD5
eb6ad94d9689c0493e8502ddd905d7c5

SHA1
9fc4ba8245b9912b425a287d788d659f0983cf00

SHA256
a7b11d94cf8097f8c28fe5aa02270a94bfa9aefb8a13c0fa082dbe052e6800b5

SHA512
386d1a3e7a0bae444e03eee0dab4e148c6afa03cb07007bef2d73daad3b36d4bb2fb76cd36cc29f4589a69ad344de8ebd1b11ec87b37b50985a7fdd7260d94c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6430.tmp

Filesize
57KB

MD5
c23d4d5a87e08f8a822ad5a8dbd69592

SHA1
317df555bc309dace46ae5c5589bec53ea8f137e

SHA256
6d149866246e79919bde5a0b45569ea41327c32ee250f37ad8216275a641bb27

SHA512
fa584655ae241004af44774a1f43508e53e95028ce96b39f8b5c62742f38acdf2b1df8871b468ac70c6043ca0e7ae8241bad2db6bc4f700d78471f12bb809e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI64AE.tmp

Filesize
141KB

MD5
edb88affffd67bca3523b41d3e2e4810

SHA1
0055b93907665fed56d22a7614a581a87d060ead

SHA256
4c3d85e7c49928af0f43623dcbed474a157ef50af3cba40b7fd7ac3fe3df2f15

SHA512
2b9d99c57bfa9ab00d8582d55b18c5bf155a4ac83cf4c92247be23c35be818b082b3d6fe38fa905d304d2d8b957f3db73428da88e46acc3a7e3fee99d05e4daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\iss512F.tmp

Filesize
2.1MB

MD5
d7697af0f79b34d6c4598a2ac1232493

SHA1
62c8fa35ae2d83c6ddcf35b86c504beab4dd9f3f

SHA256
ecb5ee5dea20ea607ffb1e60c44567f0a0b02f2370f0e9599d340b4745db5031

SHA512
d8c266e7ec5ee45cee4c5dfd7ef19ceea48c9508a2b885ef01140d8efa253b8b694f7c26225109bdb976f2e21a19e2332cd2566e60c15e838fbce62abbd9bdd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISRT.dll

Filesize
262KB

MD5
5ecda0a54c4d9babcdb177d54f2e733d

SHA1
e98aa5abf7cc44b50fe6ca7c6b110bb04541fe5b

SHA256
e0926d6cbb4b4bbe673eec59325646ae8f2702e87584bf31dee28c385f45a32c

SHA512
45cb28462f6114765fcf831e2ae4ffc5fee1f59746e9e749106b7cf00b7967a788e5591da2a4e0a6e3ae52d60395d1d66be6112026709c33261c4ca839211616

Download Submit
C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\String1033.txt

Filesize
178KB

MD5
e3e95e4afab8a87588b6a56180942826

SHA1
f1339fa05cef465d3bc977b2591c4f0681011a0e

SHA256
c10875dfb6fc94cf18ef6a63b4e03b34b0083eb101aba5f4f32d9f61823713c7

SHA512
585b6dccb8e8b8cd8cd39c4a64d915aa41e2d5611b3728722bccf461cdd5214e507e5d7ea45f5e2ff647e7aaefe1f4e40ea8b559472d91ea875e5e32b548959e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\_isres_0x0409.dll

Filesize
546KB

MD5
ef9981e91f1e89f574c1fd5a9f33c104

SHA1
4a4d93250ea55f2fd8016019ffecbd346a9cf898

SHA256
baea8898b54c528eae355a970f9d78c95c26b3b2a8c500e3fb6766bc879037c3

SHA512
4c7a5e9a7082bcc893a6a3368be634c651a049448ac90884b710eb4fa1dc480d6c4e94db12fd9ada53e3a8cdefff0990d7dd0cab173009e45bba643f7d88fdd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\setup.inx

Filesize
260KB

MD5
0db3341864da1f9414cf3084a596938b

SHA1
1e052bd30449a1e78f53ebfe8db98c0a12f6cb66

SHA256
9a3ca55645484f031740a536e1409c3f0b3e570826d108849a869d99c4ba7f25

SHA512
f0049523bbd345dd63ea3232fc24fd99d0aebeece32e8d0f57c84817a0dd9e768589f26ef0d4cd186cbf7f5cff16de9b5ab3f8641ee506ea575f6afffeb182e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{50D0189D-909F-43A9-91EB-E5DE7C2F87D9}\IsConfig.ini

Filesize
555B

MD5
8740e198d9f4c0e929a9fc6178727d83

SHA1
8fa89e979892d356a7fe2a23823ea540041cb705

SHA256
3328408f6581fda1face57309f18c3eb9bb4c045eebbe35cbef36fdc01498376

SHA512
1e9a91ad2b91a5178f412baa70a7631b3ba83716f102e3143cdb04d091b2cd94a8bc1eb3ce3c94f0f07ba8a07fee11b650d3b9f51cb1511a1c4c2dda03db02f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{894B6BC3-7A2D-48C1-826A-794BC1A00976}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{894B6BC3-7A2D-48C1-826A-794BC1A00976}\_ISMSIDEL.INI

Filesize
5KB

MD5
c9ad63b624dac4dc589c5c6779110dd6

SHA1
fc57ff91974e8cbabbbb914a0c259f9360fadc77

SHA256
39a5019b228efdb9a4117799682eb4759a6b97063d9cdb82ff6ff4aeb51d8d0a

SHA512
ad1467ac561902d3a58e0204773a308a16651eb23bf8398c4135c69f208bf68fb40c88ef67d0b4636b99ed6b3ab1ef5906f62179d95075e803a8a19b769c8ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{894B6BC3-7A2D-48C1-826A-794BC1A00976}\_ISMSIDEL.INI

Filesize
5KB

MD5
11351b0c6327bd0bde14c95a7711ada4

SHA1
cce51eb9b43308ccc0ad773844030a49a38c608f

SHA256
3332cdf42e0f772718af81a56f98dcc3aa1a37ad41da01889d7d6048cd966812

SHA512
2dda92836a0d3939364218a50fb2250a9507163f2f45821d3158a4a19b3c4a17a65fd6c90119f5b976d237cf08a1147fd0d4ef4decc7ecb73841ca1e044ff4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~495F.tmp

Filesize
5KB

MD5
8658865ade67c15f9bc5b18c2428ce97

SHA1
8ad0bd57b43bb09525ffb533fa63dfbee8e2c2fc

SHA256
52f1b89800267ee691f03513b1478c9ef31a6036375e10868cc36cb88d8f40b2

SHA512
541623832180f72fb1657cb4783e07ca4c479c6da1af75b5d66a8cc75352e309289c7ff3ca52a62c54114f3d1ff3552a18f574f069cc4f70caec4f9ef605d803

Download Submit
C:\Users\Public\Documents\ResMed\ResScan3\Patients\Examples\Example, AirSense 10 AutoSet\20140727.rlk

Filesize
10.9MB

MD5
ee10c496437ff528d7e347f7f36994d5

SHA1
eb663c678863bc0842441c501c14780092b120fa

SHA256
5a9aa0ab23342f2e8cd87b7f4a0352c66d314801bc3f797c1f1fd72d96d50b59

SHA512
bb3f32093dcc98156c124470470cb774326ea8a4fb1e7dff36f0b1ab83f6b475bc7a2d492eb35a2ca2b3b56c01b754eba17a0997e616c55b69be78536f8d18b5

Download Submit
C:\Users\Public\Documents\ResMed\ResScan3\Patients\Examples\Example, VPAP Auto 25\20080421.rlk

Filesize
896KB

MD5
ee7afc28d73659795cd595133f189fc9

SHA1
0e82249224b30bf5ff182c3645af7b01104ec8f2

SHA256
d2b15f9c703c74aac7bdc8c292e7c96cb06eeb6d4e6d9a336d2590457110a9af

SHA512
5d538762e35865c4e7e05e983faecc3819c311e4c9b769c810dc6e500cf7a5db3bcbd9f1825925b31345c6690592e807c710e071c64c0af2ab77eaf0807f5d4a

Download Submit
C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\NewShortcut1_620FBBDF2E024F7BB163DAA546AC0D42.exe

Filesize
56KB

MD5
d2fa536114fb34359b802ef9fd3b5b02

SHA1
56b2bdc5a58db998e63679c676c6e513158d919a

SHA256
382bdc8a482d4ac2d4f37b64336d091c9f0cef6883e1c827fb80d1bffbaae706

SHA512
dc481dd164d43661b932bb4583964e0a92c09a88b0644783bd755ff5f276a6f347be361f19192e3ce628e89cc0d022e12711f7941e1611823ed86134b96eb995

Download Submit
C:\Windows\Installer\{4905FE08-AADF-491E-AC37-5CE0DC078367}\StellarDriverShortcu_434714C6586145669C575B6900D988AA.exe

Filesize
40KB

MD5
31ccd7991fcc9cd32080a9fa3f197504

SHA1
c7f785f1630def45d947f4029f13192a7e83710a

SHA256
a237b9209b387071014df1d4b69f369adff85c4b998ac5710f83cad3b4bb4c15

SHA512
02fac78123c18ae4217a601d3e4d09352834aa78b24ab6386397a561ee2b7800688739330f2c1177033299ad99dd029a52044f824ec2ed8b3adc604bdb725e36

Download Submit
\Users\Admin\AppData\Local\Temp\{406EDE3B-DD44-4E24-8BC7-9CF8D5162E15}\ISBEW64.exe

Filesize
148KB

MD5
962b85d5bc8945d80b4839e47efe8fdd

SHA1
3291792ee90594baa9083ef544779d6b550d3fec

SHA256
1b220c5a2f74162d7162ba241ad6c594aaf009cc1329429dcf2112e10477e2b5

SHA512
6a2c104a45cb9f11e9a6e2ba2674c03a8b1102ad2be25f1df3bde6af4933db475a6537b54a8d4086867a655f4067980b99dc4844230f7d2727af45dcf5a794ff

Download Submit
memory/1312-283-0x0000000002CB0000-0x0000000002D57000-memory.dmp

Filesize
668KB

Download
memory/1312-274-0x0000000002950000-0x00000000029F7000-memory.dmp

Filesize
668KB

Download
memory/1312-275-0x0000000002800000-0x0000000002889000-memory.dmp

Filesize
548KB

Download
memory/1312-185-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/1312-206-0x0000000003140000-0x00000000031E7000-memory.dmp

Filesize
668KB

Download
memory/1312-209-0x0000000002E70000-0x0000000002EF9000-memory.dmp

Filesize
548KB

Download
memory/1312-236-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/1312-278-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/1312-252-0x0000000003340000-0x00000000033E7000-memory.dmp

Filesize
668KB

Download
memory/1312-254-0x00000000028E0000-0x0000000002969000-memory.dmp

Filesize
548KB

Download
memory/1312-269-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/2572-309-0x0000000002CE0000-0x0000000002D87000-memory.dmp

Filesize
668KB

Download
memory/2572-346-0x0000000002C60000-0x0000000002D07000-memory.dmp

Filesize
668KB

Download
memory/2572-328-0x0000000002FD0000-0x0000000003077000-memory.dmp

Filesize
668KB

Download
memory/2572-331-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/2572-337-0x00000000031D0000-0x0000000003277000-memory.dmp

Filesize
668KB

Download
memory/2572-340-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/2572-345-0x0000000002D50000-0x0000000002DD9000-memory.dmp

Filesize
548KB

Download
memory/2572-322-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/2572-319-0x0000000003080000-0x0000000003109000-memory.dmp

Filesize
548KB

Download
memory/2572-318-0x0000000002FD0000-0x0000000003077000-memory.dmp

Filesize
668KB

Download
memory/2572-313-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/2572-310-0x0000000000D50000-0x0000000000DD9000-memory.dmp

Filesize
548KB

Download
memory/2572-304-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download
memory/2572-301-0x0000000003180000-0x0000000003209000-memory.dmp

Filesize
548KB

Download
memory/2572-300-0x0000000002FD0000-0x0000000003077000-memory.dmp

Filesize
668KB

Download
memory/2572-295-0x0000000010000000-0x00000000101F2000-memory.dmp

Filesize
1.9MB

Download