Analysis
-
max time kernel
653s -
max time network
652s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
14-08-2024 12:43
Static task
static1
Behavioral task
behavioral1
Sample
RiskPlatform.zip
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
RiskPlatform/Palisade_Course.lic
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
RiskPlatform/RiskPlatform-cust-Setup (1).exe
Resource
win10v2004-20240802-en
General
-
Target
RiskPlatform.zip
-
Size
270.6MB
-
MD5
4338b4e47dfd10a794d62b8f0eaf5501
-
SHA1
60ed574567fff35defb8bcd71b004565a9f69b06
-
SHA256
29056c71459cc32452ab76136f8c79f206d8f3144ef8c6b83a4db8f531b90625
-
SHA512
f3ee76ce5ea6335b4d9616af31de99d6d65487be641aa5517493aa2b346066a5798ea185539e1c59b8ba7b98b4d3474d37d705d49f2bb37fba19772da267e508
-
SSDEEP
6291456:tRKbfZmOtdvMKEmOBajygGl2lSTX6im1jU0iKp7XWP9:tQ7v53EJBajyg2TXQVU0hGF
Malware Config
Extracted
Signatures
-
Detects Strela Stealer payload 1 IoCs
resource yara_rule
behavioral1/memory/4428-1388-0x0000000004040000-0x0000000004094000-memory.dmp family_strela
This is a single YARA match on one 0x54000-byte (336 KiB) region, 0x4040000-0x4094000, in pid 4428. Pid 4428 is an MsiExec.exe instance: it appears below under Loads dropped DLL and is the source of blocklisted network flow 78. The report extracts no Strela configuration (Malware Config above is empty) and does not say which strings or bytes the rule matched, so before treating a 270 MB commercial installer as a Strela Stealer carrier, pull that memory region from the sandbox and confirm the match by hand. -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried  \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation  Palisade.PrecisionTree.Launcher.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation  PtreeOutOfProcessServer.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation  Palisade.Risk.Launcher.exe
Geo\Nation holds the user's GEOID and is the value GetUserGeoID() returns, so any localized application that asks for the user's region reads it; the three readers here are the suite's own launcher processes. A query alone does not show a geofence; a geofence needs a decision taken on the value, which a behavioural listing cannot show. Treat this as corroborating evidence only. -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
No IoC is attached to this entry: it is a technique tag, not a specific hijacked CLSID or InprocServer32 path. The only COM-related registry writes visible in this report are the ActiveX Compatibility entries at the end of the page.
-
Executes dropped EXE 64 IoCs
pid Process
728  RiskPlatform-cust-Setup (1).exe
_isBBDF.exe  pids 1964, 1860, 408, 2220, 1320, 1976, 2120, 4396, 3168, 2792
_isC343.exe  pids 3036, 3332, 388, 5036, 864, 2112, 60, 2036, 1212, 3676
_isC6ED.exe  pids 2236, 2476, 748, 4552, 1928, 5068, 4556, 4296, 4588, 4828
_isCB15.exe  pids 2716, 3212, 3188, 5116, 2268, 552, 4968, 1184, 5060, 2264
_isCE71.exe  pids 4468, 4840, 1048, 1916, 3508, 2148, 2676, 4224, 664, 1568
_isD0B4.exe  pids 2520, 972, 1968, 2304, 1384, 3764, 4132, 4180, 2884, 2468
_isD2E8.exe  pids 2248, 1260, 1164
The list stops at 64 entries. Apart from the top-level setup, every executed drop is an _isXXXX.exe, the temporary-executable naming InstallShield uses while unpacking, and each name is launched with ten pids (the last, _isD2E8.exe, is cut off by the cap). Pid 4556 (_isC6ED.exe) is the process WerFault reports as crashing under Program crash below. -
Loads dropped DLL 64 IoCs
pid Process (load events)
1452 MsiExec.exe  31
1856 MsiExec.exe  18
4428 MsiExec.exe   9
3684 RegAsm.exe    6
Three MsiExec.exe instances and one RegAsm.exe (the .NET Framework assembly-registration tool, which also writes the Palisade *.tlb type libraries listed under Drops file in Program Files directory) account for every listed load; the list stops at 64 entries. Pid 4428 is the process carrying the family_strela memory match above. -
Blocklisted process makes network request 2 IoCs
flow pid Process
69   1452 MsiExec.exe
78   4428 MsiExec.exe
Flow destinations are not included in this extract. Pid 4428 is the instance with the family_strela memory match above. The CryptnetUrlCache writes under Drops file in System32 directory show that an MsiExec.exe instance running as LocalSystem performed CryptoAPI network retrieval (certificate or CRL fetching), which is one ordinary source of msiexec traffic; whether these two flows are that traffic or something else cannot be decided from this page. -
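Pivoting the report on a pid, as an added example (this is the editor's illustration, not the sandbox's tooling and not code from the original page): the record strings are copied from the YARA, Executes dropped EXE, Loads dropped DLL and Blocklisted process sections above and shortened to a few entries; the regexes, the event model and the helper names are assumptions made for the example. It answers the question an analyst asks first on a report like this: which pid both matched a malware-family rule in memory and made a blocklisted network request, and what image that pid maps to in the other sections.

```python
"""Pivot a flattened sandbox report around one pid.

Added example for this page (not the sandbox's own tooling). The four record
strings below are copied from the report sections above and shortened; the
regexes and helpers are this example's assumptions about that layout.
"""
import re
from collections import defaultdict

# Constructed input: abbreviated records in the report's "pid Process" layout.
YARA_HITS = ("behavioral1/memory/4428-1388-0x0000000004040000-0x0000000004094000"
             "-memory.dmp family_strela")
DROPPED_EXE = ("728 RiskPlatform-cust-Setup (1).exe 1964 _isBBDF.exe "
               "4556 _isC6ED.exe 2248 _isD2E8.exe")
DROPPED_DLL = ("1452 MsiExec.exe 1452 MsiExec.exe 1856 MsiExec.exe "
               "4428 MsiExec.exe 4428 MsiExec.exe 3684 RegAsm.exe")
NET_FLOWS = "69 1452 MsiExec.exe 78 4428 MsiExec.exe"

# A process name may contain spaces and parentheses ("RiskPlatform-cust-Setup
# (1).exe"), so match lazily up to the next ".exe" that ends a token.
PID_PROC = re.compile(r"(\d+) (.+?\.exe)(?=\s|$)")
FLOW_PID_PROC = re.compile(r"(\d+) (\d+) (.+?\.exe)(?=\s|$)")
# <pid>-<dump id>-0x<start>-0x<end>-memory.dmp <rule tag>
MEM_DMP = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)")


def parse_report():
    """Return {pid: {"process": set of image names, "events": [tuples]}}."""
    procs = defaultdict(lambda: {"process": set(), "events": []})
    for pid, proc in PID_PROC.findall(DROPPED_EXE):
        procs[int(pid)]["process"].add(proc)
        procs[int(pid)]["events"].append(("dropped_exe_executed", proc))
    for pid, proc in PID_PROC.findall(DROPPED_DLL):
        procs[int(pid)]["process"].add(proc)
        procs[int(pid)]["events"].append(("dropped_dll_loaded", proc))
    for flow, pid, proc in FLOW_PID_PROC.findall(NET_FLOWS):
        procs[int(pid)]["process"].add(proc)
        procs[int(pid)]["events"].append(("blocklisted_net_flow", int(flow)))
    for pid, _dump_id, start, end, family in MEM_DMP.findall(YARA_HITS):
        # The YARA record names no process; the pid -> image mapping comes
        # from the other sections, which is exactly why we join on pid.
        procs[int(pid)]["events"].append(
            ("yara_family_hit", family, (int(start, 16), int(end, 16))))
    return dict(procs)


def count_events(procs, pid, kind):
    """Number of events of one kind recorded for pid (0 for unknown pids)."""
    return sum(1 for ev in procs.get(pid, {"events": []})["events"] if ev[0] == kind)


def yara_regions(procs, pid):
    """(family, start, end, size_in_bytes) for each memory-dump YARA hit on pid."""
    return [(ev[1], ev[2][0], ev[2][1], ev[2][1] - ev[2][0])
            for ev in procs.get(pid, {"events": []})["events"]
            if ev[0] == "yara_family_hit"]


def pids_with_family_hit_and_network(procs):
    """Pids that both matched a family YARA rule in memory and made a
    blocklisted network request: the first place to look."""
    hit = {p for p in procs if count_events(procs, p, "yara_family_hit")}
    net = {p for p in procs if count_events(procs, p, "blocklisted_net_flow")}
    return sorted(hit & net)


if __name__ == "__main__":
    report = parse_report()
    for pid in pids_with_family_hit_and_network(report):
        print(pid, sorted(report[pid]["process"]), yara_regions(report, pid),
              "dll loads:", count_events(report, pid, "dropped_dll_loaded"))
```

Paste the full record strings from the page to run it over everything. Pids are joined as-is; a sandbox run can reuse a pid after a process exits, so a pid whose image name differs between sections should be read as two processes, which is why image names are collected as a set rather than a single value.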
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only)  \??\A: through \??\Z: except C:, D: and F:  MSIEXEC.EXE  (23 opens)
File opened (read-only)  \??\A: through \??\Z: except C:, D: and F:  msiexec.exe  (23 opens)
The two spellings are listed by the report as separate process images; each opened the same 23 drive roots (A, B, E and G through Z). Windows Installer checks volumes during its costing (free-space) pass, so ordinary MSI installs trigger this signature too; it is weak evidence by itself. -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory 14 IoCs
description ioc Process
File created  C:\Windows\SysWOW64\RICHTX32.OCX  msiexec.exe
File created  C:\Windows\SysWOW64\MSCOMCTL.OCX  msiexec.exe
File created  C:\Windows\SysWOW64\vbalProgBar6.ocx  msiexec.exe
File created  C:\Windows\SysWOW64\Codejock.Controls.Unicode.v17.1.0.ocx  msiexec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141  MsiExec.exe
The four .ocx drops are 32-bit ActiveX controls (SysWOW64 path) written by the installer service. CryptnetUrlCache is CryptoAPI's cache for objects fetched over the network (certificates, CRLs, OCSP responses); the config\systemprofile location means the writing MsiExec.exe ran as LocalSystem, and three cached objects (three MetaData/Content pairs) were written during the run. These are the expected side effect of certificate-chain validation reaching out to the network and are worth checking against the two MsiExec network flows above. -
Drops file in Program Files directory 64 IoCs
description ioc Process
Install root is C:\Program Files (x86)\Palisade\ (32-bit Program Files); every entry is "File created" by msiexec.exe unless marked otherwise. The list stops at 64 entries and is not the full file set.

Evolver8\
  Examples\English\Evolver Quick Start.xlsx
  Examples\English\Scheduling Classes.xlsx
  Examples\English\Budget Allocation.xlsx
  Examples\Spanish\Panadería - Versión práctica del tutorial.xlsx
  Examples\Spanish\Variación del vendedor viajante.xlsx
  XDK\Examples\Evolver XDK Example File List.xlsx
NeuralTools8\
  Examples\English\Category Prediction\Spam Classification.xlsx
  Examples\English\Category Prediction\Auto Loans 3 - Separate Data Sets.xlsx
  Examples\English\Numeric Prediction\Abalone Age Prediction.xlsx
  Examples\Spanish\Category Prediction\Investigación de crédito.xlsx
  Examples\Spanish\NeuralTools Quick Start.pdf
  Documentation\English\NeuralTools8_EN.chm
  PalDSManager8.dll
RISK8\
  Examples\English\Getting Started 2 - Inputs and Outputs.xlsx
  Examples\English\Getting Started 4 - Simulation.xlsx
  Examples\English\Distribution Fitting.xlsx
  Examples\English\SRA - Advanced Modeling.xlsx
  Examples\Spanish\Introducción 5 - Estadísticos y gráficos.xlsx
  XDK\Examples\ExampleList_EN.xml
  XDK\RiskOL8.chm
StatTools8\
  Examples\English\Bar Chart - All Variables in Single Chart.xlsx
  Examples\English\Scatterplot - Color by Category.xlsx
  Examples\English\Hypothesis Test for Proportion - One Sample.xlsx
  Examples\English\Lilliefors Test for Normality.xlsx
  Examples\English\Sign Test.xlsx
  Examples\English\Histogram.xlsx
  Examples\Spanish\Selección del tamaño de la muestra.xlsx
  Examples\Spanish\StatTools Quick Start.pdf
  Examples\Spanish\Previsión de una serie de tiempo.xlsx
  Examples\Spanish\Análisis de componente principal - Puntuaciones de examen.xlsx
  Examples\Spanish\Datos agrupados frente a desagrupados.xlsx
  Examples\Spanish\Prueba de hipótesis de la media - Una muestra.xlsx
  Analyses\Core\StatToolsCombination.xla
  Analyses\Core\StatToolsHypothesisTest.xla
  Analyses\Core\StatToolsControlChartXR.xla
  Analyses\Core\StatToolsPrincipalComponentAnalysis.xla
  Analyses\Core\StatToolsOneVarSummary.xla
  Analyses\Core\StatToolsQQNormal.xla
  StatToolsOL.dll
PrecisionTree8\
  PtreeExcel12_EN.xlam
  Examples\English\Logic Nodes.xlsx
  Examples\English\Pricing an American Put Option.xlsx
  XDK\Examples\PrecisionTree XDK - Creating Tree 1.xlsm
  XDK\Examples\PrecisionTree XDK - Creating Tree 4.xlsm
  Resources\Spanish\PtreeOL8_ES.dll
TopRank8\
  TopRankExcel12_EN.xlam
  Examples\English\Profit Model 5 - RiskVaryTable Function.xlsx
  Examples\Spanish\Modelo de beneficio 3 - Función RiskVary.xlsx
  Resources\English\TopRank8_XLA_EN.dll
System\
  Palisade.Evolver.Testing8.tlb
  Palisade.EvolverVB6.Main8.dll
  Palisade.StatTools.Main8.dll
  PalExcelReporting8.dll
  PalGraph8Server.exe.config
  lmutil.exe
  DevExpress.XtraGantt.v21.2.dll
  DevExpress.XtraGrid.v21.2.dll
  DevExpress.Charts.v21.2.Core.dll
  DevExpress.Printing.v21.2.Core.dll
  DevExpress.PivotGrid.v21.2.Core.dll
  DevExpress.DataAccess.v21.2.dll
  Palisade.DT.Licensing8.tlb  (File opened for modification, RegAsm.exe)
  Palisade.DT.Core8.tlb  (File opened for modification, RegAsm.exe)
Outside the Palisade tree:
  C:\Program Files (x86)\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService.exe  (File opened for modification, MsiExec.exe)

What is installed is an Excel add-in suite (.xlam add-ins, .xla analyses, DevExpress 21.2 UI assemblies, .NET type libraries generated through RegAsm.exe) with FlexNet licensing (lmutil.exe and FNPLicensingService.exe). The Strela memory match above is in MsiExec.exe, not in any of these dropped files, so this report does not identify any of them as the payload. -
Drops file in Windows directory 64 IoCs
description ioc Process
Every entry is by msiexec.exe and, unless a full path is given, lives under C:\Windows\Installer\. The list stops at 64 entries.

Product directory {EBFF011D-73DC-4534-8D3B-A91F62BE1895}\ (Add/Remove Programs icon, shortcut-icon stubs and a language transform):
  File created: ARPPRODUCTICON.exe, 1033.MST, NewShortcut1_4601731AEAD8496F9B1CE55654AA235B.exe, NewShortcut2_428EFBB5D1654B158655133664E18341.exe, NewShortcut3_8867F9E1D69043A597F317BFEDD11736.exe, NewShortcut4_390EDB1265BF4BA899ADD607C2F99433.exe, NewShortcut8_50EBF8B2D24746AC916493B0C4660974.exe, NewShortcut9_430835B1813B4E60A28813C4F6A02D76.exe, NewShortcut11_6D7E05708327485296D35CD8D35852D1.exe, NewShortcut12_7F26251EC52145C18BF10FFAB708FF59.exe, NewShortcut13_4D30BE7E9E7B4305B730B2070464CBFC.exe, NewShortcut14_5D630CF37D614D94ADE1BBA77761DCBB.exe, NewShortcut17_3FF4B13B76FF4C28A19E9335E1368BA2.exe
  File opened for modification: ARPPRODUCTICON.exe, 1033.MST, NewShortcut2_428EFBB5D1654B158655133664E18341.exe, NewShortcut3_8867F9E1D69043A597F317BFEDD11736.exe, NewShortcut5_BA5CC4F5092A470AB88AE821D5538FB5.exe, NewShortcut9_430835B1813B4E60A28813C4F6A02D76.exe, NewShortcut11_6D7E05708327485296D35CD8D35852D1.exe, NewShortcut13_4D30BE7E9E7B4305B730B2070464CBFC.exe, NewShortcut17_3FF4B13B76FF4C28A19E9335E1368BA2.exe

Patch cache $PatchCache$\Managed\D110FFBECD374354D8B39AF126EB8159\8.6.1021\ (baseline copies of merge-module components, kept for later patching):
  File opened for modification: the 8.6.1021 directory itself, Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24, Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24, Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24, Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24, Global_Controls_COMCATDLL_f0.3207D1B0_80E5_11D2_B95D_006097C4DE24, Global_VC_CRT_f0.51D569E0_8A28_11D2_B962_006097C4DE24
  File created: Global_System_OLEAUT32_f2.8C0C59A0_7DC8_11D2_B95D_006097C4DE24, Global_System_OLEAUT32_f3.8C0C59A0_7DC8_11D2_B95D_006097C4DE24, Global_System_STDOLE_f1.8C0C59A0_7DC8_11D2_B95D_006097C4DE24, Global_System_OLEPRO32_f0.8C0C59A0_7DC8_11D2_B95D_006097C4DE24, Global_VC_CRT_f0.51D569E0_8A28_11D2_B962_006097C4DE24, Global_Vba_VbRuntime_f0.1E64E430_36E0_11D2_A794_0060089A724B

Installer housekeeping:
  File created: e5b6b3a.msi, e5b6b3d.msi, e5b6b3b.mst, SourceHash{EBFF011D-73DC-4534-8D3B-A91F62BE1895}, inprogressinstallinfo.ipi
  File opened for modification: e5b6b3a.msi, e5b6b3b.mst, C:\Windows\Installer\ (the directory)
  File opened for modification (extracted custom-action binaries): MSI6C34.tmp, MSI70C8.tmp, MSI7657.tmp, MSI7917.tmp, MSI7B99.tmp, MSI7BB9.tmp, MSI7C18.tmp, MSI82A2.tmp, MSI9E59.tmp, MSICCDC.tmp, MSID5A7.tmp, MSID5D7.tmp, MSIDA2D.tmp, MSIE1B1.tmp, MSIE387.tmp, MSIE6B4.tmp, MSIE8A9.tmp

.NET assembly installation:
  File created: C:\Windows\assembly\GACLock.dat, C:\Windows\assembly\tmp\NK8B83IJ\OptQuestNET.dll, C:\Windows\assembly\tmp\9H2I6Q08\OptQuestNET.dll
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

D110FFBECD374354D8B39AF126EB8159 is the product code {EBFF011D-73DC-4534-8D3B-A91F62BE1895} in Windows Installer's compressed GUID form, and 8.6.1021 is the ProductVersion. The MSIxxxx.tmp files are where Windows Installer extracts embedded custom-action DLLs and executables before running them inside MsiExec.exe; they are the first artefacts to pull from the sandbox to learn what code actually ran in the MsiExec.exe instances, pid 4428 included. -
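The $PatchCache$\Managed\D110FFBECD374354D8B39AF126EB8159 directory and the {EBFF011D-73DC-4534-8D3B-A91F62BE1895} product directory above are one product code in two encodings: Windows Installer stores GUIDs in the registry (HKCR\Installer\Products, the Installer\UserData hive) and in $PatchCache$ in a "compressed" 32-character form, with the first three GUID fields reversed whole and the last two reversed two hex digits at a time. The following added example (the editor's code, not the report's and not Microsoft's) converts between the two forms so Installer registry and file artefacts can be tied back to a product code; the $PatchCache$ path regex is an assumption matching the layout seen on this page.

```python
"""Windows Installer 'compressed' (squished) GUIDs.

Added example for this page, not the report's or Microsoft's code. The
encoding: fields 1-3 of the GUID are reversed as whole strings, fields 4 and
5 are reversed two hex digits at a time. Both directions are self-inverse.
The $PatchCache$ path pattern is an assumption based on the paths above.
"""
import re

_GUID = re.compile(
    r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
    r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$")
# C:\Windows\Installer\$PatchCache$\Managed\<32 hex chars>\<ProductVersion>\...
_PATCHCACHE = re.compile(r"\$PatchCache\$\\Managed\\([0-9A-Fa-f]{32})(?:\\|$)")


def _swap_pairs(s: str) -> str:
    """'D8B3' -> '8D3B': reverse each two-character group in place."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def squish_guid(guid: str) -> str:
    """{EBFF011D-73DC-4534-8D3B-A91F62BE1895} -> D110FFBECD374354D8B39AF126EB8159"""
    m = _GUID.match(guid.strip())
    if not m:
        raise ValueError(f"not a GUID: {guid!r}")
    a, b, c, d, e = (part.upper() for part in m.groups())
    return a[::-1] + b[::-1] + c[::-1] + _swap_pairs(d) + _swap_pairs(e)


def unsquish_guid(squished: str) -> str:
    """Inverse of squish_guid: 32 hex chars -> braced, upper-case GUID."""
    s = squished.strip().upper()
    if len(s) != 32 or any(ch not in "0123456789ABCDEF" for ch in s):
        raise ValueError(f"not a compressed GUID: {squished!r}")
    return "{%s-%s-%s-%s-%s}" % (
        s[0:8][::-1], s[8:12][::-1], s[12:16][::-1],
        _swap_pairs(s[16:20]), _swap_pairs(s[20:32]))


def patchcache_product(path: str):
    """Product code for a ...\\$PatchCache$\\Managed\\<ID>\\... path, else None."""
    m = _PATCHCACHE.search(path)
    return unsquish_guid(m.group(1)) if m else None


if __name__ == "__main__":
    p = (r"C:\Windows\Installer\$PatchCache$\Managed\D110FFBECD374354D8B39AF126EB8159"
         r"\8.6.1021\Global_VC_CRT_f0.51D569E0_8A28_11D2_B962_006097C4DE24")
    print(patchcache_product(p))  # the {EBFF011D-...} product directory above
```

The same conversion applies to the squished IDs under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\<SID>\Products, which is where an incident responder looks up which MSI package installed a given file.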
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid   pid_target  Process       procid_target
5920  4556        WerFault.exe  436
WerFault.exe (pid 5920) handled a crash of pid 4556, one of the _isC6ED.exe instances listed under Executes dropped EXE. -
System Location Discovery: System Language Discovery 1 TTPs 58 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
All 58 entries are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language". Readers, RegAsm.exe alone accounting for 20 of the 58: RegAsm.exe, MsiExec.exe, MSIEXEC.EXE, RiskPlatform-cust-Setup (1).exe, cmd.exe, DllHost.exe, FNPLicensingService.exe, PalFlexServer8.exe, PalNTSvr8.exe, PalGraph8Server.exe, Palisade.DT.SoftwareUpdater8.exe, Palisade.Risk.Launcher.exe, Palisade.Risk.ProgressProcess8.exe, Palisade.PrecisionTree.Launcher.exe, PtreeOutOfProcessServer.exe, EvolverOutOfProcessServer8.exe, EvolverWatcher.exe, NeuralToolsOutOfProcessServer8.exe, StatToolsOutOfProcessServer8.exe, TopRankOutOfProcessServer.exe, TopRankProgress.exe.
Opening Control\NLS\Language is part of ordinary locale initialisation and happens in nearly every process on the system (cmd.exe and DllHost.exe are in the list); the signature is informational and does not distinguish the sample from the Windows components around it. -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value elided)  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
The sandbox-detection reading does not fit here: every entry is written, not read, by vssvc.exe, the Volume Shadow Copy service, and describes the analysis host's own disk (the SnapshotDataCache blob starts with the ASCII tag SNAPPART, 53 4e 41 50 50 41 52 54). None of the sample's processes touches these keys. -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE  (2 times)
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE  (2 times)
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE  (2 times)
-
Enumerates system info in registry 2 TTPs 9 IoCs
description ioc Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                      EXCEL.EXE  (2 times)
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU           EXCEL.EXE  (2 times)
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily        EXCEL.EXE  (2 times)
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Both signatures fire only on EXCEL.EXE and msedge.exe, Microsoft applications that are part of the analysis image rather than files from the sample (Excel being the host for the .xlam add-ins installed under Program Files). Hardware reads by those two processes carry no weight as sandbox-evasion evidence against the sample. -
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}\AlternateCLSID = "{556C2772-F1AD-4DE1-8456-BD6E8F66113B}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C} | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402} | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}\Compatibility Flags = "1024" | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Compatibility Flags = "1024" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}" | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\AlternateCLSID = "{95F0B3BE-E8AC-4995-9DCA-419849E06410}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{585AA280-ED8B-46B2-93AE-132ECFA1DAFC}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\AlternateCLSID = "{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\AlternateCLSID = "{585AA280-ED8B-46B2-93AE-132ECFA1DAFC}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{95F0B3BE-E8AC-4995-9DCA-419849E06410}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{556C2772-F1AD-4DE1-8456-BD6E8F66113B}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}" | MsiExec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | EXCEL.EXE
Key created | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Compatibility Flags = "1024" | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9A948063-66C3-4F63-AB46-582EDAA35047}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628} | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5BAADB36-D13B-4708-B8E6-7FACF1BF6783} | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5BAADB36-D13B-4708-B8E6-7FACF1BF6783}\Compatibility Flags = "1024" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628} | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\Compatibility Flags = "1024" | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}\Compatibility Flags = "1024" | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628} | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628} | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" | MsiExec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58} | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\Compatibility Flags = "1024" | MsiExec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | EXCEL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385} | MsiExec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\Compatibility Flags = "1024" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\AlternateCLSID = "{9A948063-66C3-4F63-AB46-582EDAA35047}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628} | MsiExec.exe
-
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | RegAsm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | RegAsm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | RegAsm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | RegAsm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | RegAsm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | RegAsm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | RegAsm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | RegAsm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | RegAsm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | RegAsm.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | RegAsm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | RegAsm.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | RegAsm.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | RegAsm.exe
-
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2C38F1E3-1FD8-3DED-B853-7A2E4A7B15D5}\8.0.0.0\Class = "Palisade.Risk.XDK.RiskFixedParameter" | RegAsm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2FC85B27-BD1B-4BE1-AD6A-3745BDD07317}\TypeLib\Version = "3.0" | PalNTSvr8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D96F0B1C-91D5-4ED4-AA34-677D27316792}\ = "OutputOfFormDViewOptions" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{597BC838-EFFF-42AF-9A1C-BCF0F8C8A117}\TypeLib\Version = "1.0" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5617023B-3947-4657-8F74-96531D773F71}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | PtreeOutOfProcessServer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BA495BDA-4CDF-4488-B136-FE2AD715FB49}\TypeLib | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TopRankReports8_ES.ResourceServer\Clsid | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41C6E544-22CA-45FC-A1C9-40AC806D8103}\VERSION | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1CE06588-75E0-43F8-8E72-D63E2D3CCF26}\ = "_PGrGraph" | PalGraph8Server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{79B29EE6-9516-424C-BC4E-6E13EA8CBE24}\1.0\0\win32 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{786CD3E1-DD4A-40EA-A3E6-5B3E35557385}\ProgID\ = "Codejock.TaskDialog.17.1.0" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{17FD16F1-593A-38C1-B9B6-FFEE8A581854}\8.0.0.0\CodeBase = "file:///C:/Program Files (x86)/Palisade/System/Palisade.DT.Graphing8.DLL" | RegAsm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Palisade.DecisionTools.NeuralNets.TagVariable | RegAsm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6A515B66-87E1-4516-9969-73D3958D6052}\TypeLib\Version = "2.0" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\STControls8.STControlsVarSelectorField\ = "STControls8.STControlsVarSelectorField" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8331BEC8-61A2-4F25-84CA-F4AEE4D03382} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61212568-86E0-409D-AA40-1E2DC280FB14}\ = "The root PrecisionTree application object." | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{39050EC6-E1DB-49EB-8005-3A7EC9F6AB3E}\TypeLib | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{21D37E05-7FEE-42F7-A6BA-0D17ED3D0996}\Version\ = "17.1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB55A104-E166-4A47-8F51-95537C259ECC}\InprocServer32\ThreadingModel = "Apartment" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CCCCCD4F-A681-3365-943E-1D4136FB8CFE}\8.0.0.0\RuntimeVersion = "v4.0.30319" | RegAsm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C99A21FC-65A7-414C-89E2-CF9EF2CC3BA7}\ProxyStubClsid32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{651CAD9E-B349-4969-B4C4-BA4E08FD0013}\Programmable | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C7FA6EBC-427B-30F3-B17D-753423427960}\8.0.0.0\Assembly = "Palisade.DT.Graphing8, Version=8.0.0.0, Culture=neutral, PublicKeyToken=048511af3aa46d20" | RegAsm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{472FD7B1-DC4F-4298-8831-1E5DDA08BC16}\TypeLib\ = "{5BD33EB4-E022-42A9-BF20-9627579CCDA6}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{AD7220E4-7956-3A7A-BA4C-A286F23AEFC9} | RegAsm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9E49D977-9E0F-3420-A862-AE7ADB36D856}\TypeLib | RegAsm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9211307-7A3E-4E3F-9775-8CD21539844A} | PalGraph8Server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{785A871B-6FED-4681-9A3D-172E68E9F336}\Programmable | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A56F6C0F-BCC7-48A0-B69E-6DD726B9B309}\ProxyStubClsid32 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A2ABE503-239B-3547-8C45-669C443B38B1}\8.0.0.0\Assembly = "Palisade.Risk.XDK8, Version=8.0.0.0, Culture=neutral, PublicKeyToken=048511af3aa46d20" | RegAsm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4DAB3F0-01E7-42D7-AF28-3C10FED69A79} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{75DE3FEC-F6BB-4107-AF87-4FF9C023388A}\TypeLib\ = "{DB0284B9-2A8F-4287-AB92-77506DBD8E5C}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5AFE902D-4C63-3B48-AC8D-8F1B01131E05}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{3DF066C1-04FB-4D7D-A1D9-014BB1410DF8}\TypeLib | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0C065DBA-D285-30EF-B12E-41795D108EC0}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | RegAsm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{949F1638-3F3E-4884-A4AB-09D54FAD708A}\TypeLib\Version = "11.1" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ActiveReportsExcelExport.DDSheets\CurVer | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{556C5FBB-108D-420D-97B2-E7A2F6624D3A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | RegAsm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0A6F8C78-2481-41B0-AA92-7C36141F7245}\TypeLib | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5539B29F-DC8F-34A2-B568-85CE6F4D3E35}\TypeLib\ = "{D3672192-D2C6-4AAE-B2E9-7EF76B6A67B5}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8B0A0033-2C65-39B5-B2B0-F193A8787DF6}\8.0.0.0\Assembly = "Palisade.Evolver.XDK8, Version=8.0.0.0, Culture=neutral, PublicKeyToken=048511af3aa46d20" | RegAsm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5CB778B0-7047-402F-9DEA-0234073F756B}\TypeLib | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D8028069-6176-414B-A154-4002F9D72CD0}\TypeLib | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8CC04F9B-E70E-4F11-96B0-7A7B65B177DD}\1.0\0\win32\ = "C:\\Program Files (x86)\\Palisade\\TopRank8\\Resources\\English\\TopRankProgress8_EN.dll" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0383B7D3-A2ED-489C-983A-A54B4C40B99F}\TypeLib\Version = "11.1" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7859A19D-683D-4AAD-B407-0A48329BA022}\ = "_StatTools_RandomSample" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{61212568-86E0-409D-AA40-1E2DC280FB14} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8F50C9F-4711-4856-8337-2FF68BAD1C6A}\TypeLib\ = "{A8E5842E-102B-4289-9D57-3B3F5B5E15D3}" | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{40786594-BD61-3DB5-A737-235E0CC4E645}\8.0.0.0\RuntimeVersion = "v4.0.30319" | RegAsm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DBC4951F-74BD-3A69-9E2B-2D8557AD4526}\ProxyStubClsid32 | RegAsm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B121220-2B80-4CAD-853F-78B4F451CBCC}\ = "EvolverOutOfProcessServer8.ObjCreator" | EvolverOutOfProcessServer8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DCAAC158-8D07-4827-8711-1EA0FD8EE332}\TypeLib | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1DDF7BFE-C546-445C-A48D-4A366963D5C8} | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{39AFE206-3607-39F0-9BF1-19F237A81527}\ProgId\ = "Palisade.Risk.XDK.RiskModelDefinitionInput" | RegAsm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A77D2771-16EA-3F22-890C-F011E3C39E85}\8.0.0.0\Assembly = "Palisade.DT.Graphing8, Version=8.0.0.0, Culture=neutral, PublicKeyToken=048511af3aa46d20" | RegAsm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83DEF925-0A6A-3E35-8F98-3F8FFBE79570}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | RegAsm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TopRankModel8.Server\ = "TopRankModel8.Server" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F7BB263-1155-4F32-899C-F7FED1989358}\ProxyStubClsid | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8BD1F86-C813-3051-B9AF-4250AB7C6F66}\8.0.0.0\RuntimeVersion = "v4.0.30319" | RegAsm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C99A21FC-65A7-414C-89E2-CF9EF2CC3BA7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3206F137-1477-3D65-A5A7-D334C0F7057D}\TypeLib | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EADAFAC-D62D-33EA-A5DF-E8A058604423}\ProxyStubClsid32 | RegAsm.exe
-
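The registry tables above all use one row layout, and the rows that matter are easy to lose among hundreds of routine COM registrations. The script below is an added example, not the sandbox's own tooling. It parses rows in that layout and pulls out four things: a "Compatibility Flags" value with bit 0x400 (decimal 1024) under ActiveX Compatibility, which is the kill bit that stops Internet Explorer from instantiating that CLSID, together with the AlternateCLSID the installer points to instead; zone-map changes written under HKEY_USERS\.DEFAULT, the hive that belongs to the LocalSystem account, which is why RegAsm.exe lands there when it runs under the Windows Installer service rather than as the logged-on user; CLSIDs that received an InprocServer32 or LocalServer32 entry; and BIOS key reads per process. The row grammar is inferred from the tables, and SAMPLE_ROWS is a handful of rows copied from them as constructed offline input; nothing else is assumed.

```python
"""Classify the registry rows of a sandbox behaviour report.

Added example, not part of the sandbox report. It assumes the row layout seen
in the tables: '<action> <path>[ = "<value>"] <process>'.
"""
import re
from collections import Counter

ROW_RE = re.compile(
    r'^(?P<action>Key created|Key opened|Key deleted|Key value queried|'
    r'Set value \((?:int|str)\)) (?P<path>.+?)(?: = "(?P<value>.*)")? (?P<proc>\S+)$'
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Bit 0x400 of "Compatibility Flags" under ActiveX Compatibility is the kill bit:
# IE refuses to load that CLSID and, if AlternateCLSID is set, loads that one instead.
KILL_BIT = 0x400

# Constructed sample: rows copied from the report tables above.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628} MsiExec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024" MsiExec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{556C2772-F1AD-4DE1-8456-BD6E8F66113B}" MsiExec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ RegAsm.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" RegAsm.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" RegAsm.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" EXCEL.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AB55A104-E166-4A47-8F51-95537C259ECC}\InprocServer32\ThreadingModel = "Apartment" msiexec.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
"""


def parse_row(line):
    """Return the row's fields as a dict, or None if the line is not a row."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(row):
    """Map one parsed row to a finding tuple, or None if it is routine noise."""
    path, value = row["path"], row["value"]
    up = path.upper()
    clsids = [c.upper() for c in CLSID_RE.findall(path)]
    if "\\ACTIVEX COMPATIBILITY\\" in up and clsids:
        if up.endswith("\\COMPATIBILITY FLAGS") and value and value.isdigit():
            if int(value) & KILL_BIT:
                return ("kill_bit", clsids[0])
        elif up.endswith("\\ALTERNATECLSID") and value:
            return ("redirect", clsids[0], value.upper())
        return None
    if up.startswith("\\REGISTRY\\USER\\.DEFAULT\\") and "\\ZONEMAP\\" in up and value is not None:
        return ("default_profile_zonemap", path.rsplit("\\", 1)[1], value)
    if "\\CLSID\\" in up and ("\\INPROCSERVER32" in up or "\\LOCALSERVER32" in up) and clsids:
        return ("com_server", clsids[-1])
    if "\\HARDWARE\\DESCRIPTION\\SYSTEM\\" in up:
        return ("hardware_query", path.rsplit("\\", 1)[1])
    return None


def analyse(text):
    """Parse every row in `text` and aggregate the findings per process."""
    findings = {
        "kill_bits": set(), "redirects": {}, "default_profile_zonemap": Counter(),
        "com_servers": set(), "hardware_queries": Counter(), "rows_by_process": Counter(),
    }
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        proc = row["proc"]
        findings["rows_by_process"][proc] += 1
        label = classify(row)
        if label is None:
            continue
        kind = label[0]
        if kind == "kill_bit":
            findings["kill_bits"].add(label[1])
        elif kind == "redirect":
            findings["redirects"][label[1]] = label[2]
        elif kind == "default_profile_zonemap":
            findings["default_profile_zonemap"][(proc, label[1])] += 1
        elif kind == "com_server":
            findings["com_servers"].add(label[1])
        elif kind == "hardware_query":
            findings["hardware_queries"][proc] += 1
    return findings


if __name__ == "__main__":
    for key, val in analyse(SAMPLE_ROWS).items():
        print(f"{key}: {val}")
```

Feed it the full tables and the kill-bit set will contain every CLSID the installer retired, with the redirect map showing which replacement control each one now resolves to; a kill bit on a CLSID the installer does not also replace, or zone-map rows under .DEFAULT from a process that is not running as a service, are the cases worth a closer look.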
Suspicious behavior: AddClipboardFormatListener 3 IoCs
pid | Process
2916 | EXCEL.EXE
2316 | EXCEL.EXE
3732 | explorer.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
3792 | msiexec.exe
3792 | msiexec.exe
4428 | MsiExec.exe
4428 | MsiExec.exe
2792 | Palisade.PrecisionTree.Launcher.exe
624 | Palisade.Risk.Launcher.exe
2520 | msedge.exe
2520 | msedge.exe
4248 | msedge.exe
4248 | msedge.exe
2372 | identity_helper.exe
2372 | identity_helper.exe
4248 | msedge.exe
4248 | msedge.exe
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
2316 | EXCEL.EXE
3732 | explorer.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid | Process | count
4248 | msedge.exe | 7
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeRestorePrivilege | 208 | 7zG.exe
Token: 35 | 208 | 7zG.exe
Token: SeSecurityPrivilege | 208 | 7zG.exe
Token: SeSecurityPrivilege | 208 | 7zG.exe
Token: SeRestorePrivilege | 2468 | 7zG.exe
Token: 35 | 2468 | 7zG.exe
Token: SeSecurityPrivilege | 2468 | 7zG.exe
Token: SeSecurityPrivilege | 2468 | 7zG.exe
Token: SeShutdownPrivilege | 856 | MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege | 856 | MSIEXEC.EXE
Token: SeSecurityPrivilege | 3792 | msiexec.exe
Token: SeCreateTokenPrivilege | 856 | MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege | 856 | MSIEXEC.EXE
Token: SeLockMemoryPrivilege | 856 | MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege | 856 | MSIEXEC.EXE
Token: SeMachineAccountPrivilege | 856 | MSIEXEC.EXE
Token: SeTcbPrivilege | 856 | MSIEXEC.EXE
Token: SeSecurityPrivilege | 856 | MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege | 856 | MSIEXEC.EXE
Token: SeLoadDriverPrivilege | 856 | MSIEXEC.EXE
Token: SeSystemProfilePrivilege | 856 | MSIEXEC.EXE
Token: SeSystemtimePrivilege | 856 | MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege | 856 | MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege | 856 | MSIEXEC.EXE
Token: SeCreatePagefilePrivilege | 856 | MSIEXEC.EXE
Token: SeCreatePermanentPrivilege | 856 | MSIEXEC.EXE
Token: SeBackupPrivilege | 856 | MSIEXEC.EXE
Token: SeRestorePrivilege | 856 | MSIEXEC.EXE
Token: SeShutdownPrivilege | 856 | MSIEXEC.EXE
Token: SeDebugPrivilege | 856 | MSIEXEC.EXE
Token: SeAuditPrivilege | 856 | MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege | 856 | MSIEXEC.EXE
Token: SeChangeNotifyPrivilege | 856 | MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege | 856 | MSIEXEC.EXE
Token: SeUndockPrivilege | 856 | MSIEXEC.EXE
Token: SeSyncAgentPrivilege | 856 | MSIEXEC.EXE
Token: SeEnableDelegationPrivilege | 856 | MSIEXEC.EXE
Token: SeManageVolumePrivilege | 856 | MSIEXEC.EXE
Token: SeImpersonatePrivilege | 856 | MSIEXEC.EXE
Token: SeCreateGlobalPrivilege | 856 | MSIEXEC.EXE
Token: SeCreateTokenPrivilege | 856 | MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege | 856 | MSIEXEC.EXE
Token: SeLockMemoryPrivilege | 856 | MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege | 856 | MSIEXEC.EXE
Token: SeMachineAccountPrivilege | 856 | MSIEXEC.EXE
Token: SeTcbPrivilege | 856 | MSIEXEC.EXE
Token: SeSecurityPrivilege | 856 | MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege | 856 | MSIEXEC.EXE
Token: SeLoadDriverPrivilege | 856 | MSIEXEC.EXE
Token: SeSystemProfilePrivilege | 856 | MSIEXEC.EXE
Token: SeSystemtimePrivilege | 856 | MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege | 856 | MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege | 856 | MSIEXEC.EXE
Token: SeCreatePagefilePrivilege | 856 | MSIEXEC.EXE
Token: SeCreatePermanentPrivilege | 856 | MSIEXEC.EXE
Token: SeBackupPrivilege | 856 | MSIEXEC.EXE
Token: SeRestorePrivilege | 856 | MSIEXEC.EXE
Token: SeShutdownPrivilege | 856 | MSIEXEC.EXE
Token: SeDebugPrivilege | 856 | MSIEXEC.EXE
Token: SeAuditPrivilege | 856 | MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege | 856 | MSIEXEC.EXE
Token: SeChangeNotifyPrivilege | 856 | MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege | 856 | MSIEXEC.EXE
Token: SeUndockPrivilege | 856 | MSIEXEC.EXE
-
Suspicious use of FindShellTrayWindow 32 IoCs
pid | Process | count
208 | 7zG.exe | 1
2468 | 7zG.exe | 1
856 | MSIEXEC.EXE | 2
4248 | msedge.exe | 26
3732 | explorer.exe | 2
-
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process | count
4248 | msedge.exe | 24
-
Suspicious use of SetWindowsHookEx 64 IoCs
pid | Process | count
1724 | RiskPlatform-cust-Setup (1).exe | 1
728 | RiskPlatform-cust-Setup (1).exe | 1
4320 | RiskPlatform-cust-Setup (1).exe | 1
2516 | RiskPlatform-cust-Setup (1).exe | 1
2792 | Palisade.PrecisionTree.Launcher.exe | 2
2916 | EXCEL.EXE | 15
4380 | PtreeOutOfProcessServer.exe | 1
2916 | EXCEL.EXE | 5
4380 | PtreeOutOfProcessServer.exe | 1
2916 | EXCEL.EXE | 10
3080 | Palisade.DT.SoftwareUpdater8.exe | 2
2916 | EXCEL.EXE | 4
624 | Palisade.Risk.Launcher.exe | 2
2316 | EXCEL.EXE | 18
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1724 wrote to memory of 728 | 1724 | RiskPlatform-cust-Setup (1).exe | 117
PID 1724 wrote to memory of 728 | 1724 | RiskPlatform-cust-Setup (1).exe | 117
PID 1724 wrote to memory of 728 | 1724 | RiskPlatform-cust-Setup (1).exe | 117
PID 728 wrote to memory of 856 | 728 | RiskPlatform-cust-Setup (1).exe | 118
PID 728 wrote to memory of 856 | 728 | RiskPlatform-cust-Setup (1).exe | 118
PID 728 wrote to memory of 856 | 728 | RiskPlatform-cust-Setup (1).exe | 118
PID 3792 wrote to memory of 1452 | 3792 | msiexec.exe | 120
PID 3792 wrote to memory of 1452 | 3792 | msiexec.exe | 120
PID 3792 wrote to memory of 1452 | 3792 | msiexec.exe | 120
PID 1452 wrote to memory of 1964 | 1452 | MsiExec.exe | 121
PID 1452 wrote to memory of 1964 | 1452 | MsiExec.exe | 121
PID 1452 wrote to memory of 1860 | 1452 | MsiExec.exe | 122
PID 1452 wrote to memory of 1860 | 1452 | MsiExec.exe | 122
PID 1452 wrote to memory of 408 | 1452 | MsiExec.exe | 123
PID 1452 wrote to memory of 408 | 1452 | MsiExec.exe | 123
PID 1452 wrote to memory of 2220 | 1452 | MsiExec.exe | 124
PID 1452 wrote to memory of 2220 | 1452 | MsiExec.exe | 124
PID 1452 wrote to memory of 1320 | 1452 | MsiExec.exe | 125
PID 1452 wrote to memory of 1320 | 1452 | MsiExec.exe | 125
PID 1452 wrote to memory of 1976 | 1452 | MsiExec.exe | 126
PID 1452 wrote to memory of 1976 | 1452 | MsiExec.exe | 126
PID 1452 wrote to memory of 2120 | 1452 | MsiExec.exe | 127
PID 1452 wrote to memory of 2120 | 1452 | MsiExec.exe | 127
PID 1452 wrote to memory of 4396 | 1452 | MsiExec.exe | 128
PID 1452 wrote to memory of 4396 | 1452 | MsiExec.exe | 128
PID 1452 wrote to memory of 3168 | 1452 | MsiExec.exe | 129
PID 1452 wrote to memory of 3168 | 1452 | MsiExec.exe | 129
PID 1452 wrote to memory of 2792 | 1452 | MsiExec.exe | 130
PID 1452 wrote to memory of 2792 | 1452 | MsiExec.exe | 130
PID 1452 wrote to memory of 3036 | 1452 | MsiExec.exe | 132
PID 1452 wrote to memory of 3036 | 1452 | MsiExec.exe | 132
PID 1452 wrote to memory of 3332 | 1452 | MsiExec.exe | 133
PID 1452 wrote to memory of 3332 | 1452 | MsiExec.exe | 133
PID 1452 wrote to memory of 388 | 1452 | MsiExec.exe | 134
PID 1452 wrote to memory of 388 | 1452 | MsiExec.exe | 134
PID 1452 wrote to memory of 5036 | 1452 | MsiExec.exe | 135
PID 1452 wrote to memory of 5036 | 1452 | MsiExec.exe | 135
PID 1452 wrote to memory of 864 | 1452 | MsiExec.exe | 136
PID 1452 wrote to memory of 864 | 1452 | MsiExec.exe | 136
PID 1452 wrote to memory of 2112 | 1452 | MsiExec.exe | 137
PID 1452 wrote to memory of 2112 | 1452 | MsiExec.exe | 137
PID 1452 wrote to memory of 60 | 1452 | MsiExec.exe | 138
PID 1452 wrote to memory of 60 | 1452 | MsiExec.exe | 138
PID 1452 wrote to memory of 2036 | 1452 | MsiExec.exe | 139
PID 1452 wrote to memory of 2036 | 1452 | MsiExec.exe | 139
PID 1452 wrote to memory of 1212 | 1452 | MsiExec.exe | 140
PID 1452 wrote to memory of 1212 | 1452 | MsiExec.exe | 140
PID 1452 wrote to memory of 3676 | 1452 | MsiExec.exe | 141
PID 1452 wrote to memory of 3676 | 1452 | MsiExec.exe | 141
PID 1452 wrote to memory of 2236 | 1452 | MsiExec.exe | 142
PID 1452 wrote to memory of 2236 | 1452 | MsiExec.exe | 142
PID 1452 wrote to memory of 2476 | 1452 | MsiExec.exe | 143
PID 1452 wrote to memory of 2476 | 1452 | MsiExec.exe | 143
PID 1452 wrote to memory of 748 | 1452 | MsiExec.exe | 144
PID 1452 wrote to memory of 748 | 1452 | MsiExec.exe | 144
PID 1452 wrote to memory of 4552 | 1452 | MsiExec.exe | 145
PID 1452 wrote to memory of 4552 | 1452 | MsiExec.exe | 145
PID 1452 wrote to memory of 1928 | 1452 | MsiExec.exe | 146
PID 1452 wrote to memory of 1928 | 1452 | MsiExec.exe | 146
PID 1452 wrote to memory of 5068 | 1452 | MsiExec.exe | 147
PID 1452 wrote to memory of 5068 | 1452 | MsiExec.exe | 147
PID 1452 wrote to memory of 4556 | 1452 | MsiExec.exe | 148
PID 1452 wrote to memory of 4556 | 1452 | MsiExec.exe | 148
PID 1452 wrote to memory of 4296 | 1452 | MsiExec.exe | 149
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
[level 1] C:\Windows\Explorer.exe (PID 3572)
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\RiskPlatform.zip
[level 1] C:\Windows\System32\rundll32.exe (PID 4736)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[level 1] C:\Program Files\7-Zip\7zG.exe (PID 208)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\RiskPlatform\" -spe -an -ai#7zMap2989:104:7zEvent20915
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
[level 1] C:\Program Files\7-Zip\7zG.exe (PID 2468)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap30593:104:7zEvent11530
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
[level 1] C:\Users\Admin\Desktop\RiskPlatform\RiskPlatform-cust-Setup (1).exe (PID 1724)
  Command line: "C:\Users\Admin\Desktop\RiskPlatform\RiskPlatform-cust-Setup (1).exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  [level 2] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\RiskPlatform-cust-Setup (1).exe (PID 728)
    Command line: "C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\RiskPlatform-cust-Setup (1).exe" /q"C:\Users\Admin\Desktop\RiskPlatform\RiskPlatform-cust-Setup (1).exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}" /IS_temp
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [level 3] C:\Windows\SysWOW64\MSIEXEC.EXE (PID 856)
      Command line: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{4B0ACB22-5840-488D-86C1-47907D43E537}\RiskPlatform-Setup.msi" /l*v "C:\Users\Admin\AppData\Local\Temp\Risk Platform Installer.log" TRANSFORMS="C:\Users\Admin\AppData\Local\Downloaded Installations\{4B0ACB22-5840-488D-86C1-47907D43E537}\1033.MST" SETUPEXEDIR="C:\Users\Admin\Desktop\RiskPlatform" SETUPEXENAME="RiskPlatform-cust-Setup (1).exe" IS_RUNTIME_FILES_LOCATION="C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}"
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
    [level 3] C:\Windows\SysWOW64\cmd.exe (PID 3264)
      Command line: "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}"
      - System Location Discovery: System Language Discovery
[level 1] C:\Windows\system32\msiexec.exe (PID 3792)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [level 2] C:\Windows\syswow64\MsiExec.exe (PID 1452)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F7177D0386FC3EF5F310BF6BC79D8FF6 C
    - Loads dropped DLL
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe (PID 1964)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EC02A368-B47F-400C-B3FE-71BD83834194}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe (PID 1860)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C6734F2B-EC2D-4503-9B05-95375F2D0B75}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe (PID 408)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BBC056ED-183C-43A9-B58A-62B52E2BFB32}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe (PID 2220)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{856FF686-12AF-4B79-BE37-2A4B266CC3AE}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe (PID 1320)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0BC6A626-3DD0-47FF-A05D-66B8BC51A448}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe (PID 1976)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{840F0119-DCC2-40C5-95AE-65A16221C794}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe (PID 2120)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{867AA235-1F9F-40AF-A363-098873B5299D}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe (PID 4396)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D88D827F-2E26-487D-BA6A-51E930C5CB14}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe (PID 3168)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{23A0AEA2-CB21-49E9-BD8F-0B0C0CE8BF1D}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe (PID 2792)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isBBDF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{82BA8108-3ED5-403F-9C14-238653521DE5}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe (PID 3036)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{80338103-F543-4E01-B71A-E04F45F93DF2}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe (PID 3332)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C4D9D2A-42E4-4FEB-843C-8EC89800ADD9}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe (PID 388)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{99430179-CCB8-46C4-BB27-ECC636E92468}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe (PID 5036)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1689AD97-C766-470B-9974-91A241776F68}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe (PID 864)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F2BA4C7-F738-42C1-AC47-09603D3B571B}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe (PID 2112)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3D8DFC44-8CBB-401B-B343-59838819C866}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe (PID 60)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{40E1F8B4-3DF1-448F-9E9B-AB5869A53AC5}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe (PID 2036)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{569B3F84-8120-4DD2-9436-80DD1DF2B6EA}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe (PID 1212)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{895292D7-5EF9-4A9E-8896-E7ADE03DE681}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe (PID 3676)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC343.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C0E6FEC-4081-4B99-8052-1C9EB09FB4F2}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe (PID 2236)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8B07D7D8-514D-403D-B193-95514399564D}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe (PID 2476)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C6F5D391-399B-4A99-AEFC-05AFA6622F90}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe (PID 748)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{85347A00-B566-4F2D-BAF5-3E6AA133FB5D}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe (PID 4552)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{633E17AF-39BA-4B80-865B-6A58A82CE1BD}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe (PID 1928)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EE25698A-A8AB-4C51-A21F-E998889C8913}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe (PID 5068)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{028F4B73-C94E-4B83-AB51-A48001F83275}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe (PID 4556)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FC9C1DD1-CDE9-4C6B-8AB6-25854F55F739}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe (PID 4296)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6969DF0D-09E0-40DC-BFF7-091AE2A58A0A}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe (PID 4588)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{001376BE-FC22-4FAB-8A64-B34251AA881B}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe (PID 4828)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isC6ED.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7EE9A6D8-8995-4E4D-8BB2-C6CDD00C7C0B}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe (PID 2716)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0A282B6D-B9B8-4BB2-A2F3-C56715A9EFB8}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe (PID 3212)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{067AEEFE-5D6C-49B8-9C57-E06218FE22F4}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe (PID 3188)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{68539B0B-F06F-4827-B28E-863F2B524E9F}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe (PID 5116)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C4212138-4344-44CB-9515-FCCB4B933366}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe (PID 2268)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{49D47F66-3C98-4FBD-96B9-D9041F274F36}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe (PID 552)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A4B24B32-3C8D-43EB-9833-3726BEA6D215}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe (PID 4968)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3105DBD8-73FF-40B4-8869-3DB178DBE5BE}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe (PID 1184)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2E9837DF-791D-4A86-9B4E-0EAD97C7EEDC}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe (PID 5060)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E5D356A9-CF49-48D1-9F23-ED1ACD70A7C9}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe (PID 2264)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCB15.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9C62617F-BF8D-43AB-94CB-A7E3DB76B32B}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe (PID 4468)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6C84EB05-242E-4BCB-8EBC-98C0FA62D7F4}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe (PID 4840)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{59627080-12D1-4A4B-BD1B-82F5E32B9A6C}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe (PID 1048)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EEA52284-143A-44B2-9674-4E1AF4B33426}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe (PID 1916)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5EAAB128-0A08-4CA9-86CE-2190AC3D13FA}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe (PID 3508)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{68205F04-25F8-4DC1-9B39-9A5B070B5C6F}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe (PID 2148)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8F49F46E-1E3F-453F-94B8-EACE3E17F0D9}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe (PID 2676)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F5EC4FDC-0BD2-4E72-A74C-D9E14A704C7D}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe (PID 4224)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4D0D3E09-624E-4D0F-A8F8-ACE2BED4FB11}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe (PID 664)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{086CABF4-4517-484A-83A0-F72E233F8AE5}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe (PID 1568)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isCE71.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{49341580-0F43-4F7A-9D94-8260FBC90900}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe (PID 2520)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C627C1DC-133D-4EC1-8A47-293B66602B44}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe (PID 972)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3FCB1B89-E873-46FE-B633-C85460E81D31}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe (PID 1968)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C0F47653-F064-4EE7-A288-D8CFAC1940D5}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe (PID 2304)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3328359A-C5D3-4296-AB64-CA5D0778680E}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe (PID 1384)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F4C1DE4E-EEC0-484A-B6E9-A5CB0735D55D}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe (PID 3764)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3D0F370B-2311-4EEF-8C1B-748725F52ED1}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe (PID 4132)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A6E047DD-DE1D-4840-A184-B5E68C9D418E}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe (PID 4180)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9B00FECA-6CA0-4E85-8F40-2ECE05A26C7B}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe (PID 2884)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CC79DBB0-2D35-47D0-BE9F-41FE43401FA0}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe (PID 2468)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD0B4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F862AA76-1158-4EE3-A3FD-8D596217D848}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe (PID 2248)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{14625310-99F9-48B4-A696-1965D4E659B3}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe (PID 1260)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B07F04D1-EA9F-47EC-8EC5-388FF838ADCC}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe (PID 1164)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{86118E2F-74F6-4940-A4E1-619994161C50}
      - Executes dropped EXE
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe (PID 3852)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{01C8F81B-CCDA-41B2-A3B9-DF1777E241FD}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe (PID 3536)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{21C5B2A1-AC3B-43EF-97C4-9B87CB2E4C94}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe (PID 464)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{60E6EDBF-F037-4BF6-B412-615E8556CC57}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe (PID 2940)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4032A877-22CF-4C19-B66D-9976FD76A4A7}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe (PID 1064)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2294C6A7-DB33-459F-8DFD-DE14C715911D}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe (PID 624)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D7F9C297-4828-4305-A4EB-F75E4FC5FA13}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe (PID 320)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isD2E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{13354034-7DE8-479F-97AE-3A2460652C9F}
    [level 3] C:\Users\Admin\Desktop\RiskPlatform\RiskPlatform-cust-Setup (1).exe (PID 4320)
      Command line: "C:\Users\Admin\Desktop\RiskPlatform\RiskPlatform-cust-Setup (1).exe" /embed"{271039C0-765B-46C0-B32F-504E387741D4}" /hide_splash /hide_progress /runprerequisites"Suite8,System,Common,DTS,Evolver,EvDocEN,EvDocES,EvExEN,EvExES,EvResources,EvXDK,GAC,NeuralTools,NTDoc,NTEx,NTExES,NTResources,NTXDK,PrecisionTree,PTDoc,PTEx,PTResources,PTXDK,RISK,RISKDocEN,RISKDocES,RISKExEN,RISKExES,RISKResources,RISKSys,RISKXDK,StatTools,STDocEN,STDocES,STExEN,STExES,STResources,SysResources,TopRank,TRDoc,TREx,TRResources,WinSys" /l1033 /v"TRANSFORMS=\"C:\Users\Admin\AppData\Local\Downloaded Installations\{4B0ACB22-5840-488D-86C1-47907D43E537}\1033.MST\""
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      [level 4] C:\Users\Admin\AppData\Local\Temp\{0E75F32D-463B-491D-80B1-2858647E6109}\RiskPlatform-cust-Setup (1).exe (PID 2516)
        Command line: "C:\Users\Admin\AppData\Local\Temp\{0E75F32D-463B-491D-80B1-2858647E6109}\RiskPlatform-cust-Setup (1).exe" /q"C:\Users\Admin\Desktop\RiskPlatform\RiskPlatform-cust-Setup (1).exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{0E75F32D-463B-491D-80B1-2858647E6109}" /embed"{271039C0-765B-46C0-B32F-504E387741D4}" /hide_splash /hide_progress /runprerequisites"Suite8,System,Common,DTS,Evolver,EvDocEN,EvDocES,EvExEN,EvExES,EvResources,EvXDK,GAC,NeuralTools,NTDoc,NTEx,NTExES,NTResources,NTXDK,PrecisionTree,PTDoc,PTEx,PTResources,PTXDK,RISK,RISKDocEN,RISKDocES,RISKExEN,RISKExES,RISKResources,RISKSys,RISKXDK,StatTools,STDocEN,STDocES,STExEN,STExES,STResources,SysResources,TopRank,TRDoc,TREx,TRResources,WinSys" /l1033 /v"TRANSFORMS=\"C:\Users\Admin\AppData\Local\Downloaded Installations\{4B0ACB22-5840-488D-86C1-47907D43E537}\1033.MST\"" /eprq /IS_temp
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        [level 5] C:\Windows\SysWOW64\cmd.exe (PID 1524)
          Command line: "C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{0E75F32D-463B-491D-80B1-2858647E6109}"
          - System Location Discovery: System Language Discovery
  [level 2] C:\Windows\system32\srtasks.exe (PID 1416)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  [level 2] C:\Windows\syswow64\MsiExec.exe (PID 1856)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding BC03015D7FCC28CF7ACF7262CEB1DB46
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe (PID 3288)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F03B710C-9E30-4133-973D-7E661DAA736A}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe (PID 4896)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B4D7D47A-5F67-4B0A-BA5C-C250A7AD2A5A}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe (PID 4540)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5E6FE42B-4E68-407A-90D0-269A8A8E442A}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe (PID 4248)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F54E3463-C9C0-4441-8B54-7FC904791A5F}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe (PID 1100)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{54D796E7-9F27-4817-859F-4653FC9E2BCB}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe (PID 2204)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{75903530-6C31-4F96-87DE-822AD086FC91}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe (PID 1004)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F04C3655-9CA1-4D0D-85EF-DD4FFD57457F}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe (PID 4308)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{747DB8FD-136C-4487-8808-200D9E1B7BD2}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe (PID 4488)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D0ACE10B-12A4-42EC-89A7-A5FD7A893B6F}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe (PID 3616)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is6CB1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{53638C01-0167-4C91-8734-43B4C8058FDC}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe (PID 1112)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8555AF26-32BB-4467-89CA-7D2D27859DC1}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe (PID 2832)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8F29646F-A332-4F3F-941F-BB315B6C926C}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe (PID 3496)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{582C1338-E96B-4E32-9EEE-76D56561C1E8}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe (PID 3784)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E4864150-B9EA-44C9-8416-6758013CD571}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe (PID 4572)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2FB33DBF-CC82-4D5B-BD06-B912C332DEA5}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe (PID 2344)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D808A385-E072-459B-9FF6-0B1AC9AC3C78}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe (PID 4664)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5476C6C3-EFFF-479C-A32F-833B23C8FFD6}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe (PID 4244)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6BCDB3F9-15B5-4E8B-9E08-393247CD59A9}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe (PID 1320)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4F34CF7D-9EAC-4CFD-9FCD-11A8877D8528}
    [level 3] C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe (PID 4804)
      Command line: C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is70E8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{240BA31E-0778-4BFF-8A6E-7E204C96542F}
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4602526A-3DA1-4472-AA18-65A757428659}3⤵PID:1916
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D89932CC-96E0-4C02-A347-BFEFDCE2FD48}3⤵PID:2616
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{884B83C1-673D-427D-8227-0A273735BD52}3⤵PID:904
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{86B0F3F2-F742-42F5-B312-D7A480A842AF}3⤵PID:2516
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6B9D2BAC-1ADE-4642-A87D-063140218A04}3⤵PID:4800
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{462161F4-8B88-4DED-8CAD-8A92CB19E335}3⤵PID:1520
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{18D06507-6662-443C-9C06-5DFB067A24C9}3⤵PID:5020
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BBB09EE1-09B1-45DA-BD7C-AC1F016A7368}3⤵PID:2188
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D17C7FE5-C73B-4111-A094-CC901C8DF330}3⤵PID:4372
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7696.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C677571B-8FD6-47C1-8D97-48B9B852226A}3⤵PID:928
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DCD4B7AF-9237-4121-BC94-51DFC3C5A842}3⤵PID:876
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DFBC4E50-1DEC-426C-8A91-E0809464CD78}3⤵PID:540
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CE9A32A5-6652-4C3B-A7ED-1C915E0BB125}3⤵PID:4552
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FD4E96FC-79F0-4C83-A3EC-CA7B644C0BBF}3⤵PID:4924
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E1B3566F-38CC-486A-A326-76D451A63E4C}3⤵PID:3272
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{884E8F24-6B69-462E-A87C-6B28AD5BA73A}3⤵PID:2052
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B37BDED1-D934-4758-9BCF-2F7B5CF32615}3⤵PID:1064
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CCA9C30F-7281-4285-83A6-8BE50DF8DDEF}3⤵PID:4548
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4CDED6AF-9DE4-43B5-B792-59886CE82FF8}3⤵PID:5084
-
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exeC:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_is7937.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{41774611-CA4F-4858-802F-01D56AEB57F0}3⤵PID:3264
-
-
C:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exeC:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5B36D8C0-8E0E-4A73-B8D6-7C2C96FD78FC}3⤵PID:4104
-
-
C:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exeC:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{05299ABB-28F0-4E32-9F09-778921A5FAA0}3⤵PID:2092
-
-
C:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exeC:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5D77E10D-7D7C-4147-95CD-3F0420A5F49D}3⤵PID:1484
-
-
C:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exeC:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6818371A-4252-47A2-B237-22105CF1CB60}3⤵PID:4800
-
-
C:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exeC:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{887B427A-E0E2-447D-B61B-86A350C4BB30}3⤵PID:1180
-
-
C:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exeC:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FBC61DC5-9BC8-4A3C-8E56-75071B5CB34F}3⤵PID:1000
-
-
C:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exeC:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B0835A4F-B16E-4C71-9716-CD08B7E47611}3⤵PID:4744
-
-
C:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exeC:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6337747D-4CAB-4CCF-99FC-4630CE9EA12C}3⤵PID:4212
-
-
C:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exeC:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D025D15A-713C-44B2-AFA2-2BCD3FCC0E66}3⤵PID:2452
-
-
C:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exeC:\Users\Admin\AppData\Local\Temp\{187F2E97-0AE0-414F-8087-84C7BE092716}\_isE6C8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7C1B124F-6BE1-49A4-A98A-50AC8D97570A}3⤵PID:3468
-
-
PID 4428 (depth 2): C:\Windows\syswow64\MsiExec.exe -Embedding 55231C3A49914D794F5B4D77FCA63515 E Global\MSI0000
- Loads dropped DLL
- Blocklisted process makes network request
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses

PID 428 (depth 3): C:\Users\Admin\AppData\Local\Temp\{3C31685D-2062-4A57-99E5-1A2AB562CBC7}\_is82F8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B645EF9F-9578-47D0-AACC-BD6232719170}
PID 2420 (depth 3): C:\Users\Admin\AppData\Local\Temp\{3C31685D-2062-4A57-99E5-1A2AB562CBC7}\_is82F8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6AFF7510-46BC-459D-843D-2921C03A4A6E}
PID 892 (depth 3): C:\Users\Admin\AppData\Local\Temp\{3C31685D-2062-4A57-99E5-1A2AB562CBC7}\_is82F8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CB3ADFAE-BF26-4586-AEB4-CDD0EC9A4CCB}
PID 404 (depth 3): C:\Users\Admin\AppData\Local\Temp\{3C31685D-2062-4A57-99E5-1A2AB562CBC7}\_is82F8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B2084AB2-3114-44D8-806E-6AE33FCA7A2A}
PID 3148 (depth 3): C:\Users\Admin\AppData\Local\Temp\{3C31685D-2062-4A57-99E5-1A2AB562CBC7}\_is82F8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5BFB580B-49F4-4D02-A4A0-CFF99669481C}
PID 5060 (depth 3): C:\Users\Admin\AppData\Local\Temp\{3C31685D-2062-4A57-99E5-1A2AB562CBC7}\_is82F8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C530ED2-7C15-41A8-8CC7-B6D994B14321}
PID 4948 (depth 3): C:\Users\Admin\AppData\Local\Temp\{3C31685D-2062-4A57-99E5-1A2AB562CBC7}\_is82F8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{103D2A1A-8075-4421-8DA3-F5516EECAC9E}
PID 2916 (depth 3): C:\Users\Admin\AppData\Local\Temp\{3C31685D-2062-4A57-99E5-1A2AB562CBC7}\_is82F8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4EA2FABE-35E8-4C1B-8EE4-433AC7783C1E}
PID 3380 (depth 3): C:\Users\Admin\AppData\Local\Temp\{3C31685D-2062-4A57-99E5-1A2AB562CBC7}\_is82F8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{96554FE6-999D-4053-AD2E-AE554DA64D5A}
PID 532 (depth 3): C:\Users\Admin\AppData\Local\Temp\{3C31685D-2062-4A57-99E5-1A2AB562CBC7}\_is82F8.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EED50A27-1932-4E5D-818C-6026ADA473CD}
PID 1704 (depth 3): C:\Users\Admin\AppData\Local\Temp\{6B82176D-6536-46B5-B91F-CD805BEBF3B1}\_is9F3B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B7CDF027-8186-40A7-B485-753C3909ED2F}
PID 3508 (depth 3): C:\Users\Admin\AppData\Local\Temp\{6B82176D-6536-46B5-B91F-CD805BEBF3B1}\_is9F3B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{79E8E965-8B88-453C-A719-97282F317418}
PID 4368 (depth 3): C:\Users\Admin\AppData\Local\Temp\{6B82176D-6536-46B5-B91F-CD805BEBF3B1}\_is9F3B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9D2BF48F-2066-4625-9529-A554ACD95078}
PID 4204 (depth 3): C:\Users\Admin\AppData\Local\Temp\{6B82176D-6536-46B5-B91F-CD805BEBF3B1}\_is9F3B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EDFBFA88-BD16-490B-B4C5-DAF62967A504}
PID 1580 (depth 3): C:\Users\Admin\AppData\Local\Temp\{6B82176D-6536-46B5-B91F-CD805BEBF3B1}\_is9F3B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2FEC85ED-4FE1-4D7E-A221-CBF187BDC504}
PID 2516 (depth 3): C:\Users\Admin\AppData\Local\Temp\{6B82176D-6536-46B5-B91F-CD805BEBF3B1}\_is9F3B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1E112199-CF23-4D2E-88BA-D35216AC95D9}
PID 5004 (depth 3): C:\Users\Admin\AppData\Local\Temp\{6B82176D-6536-46B5-B91F-CD805BEBF3B1}\_is9F3B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E24C3DE3-7E19-4527-8D86-CBAACFAE6BC4}
PID 5020 (depth 3): C:\Users\Admin\AppData\Local\Temp\{6B82176D-6536-46B5-B91F-CD805BEBF3B1}\_is9F3B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ED80B76B-0B38-4238-A372-A494A8F1967A}
PID 3904 (depth 3): C:\Users\Admin\AppData\Local\Temp\{6B82176D-6536-46B5-B91F-CD805BEBF3B1}\_is9F3B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0D32D201-8538-428C-963D-2ED4E5A8E3C3}
PID 4372 (depth 3): C:\Users\Admin\AppData\Local\Temp\{6B82176D-6536-46B5-B91F-CD805BEBF3B1}\_is9F3B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9A89784D-6D53-4AFE-9D6E-5E977829C8D2}
PID 3684 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.Evolver.Manager8.dll" /codebase
- Loads dropped DLL
- System Location Discovery: System Language Discovery

PID 2924 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.Evolver.Manager8.dll" /codebase
- Modifies data under HKEY_USERS

PID 464 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.Evolver.XDK8.dll" /codebase
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class

PID 4248 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.Evolver.XDK8.dll" /codebase

PID 2212 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.Evolver.Testing8.dll" /codebase
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS

PID 3188 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.Evolver.Testing8.dll" /codebase
- Modifies data under HKEY_USERS

PID 1504 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.Risk.Main8.dll" /codebase
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS

PID 4672 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.Risk.Main8.dll" /codebase
- Modifies data under HKEY_USERS

PID 2916 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.Risk.Manager8.dll" /codebase
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS

PID 8 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.Risk.Manager8.dll" /codebase
- Modifies data under HKEY_USERS

PID 4452 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.Risk.Progress8.dll" /codebase
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS

PID 972 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.Risk.Progress8.dll" /codebase
- Modifies registry class

PID 372 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.Risk.XDK8.dll" /codebase
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class

PID 2372 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.Risk.XDK8.dll" /codebase
- Modifies data under HKEY_USERS
- Modifies registry class

PID 1652 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.NeuralTools.Main8.dll" /codebase
- System Location Discovery: System Language Discovery

PID 1316 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.NeuralTools.Main8.dll" /codebase
- Modifies data under HKEY_USERS

PID 2936 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.StatTools.Main8.dll" /codebase
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS

PID 1640 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.StatTools.Main8.dll" /codebase
- Modifies data under HKEY_USERS

PID 3760 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.Risk.Testing8.dll" /codebase
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS

PID 4952 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.Risk.Testing8.dll" /codebase
- Modifies data under HKEY_USERS

PID 2460 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.PrecisionTree.Main8.dll" /codebase
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS

PID 1036 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.PrecisionTree.Main8.dll" /codebase
- Modifies data under HKEY_USERS

PID 4072 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.DT.XLUtil8.dll" /codebase
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS

PID 3320 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.DT.XLUtil8.dll" /codebase
- Modifies data under HKEY_USERS

PID 4372 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.EvolverVB6.Main8.dll" /codebase
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS

PID 3852 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.EvolverVB6.Main8.dll" /codebase
- Modifies data under HKEY_USERS

PID 1004 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.TopRank.Main8.dll" /codebase
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS

PID 3244 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.TopRank.Main8.dll" /codebase
- Modifies data under HKEY_USERS

PID 4296 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.DT.Graphing8.dll" /codebase /tlb
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class

PID 4968 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.DT.Graphing8.dll" /codebase /tlb
- Modifies registry class

PID 1280 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.DT.Core8.dll" /codebase /tlb
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS

PID 2220 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.DT.Core8.dll" /codebase /tlb
- Drops file in Program Files directory
- Modifies data under HKEY_USERS

PID 1872 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.DT.Licensing8.dll" /codebase /tlb
- System Location Discovery: System Language Discovery

PID 4568 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.DT.Licensing8.dll" /codebase /tlb
- Drops file in Program Files directory
- Modifies data under HKEY_USERS

PID 1416 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.DT.NeuralNets8.dll" /codebase /tlb
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class

PID 3352 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\Palisade.DT.NeuralNets8.dll" /codebase /tlb
- Modifies data under HKEY_USERS

PID 4868 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\OptQuest\6.6.1.16\ComOptQuest.dll" /u
- System Location Discovery: System Language Discovery

PID 3988 (depth 3): C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\OptQuest\6.6.1.16\ComOptQuest.dll" /codebase /tlb: ComOptQuest6.6.1.16.tlb
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS

PID 3616 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\OptQuest\6.6.1.16\ComOptQuest.dll" /u

PID 4444 (depth 3): C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe "C:\Program Files (x86)\Palisade\System\OptQuest\6.6.1.16\ComOptQuest.dll" /codebase /tlb: ComOptQuest6.6.1.16.tlb
- Modifies data under HKEY_USERS

PID 2264 (depth 3): "C:\Program Files (x86)\Palisade\System\PalGraph8Server.exe" /REGSERVER
- System Location Discovery: System Language Discovery
- Modifies registry class

PID 1020 (depth 3): "C:\Program Files (x86)\Palisade\TopRank8\TopRankOutOfProcessServer.exe" /REGSERVER
- System Location Discovery: System Language Discovery

PID 3532 (depth 3): "C:\Program Files (x86)\Palisade\TopRank8\TopRankProgress.exe" /REGSERVER
- System Location Discovery: System Language Discovery

PID 552 (depth 3): "C:\Program Files (x86)\Palisade\NeuralTools8\NeuralToolsOutOfProcessServer8.exe" /REGSERVER
- System Location Discovery: System Language Discovery

PID 4612 (depth 3): "C:\Program Files (x86)\Palisade\Evolver8\EvolverOutOfProcessServer8.exe" /REGSERVER
- System Location Discovery: System Language Discovery
- Modifies registry class

PID 3712 (depth 3): "C:\Program Files (x86)\Palisade\Evolver8\EvolverWatcher.exe" /REGSERVER
- System Location Discovery: System Language Discovery

PID 4860 (depth 3): "C:\Program Files (x86)\Palisade\NeuralTools8\PalNTSvr8.exe" /REGSERVER
- System Location Discovery: System Language Discovery
- Modifies registry class

PID 3672 (depth 3): "C:\Program Files (x86)\Palisade\StatTools8\StatToolsOutOfProcessServer8.exe" /regserver
- System Location Discovery: System Language Discovery

PID 404 (depth 3): "C:\Program Files (x86)\Palisade\NeuralTools8\PalNTSvr8.exe" /regserver
- System Location Discovery: System Language Discovery

PID 5036 (depth 3): "C:\Program Files (x86)\Palisade\NeuralTools8\NeuralToolsOutOfProcessServer8.exe" /regserver
- System Location Discovery: System Language Discovery

PID 2004 (depth 3): "C:\Program Files (x86)\Palisade\TopRank8\TopRankProgress.exe" /regserver
- System Location Discovery: System Language Discovery

PID 1864 (depth 3): "C:\Program Files (x86)\Palisade\TopRank8\TopRankOutOfProcessServer.exe" /regserver
- System Location Discovery: System Language Discovery

PID 5020 (depth 3): "C:\Program Files (x86)\Palisade\PrecisionTree8\PtreeOutOfProcessServer.exe" /regserver
- System Location Discovery: System Language Discovery
- Modifies registry class

PID 2184 (depth 3): "C:\Program Files (x86)\Palisade\System\PalGraph8Server.exe" /regserver
- System Location Discovery: System Language Discovery
- Modifies registry class

PID 3764 (depth 3): "C:\Program Files (x86)\Palisade\Evolver8\EvolverWatcher.exe" /regserver
- System Location Discovery: System Language Discovery

PID 1672 (depth 3): "C:\Program Files (x86)\Palisade\Evolver8\EvolverOutOfProcessServer8.exe" /regserver
- System Location Discovery: System Language Discovery

[depth 3] C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D39CF9E8-F5C3-4424-9567-07CB5A010F24}
  - PID: 3228

[depth 3] C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{28E3BDA2-1C44-4A1F-9714-6A0FC72F8CA2}
  - PID: 1596

[depth 3] C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8DB92B99-00B1-4E98-B293-49AF80C6BBAD}
  - PID: 4464

[depth 3] C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2EAC9375-9467-44DB-8DF7-EBADB93541E1}
  - PID: 4392

[depth 3] C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3CE83FA5-40BC-4F87-99E0-377728C61D65}
  - PID: 1112

[depth 3] C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AAFFE39B-BE5B-4DF9-AED2-2F24EF191132}
  - PID: 1920

[depth 3] C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DB4DEB7D-963F-4D07-BA76-49491E1CD225}
  - PID: 892

[depth 3] C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6FC432CC-A607-48F3-9F2E-16FB6781C982}
  - PID: 3900

[depth 3] C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9385489F-24C0-49E1-8871-C2961F139397}
  - PID: 2464

[depth 3] C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{572B1280-BCAB-4175-B37B-14C3AA57A797}\_isDAAF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{009D64C9-E911-4271-928E-23B3635D0755}
  - PID: 4232

[depth 3] C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{705B7349-24A7-4991-BD88-1D9BB401C333}
  - PID: 1252

[depth 3] C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E6BE3591-E5C5-4446-815B-40B94E30B911}
  - PID: 4596

[depth 3] C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DF86A027-6E4A-4D22-8C4E-2971C74B88E1}
  - PID: 4300

[depth 3] C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{42F79127-95AC-400A-A761-F5895B642BFC}
  - PID: 3764

[depth 3] C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A70AFEC9-25EB-47CB-8DF6-9A296B1373E7}
  - PID: 2476

[depth 3] C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E7ECBEF9-2C7E-4A54-A85B-E84E724B8965}
  - PID: 3496

[depth 3] C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7D190956-7349-4076-85B9-A303F298CCBB}
  - PID: 4552

[depth 3] C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0E4DE9DA-974B-48B7-90F9-D2C22EA9E76A}
  - PID: 4000

[depth 3] C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E503C6E8-0FE4-4B86-8397-B7EC309206B5}
  - PID: 4948

[depth 3] C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{6BDD6E4F-276E-4BA4-B494-7F12674F5DF5}\_isDE88.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9361FF1B-169F-4E98-A6D5-69D2B0BCC8A0}
  - PID: 1100

[depth 3] C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1D970723-3F29-4C07-8CE5-BF947EF18364}
  - PID: 2092

[depth 3] C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C9D2A936-63F2-40BE-B367-C3C9C8F693D1}
  - PID: 1484

[depth 3] C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F32F2DE2-CC3A-4A4B-A9D5-6CF2772413D5}
  - PID: 116

[depth 3] C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{69E6C720-05E5-4070-8BCB-5C801B00CD35}
  - PID: 2988

[depth 3] C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C1BAAF9E-7058-4102-B064-AAA594516B19}
  - PID: 2656

[depth 3] C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2119C46E-5499-4F51-898C-5FC727988A61}
  - PID: 2344

[depth 3] C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{00030869-4597-48BE-BF5C-7E1B4598C34F}
  - PID: 904

[depth 3] C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{95E2F86C-E894-45B2-8E18-4628D886017D}
  - PID: 2136

[depth 3] C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{68CCEAA9-CCFA-4518-91F8-AB4151A43642}
  - PID: 1252

[depth 3] C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{47641A19-5B4E-497C-8C72-35EDDB104DEB}\_isE224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C74BB05A-2605-40BD-9D3A-E54DEE1E7CF2}
  - PID: 4596

[depth 3] C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DF624999-FB3B-4609-823D-7A7D4475CE71}
  - PID: 4380

[depth 3] C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{34D8B236-9DCC-4D99-B81A-144D1782B281}
  - PID: 4552

[depth 3] C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1F6EEC61-E458-4DC6-AFB3-B2317175C024}
  - PID: 4000

[depth 3] C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{82A95484-87C8-413B-A759-E0E09FE53CF5}
  - PID: 4948

[depth 3] C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A0D391EE-D232-48C9-AE9E-1BBD8E66B0CA}
  - PID: 1464

[depth 3] C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{51F65BF2-E6D8-4055-89EE-771BB89BF149}
  - PID: 4976

[depth 3] C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{953B5D21-2482-458B-82F3-CAD1C18C9FA6}
  - PID: 4556

[depth 3] C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6FB03BE1-5536-4BA6-97C9-3B7CE651BF3C}
  - PID: 4816

[depth 3] C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C4ECE292-3011-4791-B09B-2471327AE068}
  - PID: 892

[depth 3] C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\{CE09112A-3FD7-4A7D-8163-97DC7520D189}\_isE3DB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3401F6C6-1D9D-4331-B1C9-C2175B14AC08}
  - PID: 3900
[depth 3] C:\Program Files (x86)\Palisade\System\PalFlexServer8.exe
  cmd: "C:\Program Files (x86)\Palisade\System\PalFlexServer8.exe" -Server -Installer
  - System Location Discovery: System Language Discovery
  - PID: 2976

[depth 2] C:\Windows\syswow64\MsiExec.exe
  cmd: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\RICHTX32.OCX"
  - System Location Discovery: System Language Discovery
  - PID: 4744

[depth 1] C:\Windows\system32\vssvc.exe
  cmd: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - PID: 2768

[depth 1] C:\Program Files (x86)\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService.exe
  cmd: "C:\Program Files (x86)\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService.exe"
  - System Location Discovery: System Language Discovery
  - PID: 2000

[depth 1] C:\Program Files (x86)\Palisade\System\Palisade.PrecisionTree.Launcher.exe
  cmd: "C:\Program Files (x86)\Palisade\System\Palisade.PrecisionTree.Launcher.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - PID: 2792

[depth 2] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  cmd: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - PID: 2916

[depth 3] C:\Program Files (x86)\Palisade\System\PalFlexServer8.exe
  cmd: "C:\Program Files (x86)\Palisade\System\PalFlexServer8.exe" -Server
  - System Location Discovery: System Language Discovery
  - PID: 940

[depth 1] C:\Program Files (x86)\Palisade\PrecisionTree8\PtreeOutOfProcessServer.exe
  cmd: "C:\Program Files (x86)\Palisade\PrecisionTree8\PtreeOutOfProcessServer.exe" -Embedding
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - PID: 4380

[depth 2] C:\Program Files (x86)\Palisade\System\Palisade.DT.SoftwareUpdater8.exe
  cmd: "C:\Program Files (x86)\Palisade\System\Palisade.DT.SoftwareUpdater8.exe" 3 3 8.6.1 21 8.7.0 365 False 8/8/2024 1 https://update2.palisade.com/updates/?pid=1400-i-8000-r&devid=0 -1 False False 0 132060 9
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - PID: 3080

[depth 1] C:\Program Files (x86)\Palisade\System\Palisade.Risk.Launcher.exe
  cmd: "C:\Program Files (x86)\Palisade\System\Palisade.Risk.Launcher.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - PID: 624

[depth 2] C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  cmd: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - PID: 2316

[depth 3] C:\Program Files (x86)\Palisade\System\PalFlexServer8.exe
  cmd: "C:\Program Files (x86)\Palisade\System\PalFlexServer8.exe" -Server
  - System Location Discovery: System Language Discovery
  - PID: 1796

[depth 3] C:\Program Files (x86)\Palisade\System\Palisade.Risk.ProgressProcess8.exe
  cmd: "C:\Program Files (x86)\Palisade\System\Palisade.Risk.ProgressProcess8.exe" -2147483648
  - System Location Discovery: System Language Discovery
  - PID: 4556

[depth 4] C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 1560
  - Program crash
  - PID: 5920

[depth 3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://help.palisade.com/v8_6/en/Guides/@RISK-Getting-Started-Guide.pdf
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - PID: 4248

[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ff9c0c646f8,0x7ff9c0c64708,0x7ff9c0c64718
  - PID: 2184

[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14691379153677733008,11878536667755775541,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  - PID: 2036

[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,14691379153677733008,11878536667755775541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  - PID: 2520

[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,14691379153677733008,11878536667755775541,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  - PID: 3888

[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14691379153677733008,11878536667755775541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  - PID: 5004

[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14691379153677733008,11878536667755775541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  - PID: 2468

[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14691379153677733008,11878536667755775541,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  - PID: 4052

[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2124,14691379153677733008,11878536667755775541,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5224 /prefetch:6
  - PID: 224

[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14691379153677733008,11878536667755775541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  - PID: 3248

[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14691379153677733008,11878536667755775541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  - PID: 2372

[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14691379153677733008,11878536667755775541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  - PID: 5292

[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14691379153677733008,11878536667755775541,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  - PID: 5300

[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14691379153677733008,11878536667755775541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  - PID: 5464

[depth 4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14691379153677733008,11878536667755775541,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  - PID: 5472

[depth 3] C:\Program Files (x86)\Palisade\System\Palisade.DT.SoftwareUpdater8.exe
  cmd: "C:\Program Files (x86)\Palisade\System\Palisade.DT.SoftwareUpdater8.exe" 0 3 8.6.1 21 8.7.0 365 False 8/8/2024 1 https://update2.palisade.com/updates/?pid=1400-i-8000-r&devid=0 -1 False True 0 263124 9
  - System Location Discovery: System Language Discovery
  - PID: 4232

[depth 1] C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
  - PID: 2792

[depth 1] C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
  - PID: 1596

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4556 -ip 4556
  - PID: 2884

[depth 1] C:\Windows\explorer.exe
  cmd: C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - PID: 3732

[depth 1] C:\Windows\SysWOW64\DllHost.exe
  cmd: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  - System Location Discovery: System Language Discovery
  - PID: 4376
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
460KB
MD5fa45b632e47b25285afd64eae0862555
SHA1af46d56cfa568105c289f1d3e82abf5e1bfb2373
SHA256e061d48993688989d341d43610a14c6d098b742153a118ad70947f501bb89a1f
SHA51255c166d534f8739aecccdff7300b2454dda6ae80a44c50351d56ccf99fb376dfb2319ef09ed7703066a76ce243ab24eb095777753896aee71721c6e369747f2c
-
Filesize
340B
MD5fc26eb1a48777464babd0325ee2bc13c
SHA136bb308af0215a04318f3026301cb70a33590032
SHA256f443a0cca74e71fc190928e2923baf493a9175daeffa94a709bb916610d4b220
SHA512c7eb1773e14cd59e6d608b1ff830136c371ee952d5f3a9b96def35163e1f1ead92fb93f86ca9f346ca2eab2c54caaf7e9c9f54449c96b36c12334b9cc3272cc2
-
Filesize
380B
MD5913e6e083fe41536ded2c046ebfa7ab9
SHA1d9ea56d2f480605351d441a203ef078aa2664e9b
SHA2562febd04c771562610e3a71050392265015b904ea0ae9a8d1f243cd708a196e6a
SHA5124e8749cd661dc5710d676952078cddcbf7cc498fc7eea67fe3651829f6e4989f53a1441fd3cc6d6af61e6240cf8c06868990b15161521c279b7ce6140ded0cba
-
Filesize
405B
MD5066ac70d36c8366513498d5bd1affeeb
SHA1c4cf43b1ace6d981c1a6250445ccde4c3c266e51
SHA2561d785931bbd20c2a606f3994fa6dfd4e73d531683573cf35d103f1e636ee3f71
SHA5123c9f37e589ca851133b3d99a62665c1006ea48b6c81b396cd66514ad6c18397ffe14738094194ee026b284517fdcbf5bf48b65d9ca22f088b7cbced486cc43a6
-
Filesize
111KB
MD5c92997d1d8a43006a95138be1030c011
SHA14d04428eecce6fe7faad36d7eb430c0ba55861e2
SHA2567f459caee68b81703d3c6bde87d3d50524606b89c8afcbde89ed9ef2eea8a0c3
SHA512c092e93955821e78322a69292ceffabfe1cf4ac1ade23202e1abc098f918504d80c1f12c1bbe7a9eab6b30b5736756504af8d8ccb751e55bea03c21a93fec224
-
Filesize
111KB
MD51cb660ce4f4c53255c36f48c92f9727f
SHA140368a284b4bb09796c23d54e9ea72e594887704
SHA256da42ca8f52eac1de8d82aef49bd737139118ea9a9e3863ae63e30d2a2ad5df4c
SHA5123e8509525784c0257b8b58c8789e9453841e0413dffd0f61e6968c0a9083d320b45bdb12700ec7812131f6d0ceed4fe10ed9892f24fd0dacb03edfdd0094030e
-
Filesize
111KB
MD545a1cbbe06f78a07d758e30a59d3f1e7
SHA1d4cb4f1758e4bc1889d01469635c862901a2132d
SHA256fe43a49aec222d42fb4b14d1bd6ae22fbae09b9ff1245f882b621a901e696cde
SHA5123b713f9a7b4458355d3b71be2201b7a5375ec86a0a637dd0bd0fea81d7ab7ed0be0daebfc04ed217a80373957382623b3310909ba1a99f4e07956e33c5ac97e9
-
Filesize
111KB
MD5e6bbe91df1d0d3e295e3df8b70b62c6c
SHA13b76c7095c037bebd9385a385df70809ec62b7f2
SHA2562cb5963b40092ca6c7507b5eb4feabaf36119da7ef32513478442e9ea057de80
SHA5126f44dfcbebf138108c9d76ade55f9c803fd190bde98d83ba7a4a8629435db6a38d2133dee48513ebbedaa4a457200e40f57050048f58c10a14f29531a3718229
-
Filesize
111KB
MD5e5179888e05ef9860c23dc5124e379d6
SHA18c0a08117a19efd8602eb16b2a47f935026487de
SHA256c92549f2888378f270d95269a866199238f4fce32ac5445cc96e70963e33b062
SHA5123437ceed9473a826ee0190c528daa8e9595a5ac56a7dcbf0489ff940a09e11db55ee09ea479063c2b8b3b039b55b06c3a43b6933b9191e2fb1cf08b440c11c1d
-
Filesize
111KB
MD52f90ac665b9bd329daab06afa397f913
SHA1fa8d60ed4345fbaaf8abc3f49499c701afde95b4
SHA256a85404c8446939060318417b1f51808b728dea752f9652d7749213c2097a4b07
SHA512be3a220c850a7bdf4244bfc9fe0f7c4cba471472ce96f9f752f7f7dadc2cb1bfb9ff59ddedb52ac00fb61529d3502676100a2ede2cccb04b890d54bedff7220e
-
C:\ProgramData\LexConf\data_D3C4F66AC5DAAC424CF7BFD1B3B3AB7B1B48CB5AE1247E213FD87838EA9A21E3.conf_temp
Filesize3KB
MD5594ffeefb97d912c0930bde3ac82843e
SHA1c5588b10465e44f6c21080ee4d23fed04ccc1dbd
SHA2567fea1170df22413d0b64735b3697a9d679a7671489ec1b406559d4441071f65a
SHA51228a9779490c8ec6cb9e8d11fc25663fabbf2d8d503b8bdeabc5700f7492cec261568df072370a0e144030e63a3d1155268c276f1e21fe06c3e2701fd5a8d90f6
-
C:\ProgramData\LexConf\data_D3C4F66AC5DAAC424CF7BFD1B3B3AB7B1B48CB5AE1247E213FD87838EA9A21E3.conf_temp
Filesize4KB
MD5a361f6acc23e0bae5d0bd58fa8f940d4
SHA1c77dd99626f8c762e8220ed6a70396536ea43ea4
SHA256fc7b9b54e6115929b6e450cda1d3ae733712d3f08f0ee3bba3a51d7d71ac1e93
SHA512de023aafe7947172730b0849328829669d80a89b1b7846a1aa5528e32338c696485c786e5d3135b0b2121980e81260d45e38972c7c7e795247a07df44e3e5ed8
-
C:\Users\Admin\AppData\Local\Downloaded Installations\{4B0ACB22-5840-488D-86C1-47907D43E537}\1033.MST
Filesize20KB
MD5224488ca46d31d75ec1273c18c86c2b8
SHA19b4fed8c4fc1ae2177dcdc1d7cc299f2db13a658
SHA256b37d63916ed99404f2b1222e8030cdafdd78c00511ac269aac1531aeb0235e28
SHA512118fe0337e1c96d6a1ee472f0c6f0862e09c946f4f721c5cbbc9911bf34391b61fb566974562f5a1725f8f47863d3d27e839112b68dfc21dd7eea9e19055e767
-
Filesize
152B
MD538f59a47b777f2fc52088e96ffb2baaf
SHA1267224482588b41a96d813f6d9e9d924867062db
SHA25613569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b
SHA5124657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b
-
Filesize
152B
MD5ab8ce148cb7d44f709fb1c460d03e1b0
SHA144d15744015155f3e74580c93317e12d2cc0f859
SHA256014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff
SHA512f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4
-
Filesize
185B
MD5b9be130fb80dc98ef072621c6b71dd51
SHA1a106366a39b407e277ae6315919b0eb351dd11aa
SHA25621de0dc58c8c397205017dc4045088277ba37976e57704529f941b7afb8f455f
SHA51285a7d59882d7437f312200108f532f17f4d9a11aff8729ce9b0fd1483f2edbd2d2c7a5384e2e496982c7689cd664ad98e0fab30faf3809b2ea3ff7de4dfedb93
-
Filesize
6KB
MD54c59e8172ad864c9bb570556b99df249
SHA10d11793f2e7dba010750a7eabecce4c17e22083c
SHA256deded9f2da39ab2fde97d1a735a6e69df2e4991e4ff1ad3f4e61eaa972ae0525
SHA5125ee5634c329b2966eca0d06df87d1adb1208e2c905b92455c1d0d1f743b56f8f11b2c9cef36d8aca900aa0670cded75a1a21061561cbf9de8d6d81af4eddb143
-
Filesize
7KB
MD56feab0e0d5b5696016d8e389fc54cd1d
SHA18543613d1985403d86675529269be007f10a6449
SHA256be7f24673ce5f49032b31df3e83445bb3ba036264771c5b153d0b5dbe5ff2235
SHA512c5161124012fdbca84a187e53c79a237851fb28131b622705b18557d6a11bfde180a3273a36121f9d96f46cbcd0e04d4f75aa894412bfe4f5fc110775860f622
-
Filesize
6KB
MD52d180cf7bbb030c7ce2385dca9270d27
SHA1137f4581b70964ae60f2183f66f6bf8cf0b73ccc
SHA256ee4a6315d2b70b820bee15699fdd9208b834160d3e48595e4703d79f6b7109fe
SHA512efe979bd126bae881fdbabfc988d57d1e816f547c1d60c49eeaec008d455a9712a079b1f4e09ab40bda2e2442f2f2e7bd3167e736ee81ba0410e1a1fca9f4a4c
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD5461a2901551542d13d761588ac6b0464
SHA139aadec66ddb211328472340713f253637c52624
SHA256d499b5fbae498bb0045351426b8187e52ee771159a278faf05522e139761b495
SHA5124ac2c0107635923da8444c225ff154b0557b9b39260c489a327e68a857537864f491f80a2969697b2ddc47507fd5582ae950462446d78cf7e8b37411ec543ae0
-
Filesize
11KB
MD53510cb3ddeb322623c682cf7ec5d9862
SHA185fcaf9cd624274b5372dda095499f1e20144896
SHA256a668b82d83a64b77ba1da891ef507a43d3f3f5190b12dad8b9794e06d006dfd2
SHA512ab9881706f5ee6907148af0946285c28eedf6ecd4e037dcddbc95057a4dcabe231f50695d4eb3c68558ccbfea966c16148f81d23c86bd3e538ebb11e1725698c
-
Filesize
68KB
MD532ec7afdf202de5b634318edc602ad15
SHA156d8b59b7a07ee2cafda0dffc564f3e2065580e7
SHA25666ab97db98446da4b4d441ca26e16ea13988774b4800999b3653d2360f14da08
SHA512117742502ca227d06a82378d7fcdc41b8d90138fb09aa8dfebac8ef6835e1bb5e78da9f0c4550d9025a00367be8ddd0fc96d65a37eb8967e27809541f60eb43d
-
Filesize
832KB
MD5913b6675436bf50376f6a56a396e18d2
SHA1d3298e7c8165bdb6e175031e028f5a146bda7806
SHA25674248f11d83559298aef0396f1d44e3f55f02dfef82c8a3b0678138d65989fd7
SHA512281c47b4cd23481312b783e591a575d73697f7f4063800513227bcf1730da0e81789662a64f9746512f9782084105d5a6a7b60728ffbc502e306c82c9f99e166
-
Filesize
649KB
MD5a3eb9f540bde891d9d2e28fb901a1d5e
SHA116cf52a5ff4197e060a4e980e11704351c6f9206
SHA25697143ba76bd65c8dee43da06ad1063741a97fc64efd3788e1257cf9d80e827f1
SHA5127e3b6a5f3a55c306d210d3012d668bf4aacc5e1e63e5e1d6cf752a622d16167f1fd205cf87ddd65af0a3631e233791a3206983d9c24f7a19fe9f75bf355d31d0
-
Filesize
1KB
MD586661dbdae2c3cf02983c9180a9872a6
SHA12807d8594f1143436bef51ed9488de475437304b
SHA25648d49a5386cf4c5d0aa28c0082a9301dfca52a93c137c1294ed41792d007f94d
SHA512589db43fb9e7d889648f7a1a90c7985c8ae2974c668b198f7eeb363888979efdc1f1fd9579c491f361449724e247326db4944774c0ba65dd6be12cf5f6e32f1a
-
Filesize
3KB
MD56de7f441d4361338679776373cd43f03
SHA1e07aea31a8c6f9470d6f646b9de6ef994f958b2b
SHA256d629a3c2647a388259ca1306f6948dff11b71800e740d32c94e3faf36227193c
SHA51210195b2319413d757f17f5ab41d8c8746c5a3ecacdf0eeab4ff963dbfccc9aa5ae2dca738f8a54aaaac038f3bf403f7779c362c0ee78d8b784f53dd43da990f3
-
Filesize
4KB
MD5ebb045dcda1ba652019d3b1aeb290c02
SHA1ffbea6ba1a65610bc948aa069b8f77b4536ccf63
SHA256f02e4bcd9ab4aeba69f17ef23bed04c28a91dc7a72cc250e86769a4c9a8d7538
SHA512f69d42bbc0161af78e9c1fada0ef17133642478c28e2ac7a967708f13f8dc28b80f329895738befb8d6a4b3e5ca7a682dca2b15e438ee5e3d313f695df6671cf
-
Filesize
2KB
MD59dd52685b36a75cf38a0a24157943adf
SHA164d6fb810ebcc0e89234cbd68f03362de801ee75
SHA256a31c12fa03af7bd7f83ff7c417f71688120f3323839381ccff079fd6ffa91f81
SHA51216f8c8b488f2addacdf37c6f4271221f1beb2603228a7efb31d02996cab4e3d0d3997ee841be3d6886080ff6b2eae25e32f263353bc4b2b03ed10d64104f1fc7
-
Filesize
3KB
MD5c7229f4de8c0769de404338486be8171
SHA1c83610f430e3fbc0503af7582ef56155a34a731b
SHA256db18ec84e70d76a562ac089e84058c133bc0cbc78a1657fa6f973522066e3a9b
SHA512b3f57d3fb35164c9bec20a47b8a36f9a573390f2b3888de398d65c3e397f4f76ded9678bd7156eede08fa6b571c8e23e0074feb1ea835a73452b6c73e477d901
-
Filesize
4KB
MD546112fd625c1423736268324133fb14a
SHA1934b914ac3839398e3f94262cf08f21f105fef5f
SHA2566aa335815004a7bc6e10bd930e9a304194aa13d542cf87d627d158a35a47777c
SHA5123399097d99a8a874e66c6f8b4b191ef2cff230cffa81700aec82b80ce0b959a5ff49b424039e8639084ebd022d4970d1be86a017c45eade277ff21ff348e870b
-
Filesize
2KB
MD5d1b4e9eb2b687a139f26fd08a4b40dd8
SHA1947e65922d6f53a4a594c663698357bfaa1c2494
SHA2564da8f2b3c19b323791e57fa58b2da88d5208d24bd4211efae19ec0472344831d
SHA51207dde545c8bfc96ae6c8ef4dc38e6e3bb3a168e077efc86975752f253642253b147a42625eca43147b2fc09ca95ed619d4e62f4bde6df71a115382489ade8610
-
Filesize
4KB
MD555be70bcac9d07e8e9dba5dff47d8e06
SHA1c149678999668f4b8e01f47e1741e0f53d60b03b
SHA256b304f34c397514a8fa5cf56abf5c454c1e198920d4751fa97972cff6778bb6f7
SHA5125983e3518eec6bdfec11cb8ce0fe6a53795818d849d2683c28a960e2fb717a722264aa27134ac5734db69acbb10c56f20a42eb04f0a4c8bbc953465159ceb349
-
Filesize
55KB
MD5f0c0daf027ee09a9d9b582a2a690ab73
SHA131631cfa74165d80ff09faa20c40ab5915bfd3b2
SHA2562fc577aaafa555d598d98cd489480874d9df8d4e952e440132d443b607a25733
SHA5120415474551e915df323b670088dd1590c6b3e6068fdea3e78dd7e03609e153808b440401bfe494303d408c6970efa0eaf3933f4f57133c2480e52e5d096fb65a
-
Filesize
56KB
MD5b24463ca681777644a3f8763adf44a11
SHA1c0e6237501109e884afd129f7f3dbd96c393480f
SHA256424a54ebf67f65ccedba4d29b7e084d1330a956dca3a7d746e1ab38604354503
SHA512e487fda17b255204d05dc8ab450e3a6dfc7ee62565f68e3e88a1cfa17bdab0cc819926b8ec748b3985c2f3ca8a12751ce2cf3bff277d89e341ab86c2da9df740
-
Filesize
53B
MD56be5d0719f8d9f2ba45eded9b23eb070
SHA1a22ffe924216fd9a38100d7af62f05d9201f2d49
SHA2569a658b8910d5b8605ac82b65d5addc9ea47ff5a00e4afef2287733d06d2c9442
SHA512999a94c4af96af4983f717879589a833bc6a6b3f90716f18c8d23f4ce5379c59174d0dd165d9443fd1e55f108863ba4e9e7cd9e85ebd1ed12c03aa2c2bf09d11
-
Filesize
3.0MB
MD5
2c7c549edd5e1e473a62a12bfb1ad6f4
SHA1
f6c40927f79a5780ffde1e970893d0435a6c2acb
SHA256
5c38ea9e7ca8177346f0a7d7c99148e97f331c52b58a1df71db92b9e339deb62
SHA512
9c1454806af469678462bfc72323bbad937876460a12340448cd684fd3504a2e5f332df451655a842024d148299f57482a0c0e4c88577cc2193f88b8f3eb0940
-
Filesize
680B
MD5
66ed2505e35a9815b9f222af32bb0ae1
SHA1
19324d9652daf22b58a7ba7a717e1f93aa940d37
SHA256
42b1f0a07bb69d8a7ad7bd3dd51f73dcdbe714d6f4ea094fd113d22f56666b11
SHA512
3daafda994115773d308824799472bded3550873827f52dbff0abb2734cf9473a9c6c110da8c010d690396798b897e7e1a52a302879337e43a9095982c69c5e9
-
Filesize
20B
MD5
db9af7503f195df96593ac42d5519075
SHA1
1b487531bad10f77750b8a50aca48593379e5f56
SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b
-
Filesize
22KB
MD5
1196f20ca8bcaa637625e6a061d74c9e
SHA1
d0946b58676c9c6e57645dbcffc92c61eca3b274
SHA256
cdb316d7f9aa2d854eb28f7a333426a55cc65fa7d31b0bdf8ae108e611583d29
SHA512
75e0b3b98ad8269dc8f7048537ad2b458fa8b1dc54cf39df015306abd6701aa8357e08c7d1416d80150ccfd591376ba803249197abdf726e75d50f79d7370ef3
-
Filesize
25KB
MD5
b216bc7b827622578e60b0b37ce9c4c0
SHA1
18eb706aa172440c783382fb317dcb2ef7d04e2a
SHA256
4e42d96cf24224d3ed43e7e14227b96fde3b43235636480f8861db0b048ffddf
SHA512
e4211ee47bccf98369b7760502cc04e7c036e7ee8eb8a29143519c35cf5295f9984ee8de1fc8d7e93352119f9cf5fcb3412b7e3749b1540fd38af7d996ab0700
-
Filesize
272B
MD5
b42097b870d56e024bab2fd10a414163
SHA1
34126aa3a482097ff259a5e48b5fae8276f9a146
SHA256
87f51c0696ec7a8e8f2969077d5ef611d91aa07d75960ea8553232c95767c8e7
SHA512
95003bf9bb97a49d54f30c013dbadb6e157c69814a08a018190ea02561a6bd229c90f8bd467887786baeb1de8e1ac56b0ac5597a69bc0561632b914165138494
-
Filesize
680B
MD5
1276c966e7db6dfe06ae30ef2bb93257
SHA1
a54dc69596a021c45c8d7676f5688e52ca94e3a3
SHA256
93020ce8cc74ca2d72f12166bed3b04e590dd36836dd5ac4cf2aea2ddf07bb5a
SHA512
a8999adf09ff134106bdde49de6317a73f6dec62fe5df439d61cc1fbfc5e469813e605d633c02a28620bdb8c49d8ba8d05ade03aecfaab50523ca1989081072a
-
Filesize
1.1MB
MD5
ff43031211486580947f25f293b8125b
SHA1
31030ea85fce86a7679f80771838d58df631c28c
SHA256
423d365b5737f925019c17b478a515b488cc55ea990e6ebeb9a77cdc7e2279e0
SHA512
42196211580f2e22fd53dc29f9ce6d560a8cef2e2dae27ce5f5e77457ad9806b66df09aea6c27dfd2fbb781a975fa1c144e215d776ba31b6b9babbcc56190b1f
-
Filesize
200KB
MD5
a91ba613bbedd1a747aa30429eb5ef9c
SHA1
d8ef050068ed45aff403373c1927a66d329ab1ff
SHA256
e045e762a7f0fa0a4438f4c8380bf9306c427d0a026e7f0727d7121eb8de5bdb
SHA512
9081828c796212b3005cd8e92d0f7a47107e6672f37c05f476cdada175f143a4f1c808a2c1ae8755851448ed64c2eebdff1de2e8453be359319d38229accf05b
-
Filesize
198KB
MD5
28857f9a5dc8af367e533076267f5b4d
SHA1
ddf08d6ccff46eb14a9441dcd5db0d9c08b424aa
SHA256
9523ee07e5591102b16b48a9d7059ddaef997adabac0430d1c2a660d5a45e4ee
SHA512
8989f6d28d02f3ae5fc494c4d8a87f9d2fd252dd468418c8410b3dce012ab2913f791f20e020260df294fd2b43d754cf3a4751d1e803825d432202685e51ba1a
-
C:\Users\Admin\AppData\Local\Temp\{6589D08D-F969-406F-AB42-C261A80B99FB}\{0F8E2D92}\_isres_0x0409.dll
Filesize
1.8MB
MD5
8afdae8fe83d1a813b54e48230aed2db
SHA1
ad456e1f5440dbd40d9e7febbde0bbb3dff3ae4c
SHA256
d79fc7fdc396927dac03419eea2f9a326c920a094074eb070aca712cdf0629c6
SHA512
fce61a6f14af69495992e6684d821db8332069651ec0c4a47c09e953362b19a5cebdace32e07993533ca0cda8ad6be9ca89ff6c13d4ff5a8b637897c4b5f5bf4
-
Filesize
333KB
MD5
536ead0256dea9f0800c3bafec18f376
SHA1
3943cb5a38f4bc1360ac6933d584b0e3a1a0f49f
SHA256
e5df8a434654ab12c5e8b822f170ffb18ffc83d3e5a73ddd06d1cfb87c8e38a4
SHA512
ccc0505dcf2194f7bd24e2295171a37a3b5c9430dca7a65c5b68d116f70aab5290e383147ec87d564916e9e5f79ecdeaf00b78ebb5b32788bafd2974986d8d30
-
Filesize
736B
MD5
b262d5260776f09078750efc068c50d8
SHA1
6d3ebc4f6774db9d8c940dcce71221d172b0b3e1
SHA256
eefd23ba59d08891d0f98ad7898972d5998a6f8fd3f9ff02c8414420a0df76f2
SHA512
f4a72639738ee982b6f8032d47a948845f7b7e8c1604f891a8fd25005d3b1984946db008d2d3acf957250f79ed12a90393ac87efdaf1747ffb8b059795037f5a
-
Filesize
6KB
MD5
583bfcc4f65dad72aeb529fbf691451d
SHA1
2bf1ee1ef6e4d74fe9d04fff8f7ff7fb9e08da45
SHA256
12589f3551d3b585d8d3268f0263bad747e8e1ca223412733406f0486d5debef
SHA512
ff4f1f8a6dd5e3e7365dc6739573634a0581ab3ba407ab1a2ad3524e90abeca10aea5ccb77ac9be54b6a9f23f973b35a009348f2cfafc23193f8d8fc3ad187e8
-
Filesize
10KB
MD5
eb47c190f4fd1b9277f72e3f34bbd5c2
SHA1
7a69b4b29e38703d83c8c347b9589dfd13d719a2
SHA256
f2bfee06550fc5efcb65200cc2fcb765aacf2de268671ac2407f870499f05b87
SHA512
3bd2382afa6376ac7f7f9a66ec4c18abbceb4a1ae78b3a59827280f1ceac58b1832046e600b6a0f94dcff82764e9411b5facd0a28db7e219b55accbad6b6e619
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize
668B
MD5
62ba25b0d80649bc932caf1066ec5458
SHA1
4b8123b9cafc1edf39880de49c4bfe1d63cfdbc4
SHA256
7cc515d2390a1ee473b51cf39907ab6c175ee9148b4585e5e76699795cddd058
SHA512
61c0348fe92f31e7d5179bdf8e0cbe09e0d165f373a6142b3f26c69618102117f63c1cb40f8280ab9ef978e0118656146defbb8996d96d7a06bd0f407104300d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize
668B
MD5
c3aad3ce0dac7b12917818c310d0b511
SHA1
09abb3b708fe64b2128004e3c085c9cdfc73969c
SHA256
ba2aae04ef4ce1c81c67a94fc0f7ff2b0a2d6f3e14dafcc5f7284da911692fd3
SHA512
150df21d0f63cb253f1d28343a77ca93e2a593f2d4f1f7481945ad9da102a39daee069f33fdc7e5b070d2d46d8193f85745585af6bd2cbddb95f9d17ca67c4b4
-
Filesize
622KB
MD5
cdbee49d4b9a86aae00a6d92d6d3823a
SHA1
c8d01f5caff9f12f1c332ed533d7d4f6148e8514
SHA256
3a6c03a81e2f535274f0ac876d06de1d30004a9a2cac800fbeaa05780efd59bd
SHA512
2c731f7c8a74e7f292afb3cbb180872d9435c46e310cf5773ac223790088105595a481fafe86847a8fc8f88be26108bf907958c244adae21145230024a4f4123
-
C:\Windows\Installer\{EBFF011D-73DC-4534-8D3B-A91F62BE1895}\NewShortcut12_7F26251EC52145C18BF10FFAB708FF59.exe
Filesize
319KB
MD5
3883b1a99c872340336f0314fbc5e39d
SHA1
998fd150a35d5307ed0ac29e0e6a2eb22fbdac86
SHA256
99a8f425a6277282ed4e990893ae0931cbac14e6098bcbf1f21942d0b87c04af
SHA512
ac8d524a796d44fd1f5b0b2d68c81de8d64e2a134d6feababea3b3b401f764fe560b18d83d410c706b71e09902725312f7e0ebc93c7d05eedbada867ac932b4b