Analysis

- max time kernel: 245s
- max time network: 254s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-08-2024 12:43
- Static task: static1
- Behavioral task: behavioral1 (Sample: RiskPlatform.zip; Resource: win10v2004-20240802-en)
- Behavioral task: behavioral2 (Sample: RiskPlatform/Palisade_Course.lic; Resource: win10v2004-20240802-en)
- Behavioral task: behavioral3 (Sample: RiskPlatform/RiskPlatform-cust-Setup (1).exe; Resource: win10v2004-20240802-en)
General

- Target: RiskPlatform/RiskPlatform-cust-Setup (1).exe
- Size: 271.2MB
- MD5: be2b654c77086aa5baa154d2f8639c5d
- SHA1: 5b36a274c86f1034c120f5a7e4a689125c609d65
- SHA256: f43c22f15b646ff3959c6f6f3da5bf98f096865190f35bca6a7dd7cad67a3dcf
- SHA512: 7bb23bc848a3573df1004804f7e400ab619437c11b38ca87f863917f600ec5287891dd4c51b946b2a9473ac1d26e53c5c5afb9bb4c1c71e2c30e7edf96ef1e79
- SSDEEP: 6291456:oZTrrpe49836sgMdytGmc3SVyB9ueg9hUKw0LNz+3R:o9/18KsHdytGmaB9aPUKrCB
Malware Config

Signatures

Blocklisted process makes network request (1 IoC)

| flow | pid | Process |
| --- | --- | --- |
| 24 | 4212 | MsiExec.exe |
Enumerates connected drives (3 TTPs, 46 IoCs)

Attempts to read the root path of hard drives other than the default C: drive.

| description | ioc | Process |
| --- | --- | --- |
| File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 drive letters, every letter except C:, D: and F:) | msiexec.exe |
| File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (the same 23 drive letters) | MSIEXEC.EXE |
Executes dropped EXE (64 IoCs)

| pid | Process |
| --- | --- |
| 3080 | RiskPlatform-cust-Setup (1).exe |
| 1400, 2132, 2148, 1072, 3196, 4452, 4348, 184, 3476, 1140 | _isD021.exe |
| 3344, 2172, 4888, 516, 5072, 680, 3056, 4592, 4460, 548 | _isD4A6.exe |
| 1336, 4588, 2668, 4296, 4064, 1804, 4900, 2740, 3764, 1272 | _isD747.exe |
| 4292, 3968, 844, 2088, 3768, 1076, 5044, 1864, 920, 2312 | _isDAD2.exe |
| 3844, 5116, 3780, 2476, 4488, 1232, 4844, 1928, 3132, 544 | _isDCF6.exe |
| 4516, 5008, 5104, 2148, 968, 3764, 1272, 3632, 3816, 4520 | _isDE9D.exe |
| 4560, 2696, 452 | _isE12E.exe |
Loads dropped DLL (30 IoCs)

| pid | Process |
| --- | --- |
| 4212 | MsiExec.exe (30 occurrences) |
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RiskPlatform-cust-Setup (1).exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RiskPlatform-cust-Setup (1).exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSIEXEC.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe |
Suspicious use of AdjustPrivilegeToken (64 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeShutdownPrivilege | 840 | MSIEXEC.EXE |
| Token: SeIncreaseQuotaPrivilege | 840 | MSIEXEC.EXE |
| Token: SeSecurityPrivilege | 3016 | msiexec.exe |
| Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (this sequence of 29 privileges is recorded twice in full, in that order: 58 entries) | 840 | MSIEXEC.EXE |
| Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege (start of a third pass through the same sequence: 3 entries) | 840 | MSIEXEC.EXE |
Suspicious use of FindShellTrayWindow (1 IoC)

| pid | Process |
| --- | --- |
| 840 | MSIEXEC.EXE |
Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target | entries |
| --- | --- | --- | --- | --- |
| PID 1840 wrote to memory of 3080 | 1840 | RiskPlatform-cust-Setup (1).exe | 87 | 3 |
| PID 3080 wrote to memory of 840 | 3080 | RiskPlatform-cust-Setup (1).exe | 94 | 3 |
| PID 3016 wrote to memory of 4212 | 3016 | msiexec.exe | 97 | 3 |
| PID 4212 wrote to memory of 1400 | 4212 | MsiExec.exe | 99 | 2 |
| PID 4212 wrote to memory of 2132 | 4212 | MsiExec.exe | 100 | 2 |
| PID 4212 wrote to memory of 2148 | 4212 | MsiExec.exe | 152 | 2 |
| PID 4212 wrote to memory of 1072 | 4212 | MsiExec.exe | 102 | 2 |
| PID 4212 wrote to memory of 3196 | 4212 | MsiExec.exe | 103 | 2 |
| PID 4212 wrote to memory of 4452 | 4212 | MsiExec.exe | 104 | 2 |
| PID 4212 wrote to memory of 4348 | 4212 | MsiExec.exe | 105 | 2 |
| PID 4212 wrote to memory of 184 | 4212 | MsiExec.exe | 106 | 2 |
| PID 4212 wrote to memory of 3476 | 4212 | MsiExec.exe | 107 | 2 |
| PID 4212 wrote to memory of 1140 | 4212 | MsiExec.exe | 108 | 2 |
| PID 4212 wrote to memory of 3344 | 4212 | MsiExec.exe | 109 | 2 |
| PID 4212 wrote to memory of 2172 | 4212 | MsiExec.exe | 110 | 2 |
| PID 4212 wrote to memory of 4888 | 4212 | MsiExec.exe | 111 | 2 |
| PID 4212 wrote to memory of 516 | 4212 | MsiExec.exe | 112 | 2 |
| PID 4212 wrote to memory of 5072 | 4212 | MsiExec.exe | 113 | 2 |
| PID 4212 wrote to memory of 680 | 4212 | MsiExec.exe | 114 | 2 |
| PID 4212 wrote to memory of 3056 | 4212 | MsiExec.exe | 115 | 2 |
| PID 4212 wrote to memory of 4592 | 4212 | MsiExec.exe | 116 | 2 |
| PID 4212 wrote to memory of 4460 | 4212 | MsiExec.exe | 117 | 2 |
| PID 4212 wrote to memory of 548 | 4212 | MsiExec.exe | 118 | 2 |
| PID 4212 wrote to memory of 1336 | 4212 | MsiExec.exe | 119 | 2 |
| PID 4212 wrote to memory of 4588 | 4212 | MsiExec.exe | 120 | 2 |
| PID 4212 wrote to memory of 2668 | 4212 | MsiExec.exe | 121 | 2 |
| PID 4212 wrote to memory of 4296 | 4212 | MsiExec.exe | 122 | 2 |
| PID 4212 wrote to memory of 4064 | 4212 | MsiExec.exe | 123 | 2 |
| PID 4212 wrote to memory of 1804 | 4212 | MsiExec.exe | 124 | 2 |
| PID 4212 wrote to memory of 4900 | 4212 | MsiExec.exe | 125 | 2 |
| PID 4212 wrote to memory of 2740 | 4212 | MsiExec.exe | 126 | 1 (list truncated at 64 entries) |
Processes
- C:\Users\Admin\AppData\Local\Temp\RiskPlatform\RiskPlatform-cust-Setup (1).exe (PID 1840)
  - Command line: "C:\Users\Admin\AppData\Local\Temp\RiskPlatform\RiskPlatform-cust-Setup (1).exe"
  - Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\{BDFEADD8-DD6F-45AD-A714-B1683C440410}\RiskPlatform-cust-Setup (1).exe (PID 3080)
    - Command line: "C:\Users\Admin\AppData\Local\Temp\{BDFEADD8-DD6F-45AD-A714-B1683C440410}\RiskPlatform-cust-Setup (1).exe" /q"C:\Users\Admin\AppData\Local\Temp\RiskPlatform\RiskPlatform-cust-Setup (1).exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{BDFEADD8-DD6F-45AD-A714-B1683C440410}" /IS_temp
    - Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\MSIEXEC.EXE (PID 840)
      - Command line: "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{4B0ACB22-5840-488D-86C1-47907D43E537}\RiskPlatform-Setup.msi" /l*v "C:\Users\Admin\AppData\Local\Temp\Risk Platform Installer.log" TRANSFORMS="C:\Users\Admin\AppData\Local\Downloaded Installations\{4B0ACB22-5840-488D-86C1-47907D43E537}\1033.MST" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\RiskPlatform" SETUPEXENAME="RiskPlatform-cust-Setup (1).exe" IS_RUNTIME_FILES_LOCATION="C:\Users\Admin\AppData\Local\Temp\{BDFEADD8-DD6F-45AD-A714-B1683C440410}"
      - Signatures: Enumerates connected drives; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 3016)
  - Command line: C:\Windows\system32\msiexec.exe /V
  - Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 4212)
    - Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 5BA7B9A58ECE630D6A542149B74BBAB0 C
    - Signatures: Blocklisted process makes network request; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - Children of PID 4212 (listed in the table below): every one runs from C:\Users\Admin\AppData\Local\Temp\{BDFEADD8-DD6F-45AD-A714-B1683C440410}\{0F8E2D92}\ with the command line "<full path to executable> {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{instance GUID}", and every one carries the signature "Executes dropped EXE" except PIDs 1196 and 3908, which carry no signature.

| Executable | Instance GUID | PID |
| --- | --- | --- |
| _isD021.exe | {70A613DB-7A54-48D3-A72E-99C483AB8457} | 1400 |
| _isD021.exe | {DE0BB4DF-EC83-4891-AD02-99E88D09896B} | 2132 |
| _isD021.exe | {77E871D4-AD47-439E-B101-4A8D2B400909} | 2148 |
| _isD021.exe | {71A7E793-8749-4190-AD02-E7AE3A134B8E} | 1072 |
| _isD021.exe | {0792E604-F9D1-4E5F-83CB-EF28DAE20135} | 3196 |
| _isD021.exe | {60DDD442-CC86-421C-9089-3272F7C51B24} | 4452 |
| _isD021.exe | {1FFE8479-30BE-4F89-A750-E646C0616192} | 4348 |
| _isD021.exe | {6F0E0DAD-38F5-48D3-B506-A9913AF1163E} | 184 |
| _isD021.exe | {BA9982B6-D652-4211-B864-E6E2BFD989E0} | 3476 |
| _isD021.exe | {D021F117-EA83-4462-AE70-E299F3E78A88} | 1140 |
| _isD4A6.exe | {74CE8622-9F02-4B97-A08D-AF5371DCC371} | 3344 |
| _isD4A6.exe | {092608C7-55B6-4057-84FD-32179C9C30A0} | 2172 |
| _isD4A6.exe | {0978FB0A-7DB7-4466-A39E-E5130940094D} | 4888 |
| _isD4A6.exe | {112FC875-0D5A-4528-B8A6-43299DB9C43D} | 516 |
| _isD4A6.exe | {2391C783-E40F-45D5-A0ED-014AB7806EAE} | 5072 |
| _isD4A6.exe | {C5747415-A731-4744-A24A-0B9153A530A1} | 680 |
| _isD4A6.exe | {E8D62827-0D49-4BC5-B553-CBB45011CB7C} | 3056 |
| _isD4A6.exe | {B721C253-42B0-4BF9-91AC-CE58E341B087} | 4592 |
| _isD4A6.exe | {E1704833-EBBB-432B-9E7F-CBEBB6C44136} | 4460 |
| _isD4A6.exe | {FC1883F0-0A65-4477-8F6E-7EC937A0A219} | 548 |
| _isD747.exe | {AA8A2BC0-DCDC-4136-A62A-C675DBCB0DE7} | 1336 |
| _isD747.exe | {58D7B7A0-E12F-4773-9B97-9F652EE270A1} | 4588 |
| _isD747.exe | {15E6FE25-6B94-4028-AD39-54FFFC54B7D8} | 2668 |
| _isD747.exe | {BF536860-77A4-4E6D-B556-53A8743916D1} | 4296 |
| _isD747.exe | {6CB00DD0-3150-474E-8995-45AF753458E9} | 4064 |
| _isD747.exe | {F3733F8D-24C3-4276-96BB-99C9267B2917} | 1804 |
| _isD747.exe | {7B60285A-E6FF-4C9A-AFF1-208DB06E6ABB} | 4900 |
| _isD747.exe | {7D657B9F-77A2-481A-B0DA-755C347DC394} | 2740 |
| _isD747.exe | {E95A1077-B8EE-40A8-BD7D-50FAA244482C} | 3764 |
| _isD747.exe | {CBBEE6DD-9089-461C-9E34-618A7ED4C0FC} | 1272 |
| _isDAD2.exe | {82484C2C-041D-41CA-8901-80B94033A0F0} | 4292 |
| _isDAD2.exe | {0D8882AE-5DD4-4A24-9602-F89D69B14AF0} | 3968 |
| _isDAD2.exe | {C07B8A6B-6CF9-4CEB-8A38-24EA76089A4C} | 844 |
| _isDAD2.exe | {57CBF5C2-8125-4407-8A2D-D35C4385ADC7} | 2088 |
| _isDAD2.exe | {E8FBAFEC-00E0-4B84-81E0-FE06E2059ABA} | 3768 |
| _isDAD2.exe | {7F696247-154A-4657-BCB6-56E3EEB4E536} | 1076 |
| _isDAD2.exe | {E04CCF04-722D-4F54-A6D3-0483EA8AF0A8} | 5044 |
| _isDAD2.exe | {790C1EEA-7461-4918-8438-2C6841C9320C} | 1864 |
| _isDAD2.exe | {D3FD09F6-4476-4C41-9226-A28173E5CDC8} | 920 |
| _isDAD2.exe | {9530B0C7-FD36-4D2F-9EF0-79EC65800D8F} | 2312 |
| _isDCF6.exe | {C36C9910-0537-48C7-A669-E331B2106E1F} | 3844 |
| _isDCF6.exe | {85D47B07-F0DE-4FDA-8337-40FA6D2126EF} | 5116 |
| _isDCF6.exe | {037D67B5-E3F9-422D-9145-9494C3ADF080} | 3780 |
| _isDCF6.exe | {AADE5F4E-E2CE-421C-A27E-0B6C772585CC} | 2476 |
| _isDCF6.exe | {C84A9917-48BA-44C8-B620-3C94B6A9A7F0} | 4488 |
| _isDCF6.exe | {4AB215A0-21B3-492D-9506-5C4E23AE2C02} | 1232 |
| _isDCF6.exe | {FF825EA6-21F4-42B7-A7AF-7740D8FE3717} | 4844 |
| _isDCF6.exe | {7FD801A2-9B28-4008-BF08-481F535D046E} | 1928 |
| _isDCF6.exe | {80376238-BA37-4464-A9C7-01BE75610A01} | 3132 |
| _isDCF6.exe | {123D0EAB-B16D-4939-A890-7BFF78848182} | 544 |
| _isDE9D.exe | {7C98D0FF-C5F0-4F27-B2C2-F7AE5DD6FE93} | 4516 |
| _isDE9D.exe | {8025B60B-CDD9-48A5-A939-6F4E150359F3} | 5008 |
| _isDE9D.exe | {71BA124A-0ECD-4580-8F0C-273E3ADFCE37} | 5104 |
| _isDE9D.exe | {23921E68-C62B-43AF-8576-B1E9DF8FA7C5} | 2148 |
| _isDE9D.exe | {803464D7-FF92-49B4-AE6D-2A04AE4F10C5} | 968 |
| _isDE9D.exe | {9BA336A8-CFB3-4A26-8EBE-CF4285C2EF0F} | 3764 |
| _isDE9D.exe | {BA5004B8-6C63-49ED-9ABC-A1F88CE04B7C} | 1272 |
| _isDE9D.exe | {99357477-5FE4-4DD3-B950-805666EE88E0} | 3632 |
| _isDE9D.exe | {3F9B61BA-DCE9-4FA0-974B-E6AE69180A47} | 3816 |
| _isDE9D.exe | {FE3F75DD-A0D3-42E0-8F96-0D5FB04D004A} | 4520 |
| _isE12E.exe | {87892A5E-5E93-4F7A-8B8F-67839B313172} | 4560 |
| _isE12E.exe | {878F3DAF-E493-452C-AEE6-36D2FA3D0BFA} | 2696 |
| _isE12E.exe | {4D25A347-0E8D-4008-9C03-0E58C16D0D48} | 452 |
| _isE12E.exe | {BB5D7CBA-55B9-409D-B3A8-2A91F0D3A427} | 1196 (no signature) |
| _isE12E.exe | {C71F3E7B-08F4-441F-89F1-891B797BB43A} | 3908 (no signature) |
-
-
C:\Users\Admin\AppData\Local\Temp\{BDFEADD8-DD6F-45AD-A714-B1683C440410}\{0F8E2D92}\_isE12E.exeC:\Users\Admin\AppData\Local\Temp\{BDFEADD8-DD6F-45AD-A714-B1683C440410}\{0F8E2D92}\_isE12E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E7B7F21D-154C-49E9-A049-D0B5280A42E9}3⤵PID:4276
-
-
C:\Users\Admin\AppData\Local\Temp\{BDFEADD8-DD6F-45AD-A714-B1683C440410}\{0F8E2D92}\_isE12E.exeC:\Users\Admin\AppData\Local\Temp\{BDFEADD8-DD6F-45AD-A714-B1683C440410}\{0F8E2D92}\_isE12E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6B3C08B0-D23E-4A4A-BD1D-9A0A050F78C2}3⤵PID:4832
-
-
C:\Users\Admin\AppData\Local\Temp\{BDFEADD8-DD6F-45AD-A714-B1683C440410}\{0F8E2D92}\_isE12E.exeC:\Users\Admin\AppData\Local\Temp\{BDFEADD8-DD6F-45AD-A714-B1683C440410}\{0F8E2D92}\_isE12E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FAE560E7-991D-4234-82A8-E6BA49635635}3⤵PID:3636
-
-
C:\Users\Admin\AppData\Local\Temp\{BDFEADD8-DD6F-45AD-A714-B1683C440410}\{0F8E2D92}\_isE12E.exeC:\Users\Admin\AppData\Local\Temp\{BDFEADD8-DD6F-45AD-A714-B1683C440410}\{0F8E2D92}\_isE12E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F295EC3D-F374-4716-A423-485F03A70A39}3⤵PID:4040
-
-
C:\Users\Admin\AppData\Local\Temp\{BDFEADD8-DD6F-45AD-A714-B1683C440410}\{0F8E2D92}\_isE12E.exeC:\Users\Admin\AppData\Local\Temp\{BDFEADD8-DD6F-45AD-A714-B1683C440410}\{0F8E2D92}\_isE12E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DE1DA4AA-FD09-406F-8794-1E9D637A8260}3⤵PID:4264
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads