Malware Analysis Report

2025-04-14 03:37

Sample ID 240612-s3sanstgpq
Target SigmaXL_Version_10_Setup.msi
SHA256 d33e30f08fa2e2a19906054c40e7d19c7a34451026fd30b2072c91e720616222
Tags
score
6/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file SigmaXL_Version_10_Setup.msi was found to be: Shows suspicious behavior.

Malicious Activity Summary


Enumerates connected drives

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Drops file in Program Files directory

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 15:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 15:39

Reported

2024-06-12 15:43

Platform

win11-20240508-en

Max time kernel

59s

Max time network

67s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SigmaXL_Version_10_Setup.msi

Signatures

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Executes dropped EXE

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4248 wrote to memory of 4164 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4248 wrote to memory of 4164 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4248 wrote to memory of 4164 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4164 wrote to memory of 1136 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe
PID 4164 wrote to memory of 1136 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe
PID 4164 wrote to memory of 1160 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe
PID 4164 wrote to memory of 1160 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe
PID 4164 wrote to memory of 892 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe
PID 4164 wrote to memory of 892 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe
PID 4164 wrote to memory of 5080 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe
PID 4164 wrote to memory of 5080 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe
PID 4164 wrote to memory of 832 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe
PID 4164 wrote to memory of 832 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe
PID 4164 wrote to memory of 3656 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe
PID 4164 wrote to memory of 3656 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe
PID 4164 wrote to memory of 4216 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe
PID 4164 wrote to memory of 1644 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe
PID 4164 wrote to memory of 4764 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe
PID 4164 wrote to memory of 1940 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe
PID 4164 wrote to memory of 4592 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\SigmaXL_Version_10_64-Bit.exe
PID 4592 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\SigmaXL_Version_10_64-Bit.exe C:\Users\Admin\AppData\Local\Temp\{DB3B100A-F685-46D9-B934-6013A2A4E9FE}\SigmaXL_Version_10_64-Bit.exe
PID 780 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\{DB3B100A-F685-46D9-B934-6013A2A4E9FE}\SigmaXL_Version_10_64-Bit.exe C:\Windows\system32\MSIEXEC.EXE
PID 4248 wrote to memory of 2772 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2772 wrote to memory of 2324 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe
PID 2772 wrote to memory of 1696 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe
PID 2772 wrote to memory of 4624 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe
PID 2772 wrote to memory of 2640 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe
PID 2772 wrote to memory of 4300 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe
PID 2772 wrote to memory of 872 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe
PID 2772 wrote to memory of 4544 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe
PID 2772 wrote to memory of 4412 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe
PID 2772 wrote to memory of 2508 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe
PID 2772 wrote to memory of 1412 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe
PID 780 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\{DB3B100A-F685-46D9-B934-6013A2A4E9FE}\SigmaXL_Version_10_64-Bit.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SigmaXL_Version_10_Setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 7B1564D62A21318F8F885397B4AE4646 U

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{24EDE6C2-3FD4-4D0E-88A5-0FF4F1B7EC51}

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{10A04516-BC9D-4699-9146-99E390827917}

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3652401E-D09C-40D4-B9BE-3D50051E0A7E}

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D5EFC7E4-B8B2-4159-9F4B-854F0813C77C}

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{80115D54-1C42-40A0-8BB5-9AE52C100F2C}

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0FEC10DB-BC4A-4842-B9DC-5DB124DE89D0}

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{82058BBB-7157-491C-A99A-262D073C0F04}

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8040AACB-2267-4434-96A7-C126E9520369}

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7DA6F577-F1C9-4E39-8090-2638FFDD2A23}

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{103F8B32-50FE-4FED-8F7A-7314891B93E2}

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\SigmaXL_Version_10_64-Bit.exe

"C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\SigmaXL_Version_10_64-Bit.exe" /s /v/qn /V"AUTOLOADPLUGIN=FALSE"

C:\Users\Admin\AppData\Local\Temp\{DB3B100A-F685-46D9-B934-6013A2A4E9FE}\SigmaXL_Version_10_64-Bit.exe

C:\Users\Admin\AppData\Local\Temp\{DB3B100A-F685-46D9-B934-6013A2A4E9FE}\SigmaXL_Version_10_64-Bit.exe /q"C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\SigmaXL_Version_10_64-Bit.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{DB3B100A-F685-46D9-B934-6013A2A4E9FE}" /s /v/qn /V"AUTOLOADPLUGIN=FALSE" /IS_temp

C:\Windows\system32\MSIEXEC.EXE

"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{AA7A84DF-16EB-4C0D-BB6E-3D3693A63EC4}\SigmaXL_Version_10_64-Bit.msi" /qn AUTOLOADPLUGIN=FALSE SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}" SETUPEXENAME="SigmaXL_Version_10_64-Bit.exe"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 2F09C2164A4AA0782E9B23C8B9330F2D

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{108FA52B-ADB3-4922-9FE2-BEEB4A53BEAF}

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1E82868D-6056-436C-8D74-6A44B4F7E5B0}

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0BA5B277-039A-4D74-ACBD-DAA55D5126F3}

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C4EB9993-C998-4D14-8B8A-899AC56E0F9B}

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D8958F86-4083-44BD-A6E7-7E0BA2DC5700}

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8C1951B9-8510-4989-931A-B800425E0F71}

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{267064DC-DC63-4883-8BD9-F98C0A6ABD01}

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3964F179-1123-4E71-B20B-731F8D4765D0}

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3DB90828-6912-4962-AD89-F452B930F0C7}

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8D99768F-DFB7-438C-A3A0-7153AFD734DD}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{DB3B100A-F685-46D9-B934-6013A2A4E9FE}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI10835\ISSetup.dll

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISSetupFilesHelper.dll

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\ISRT.dll

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\_isuser_0x0409.dll

C:\Users\Admin\AppData\Local\Temp\{8D4D3401-10AA-45E3-BCFD-592177748515}\_isres_0x0409.dll

C:\Users\Admin\AppData\Local\Temp\SigmaXL_UI_log.log

C:\Users\Admin\AppData\Local\Temp\{DB3B100A-F685-46D9-B934-6013A2A4E9FE}\_ISMSIDEL.INI

C:\Users\Admin\AppData\Local\Temp\~5939.tmp

C:\Users\Admin\AppData\Local\Temp\{DB3B100A-F685-46D9-B934-6013A2A4E9FE}\0x0409.ini

C:\Users\Admin\AppData\Local\Temp\iss6158.tmp

C:\Users\Admin\AppData\Local\Temp\MSI861e2.LOG

C:\Windows\Installer\MSI63E5.tmp

C:\Users\Admin\AppData\Local\Temp\{C2606CF7-E025-4E01-8DF3-D5FEA473F5ED}\IsConfig.ini

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\setup.inx

C:\Users\Admin\AppData\Local\Temp\{BD44D6A4-F433-4E79-B376-4879D40FB033}\String1033.txt

C:\Config.Msi\e586242.rbs
