Analysis Overview
SHA256
c7a87fff958cb1aa28aba6f3b0cbf5d12fc3cfc45a0cfd7cca6fee91b2a183a2
Threat Level: Shows suspicious behavior
The file 667007558DDRevA.iso was found to show suspicious behavior.
Malicious Activity Summary
Indicator Removal: File Deletion
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 07:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 07:51
Reported
2024-11-13 07:54
Platform
win7-20240903-en
Max time kernel
147s
Max time network
118s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\{52C00DD5-F5A1-4C85-BC9C-203F84B89305}\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\{52C00DD5-F5A1-4C85-BC9C-203F84B89305}\setup.exe
C:\Users\Admin\AppData\Local\Temp\{52C00DD5-F5A1-4C85-BC9C-203F84B89305}\setup.exe /q"C:\Users\Admin\AppData\Local\Temp\setup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{52C00DD5-F5A1-4C85-BC9C-203F84B89305}" /IS_temp
C:\Windows\SysWOW64\MSIEXEC.EXE
"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{52C00DD5-F5A1-4C85-BC9C-203F84B89305}\NuGenesis LMS 9 Data Adapters Release 4 - 6 Daylight Saving Time Hotfix.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="setup.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F8B624A3D0A8F4C9B1EFAD05C2BAA5E9 C
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C95692A5-5270-4F1E-872C-EDB81F04E237}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{37B5D32B-F296-41DA-93F4-F4D22AE866F6}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1531699E-386E-4F68-AF87-5DA38B849FA6}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C4D433D0-D3FF-4B13-94F0-742FA4693B59}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B79C3F18-A293-4853-8AD3-DD0AD93FD3FE}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{62B5CFCF-3D0D-4AC2-8D70-B8F2EF523312}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B2C93044-0AEC-4E4A-AE4A-AEB5A84585EA}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FF7102B5-539D-4F94-871B-0110331EE040}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7D2CF0A5-978E-4055-A56F-C9492B851A18}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{297463A4-7976-4B91-8B2D-E55A0D54FDE0}
Network
Files
C:\Users\Admin\AppData\Local\Temp\{52C00DD5-F5A1-4C85-BC9C-203F84B89305}\_ISMSIDEL.INI
| Hash | Value |
| --- | --- |
| MD5 | 8fdab0388909ff16d4a27f73b3511f5e |
| SHA1 | fe16401517b54411dbe833d87ec682912504e553 |
| SHA256 | 92046416c9db5af45cb323fc7e643a01a0a0a3a98564b01a7d0c34057dbc2fb9 |
| SHA512 | 262a26f8eda69a34b65ef93be7cfb0a8ddbd1ece36fc74d0d1328652d75820badde3ca3c5374c87f7731a7b25b72d670d30135b18be139346aef108819be1ef4 |
C:\Users\Admin\AppData\Local\Temp\~F48E.tmp
| Hash | Value |
| --- | --- |
| MD5 | a4daf3735dd2a766b3c2e8eb983b0e37 |
| SHA1 | 8e88ee22500d5d7ccf3e35427151fdd9fae1a4c4 |
| SHA256 | 608dcf6491cde1682febaba7aba655aba051fb1d575527abf588c632ee77c04b |
| SHA512 | d53573be71411478be37835dcb8114335a98102e4a37058d0b87e6bb2dfd2149b38883b521822b438178acee2ea9184f4960e15bdfd3e5daec49e2df2a21b10b |
\Users\Admin\AppData\Local\Temp\{52C00DD5-F5A1-4C85-BC9C-203F84B89305}\setup.exe
| Hash | Value |
| --- | --- |
| MD5 | 2e42e896ace4c2601e8b8586aa0b27cb |
| SHA1 | bb97f6b3f3663fc6b0ef65b8fec9cbbf9272d7dc |
| SHA256 | cdc0ead68ddaf9fd6020b06bf11574ab2b59e833c6375c19c92fe5d110cef9ad |
| SHA512 | be4f7c4d0900974c9f6410eab7da46ab8b82620832b6b29d25ed8564dcd872e643dcaec1331adaebdd011a948ad3b8b0e82daa6b928b3119a5e5c8484cbc16df |
C:\Users\Admin\AppData\Local\Temp\{52C00DD5-F5A1-4C85-BC9C-203F84B89305}\0x0409.ini
| Hash | Value |
| --- | --- |
| MD5 | a108f0030a2cda00405281014f897241 |
| SHA1 | d112325fa45664272b08ef5e8ff8c85382ebb991 |
| SHA256 | 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948 |
| SHA512 | d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298 |
C:\Users\Admin\AppData\Local\Temp\issF901.tmp
| Hash | Value |
| --- | --- |
| MD5 | 47fcf16839beb84274b014b16543156f |
| SHA1 | adf19a36ae6617fd67801d4badf4d372934bef65 |
| SHA256 | 575de84ad866ebe8bdc2adc0b8499f9f03408f1c7866f9f75df018e2a8160679 |
| SHA512 | fc5d68cf6bbd3aaecf0164137dc5c506272c7d3e440d24bf50f1b84e002c0365941a8d04b130fad0b2b4993e1c4e89dbc4327d0f0828a0d1e5552bcf47d4ef6b |
C:\Users\Admin\AppData\Local\Temp\{52C00DD5-F5A1-4C85-BC9C-203F84B89305}\NuGenesis LMS 9 Data Adapters Release 4 - 6 Daylight Saving Time Hotfix.msi
| Hash | Value |
| --- | --- |
| MD5 | 326a49b8c9ed1e9a18598a309ce7ed26 |
| SHA1 | 8da3571ab6bd8c4bca3c50b5094ef4437942f0b7 |
| SHA256 | 6c3e409832ace511635ef8efa17cbfc681a51a0ef957004a874cc320b1957921 |
| SHA512 | 4bef6aaac32e5a6e6e75413cce1c7c7528164a059e6151cd241e567bd8b7c971e64aa6be905f335dfb546db9438554e5ff69326d7b4219dd0c25adfc115d0753 |
C:\Users\Admin\AppData\Local\Temp\{532D5FB6-83F3-4429-9AAD-16F5AA4FB819}\IsConfig.ini
| Hash | Value |
| --- | --- |
| MD5 | 46f911f8d46827784b2c1cd89d223656 |
| SHA1 | dc8abe7382169891a52078d85aef81f291038073 |
| SHA256 | bc72229e6b2f86ef01c2a8801dd7d8b0125d824844d3fdaf11504d656bd6b010 |
| SHA512 | 531f8c4db964c09aba82447601318a0b045f4e17dcae6ca67037852f24044b61a11f98fa39a5ffb2d3283c12237c19e1f96b4ede736f0ddb105f0b31f5ba6079 |
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\setup.inx
| Hash | Value |
| --- | --- |
| MD5 | 1556ee679b5d5dc4e4e6bc3800bb9937 |
| SHA1 | deb733ae33af22588762f8a60b9b11cf27dfa92b |
| SHA256 | 4f0708ca4ef3eb8e7db1eff8b490ea64cccc1ae39e039bb5050a77a507d8a14b |
| SHA512 | 7f50bcf6034bf6be613caf7f0b7c6158ce2caf52376dd817493c203b2086c42f9fe8e83f0796be6b5afefc5595686b8ab232e744ac7f0fa0f28736a54686cb4c |
\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
| Hash | Value |
| --- | --- |
| MD5 | 40f3a092744e46f3531a40b917cca81e |
| SHA1 | c73f62a44cb3a75933cecf1be73a48d0d623039b |
| SHA256 | 561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f |
| SHA512 | 1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2 |
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISRT.dll
| Hash | Value |
| --- | --- |
| MD5 | 8af02bf8e358e11caec4f2e7884b43cc |
| SHA1 | 16badc6c610eeb08de121ab268093dd36b56bf27 |
| SHA256 | 58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e |
| SHA512 | d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd |
memory/2828-120-0x0000000010000000-0x0000000010114000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\_isres_0x0409.dll
| Hash | Value |
| --- | --- |
| MD5 | 90653dafc3399a7f229486bbabb71ce8 |
| SHA1 | 378228cdf6852b6a1ca35756557fefb33a26ca71 |
| SHA256 | d16f868f304663dd4ce9418de1eb684779b7af82eac657799809392f7b3d1d5f |
| SHA512 | efc654d5ac195d98f87630d6a1f77819068546cd75fc84167a2ad832ba5bfef6f4be19b4bc5b3e670066f6718d353ea85474c8801ae0c7e528f57e7a5d8077b8 |
memory/2828-123-0x0000000002DD0000-0x0000000002F97000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\String1033.txt
| Hash | Value |
| --- | --- |
| MD5 | a00694e91420c6e1aa54b484121f89d7 |
| SHA1 | a930cadc76bd3593eb978f8053b325e5147a5e9d |
| SHA256 | 1a7068090c17f02c0a6eef8d45634b7485b254e6e8262082bb7399223365461f |
| SHA512 | e2a62e7f512f41081b5e7b390cc8af8775eb5f8c27a072029392ec889226894c307068df665da9a89967942a46369ca244abfa060d20ffc34e23b6ee12f11db1 |
memory/2828-136-0x0000000010000000-0x0000000010114000-memory.dmp
memory/2828-139-0x0000000010000000-0x0000000010114000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 07:51
Reported
2024-11-13 07:54
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
136s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Indicator Removal: File Deletion
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\{55C2CF2B-90B1-49FA-BE40-0629F26C70C5}\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\{55C2CF2B-90B1-49FA-BE40-0629F26C70C5}\setup.exe
C:\Users\Admin\AppData\Local\Temp\{55C2CF2B-90B1-49FA-BE40-0629F26C70C5}\setup.exe /q"C:\Users\Admin\AppData\Local\Temp\setup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{55C2CF2B-90B1-49FA-BE40-0629F26C70C5}" /IS_temp
C:\Windows\SysWOW64\MSIEXEC.EXE
"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{55C2CF2B-90B1-49FA-BE40-0629F26C70C5}\NuGenesis LMS 9 Data Adapters Release 4 - 6 Daylight Saving Time Hotfix.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="setup.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4C834E221B742C5D328564955EF96BF1 C
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{273B6839-5E6A-4547-B78C-560E9E1599F0}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8218770C-46C9-413B-B3F4-72735AC2E072}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8BF12995-2749-46B6-B3D5-05A9A332E662}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3999B57F-7A72-4917-B074-82A1032EC0FF}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5A8D8FA8-FE0C-47EF-B4C5-01AE63195B8F}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0B90F3EF-D174-4F5E-B3FA-4E522105470E}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5FC6B676-DFC4-4E20-BDD4-035B3DA398E9}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D09142D3-DB74-4B08-A87B-25EB230FC54E}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E2B3A168-8DC0-4A28-BF89-1E360B0ADFAA}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F983EDBD-5BC3-4BBA-833A-0674796B831D}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{55C2CF2B-90B1-49FA-BE40-0629F26C70C5}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\{55C2CF2B-90B1-49FA-BE40-0629F26C70C5}\_ISMSIDEL.INI
| Hash | Value |
| MD5 | 1b0094367f7af49c6e36e6f91346d3c9 |
| SHA1 | 7f079a78643030f80e4134b3f0c6922af4995e56 |
| SHA256 | aa51e7bbf2954931ef7115c625ab8d4886298c449dd6bffacc3c1a961824b671 |
| SHA512 | 9548a73763066f97444c908bfd84f609660418564e5926f77ce4763bd946338088b855828eaa3985aef9a982002c07e450b064581a551a039d9a923b5ac8c4f5 |
C:\Users\Admin\AppData\Local\Temp\~8658.tmp
| Hash | Value |
| MD5 | a4daf3735dd2a766b3c2e8eb983b0e37 |
| SHA1 | 8e88ee22500d5d7ccf3e35427151fdd9fae1a4c4 |
| SHA256 | 608dcf6491cde1682febaba7aba655aba051fb1d575527abf588c632ee77c04b |
| SHA512 | d53573be71411478be37835dcb8114335a98102e4a37058d0b87e6bb2dfd2149b38883b521822b438178acee2ea9184f4960e15bdfd3e5daec49e2df2a21b10b |
C:\Users\Admin\AppData\Local\Temp\{55C2CF2B-90B1-49FA-BE40-0629F26C70C5}\setup.exe
| Hash | Value |
| MD5 | 2e42e896ace4c2601e8b8586aa0b27cb |
| SHA1 | bb97f6b3f3663fc6b0ef65b8fec9cbbf9272d7dc |
| SHA256 | cdc0ead68ddaf9fd6020b06bf11574ab2b59e833c6375c19c92fe5d110cef9ad |
| SHA512 | be4f7c4d0900974c9f6410eab7da46ab8b82620832b6b29d25ed8564dcd872e643dcaec1331adaebdd011a948ad3b8b0e82daa6b928b3119a5e5c8484cbc16df |
C:\Users\Admin\AppData\Local\Temp\{55C2CF2B-90B1-49FA-BE40-0629F26C70C5}\_ISMSIDEL.INI
| Hash | Value |
| MD5 | c6076e8c2e7c246acbbdeeb00c7e3fd8 |
| SHA1 | 793ae18247355ce84b05db2b4d601c78e6992c6d |
| SHA256 | f8f3cf5b5570c7c8d19cd2fa88c5fde522a7adc41acc2fcbde8aee8662dcf372 |
| SHA512 | 5d49e7a23d6487d54da0483919bec589d42d3c1c8adee8e548b39d5abe7d99fbf12e2664d7a19b32e61749e1b0480907b2a2c1f947ac03f679d98d799a8f613f |
C:\Users\Admin\AppData\Local\Temp\{55C2CF2B-90B1-49FA-BE40-0629F26C70C5}\0x0409.ini
| Hash | Value |
| MD5 | a108f0030a2cda00405281014f897241 |
| SHA1 | d112325fa45664272b08ef5e8ff8c85382ebb991 |
| SHA256 | 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948 |
| SHA512 | d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298 |
C:\Users\Admin\AppData\Local\Temp\iss8A40.tmp
| Hash | Value |
| MD5 | 47fcf16839beb84274b014b16543156f |
| SHA1 | adf19a36ae6617fd67801d4badf4d372934bef65 |
| SHA256 | 575de84ad866ebe8bdc2adc0b8499f9f03408f1c7866f9f75df018e2a8160679 |
| SHA512 | fc5d68cf6bbd3aaecf0164137dc5c506272c7d3e440d24bf50f1b84e002c0365941a8d04b130fad0b2b4993e1c4e89dbc4327d0f0828a0d1e5552bcf47d4ef6b |
C:\Users\Admin\AppData\Local\Temp\{55C2CF2B-90B1-49FA-BE40-0629F26C70C5}\NuGenesis LMS 9 Data Adapters Release 4 - 6 Daylight Saving Time Hotfix.msi
| Hash | Value |
| MD5 | 326a49b8c9ed1e9a18598a309ce7ed26 |
| SHA1 | 8da3571ab6bd8c4bca3c50b5094ef4437942f0b7 |
| SHA256 | 6c3e409832ace511635ef8efa17cbfc681a51a0ef957004a874cc320b1957921 |
| SHA512 | 4bef6aaac32e5a6e6e75413cce1c7c7528164a059e6151cd241e567bd8b7c971e64aa6be905f335dfb546db9438554e5ff69326d7b4219dd0c25adfc115d0753 |
C:\Users\Admin\AppData\Local\Temp\{C7331571-5E2B-4591-9C86-E242A166B24A}\IsConfig.ini
| Hash | Value |
| MD5 | 46f911f8d46827784b2c1cd89d223656 |
| SHA1 | dc8abe7382169891a52078d85aef81f291038073 |
| SHA256 | bc72229e6b2f86ef01c2a8801dd7d8b0125d824844d3fdaf11504d656bd6b010 |
| SHA512 | 531f8c4db964c09aba82447601318a0b045f4e17dcae6ca67037852f24044b61a11f98fa39a5ffb2d3283c12237c19e1f96b4ede736f0ddb105f0b31f5ba6079 |
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\setup.inx
| Hash | Value |
| MD5 | 1556ee679b5d5dc4e4e6bc3800bb9937 |
| SHA1 | deb733ae33af22588762f8a60b9b11cf27dfa92b |
| SHA256 | 4f0708ca4ef3eb8e7db1eff8b490ea64cccc1ae39e039bb5050a77a507d8a14b |
| SHA512 | 7f50bcf6034bf6be613caf7f0b7c6158ce2caf52376dd817493c203b2086c42f9fe8e83f0796be6b5afefc5595686b8ab232e744ac7f0fa0f28736a54686cb4c |
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
| Hash | Value |
| MD5 | 40f3a092744e46f3531a40b917cca81e |
| SHA1 | c73f62a44cb3a75933cecf1be73a48d0d623039b |
| SHA256 | 561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f |
| SHA512 | 1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2 |
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISRT.dll
| Hash | Value |
| MD5 | 8af02bf8e358e11caec4f2e7884b43cc |
| SHA1 | 16badc6c610eeb08de121ab268093dd36b56bf27 |
| SHA256 | 58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e |
| SHA512 | d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd |
memory/3976-113-0x0000000010000000-0x0000000010114000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\_isres_0x0409.dll
| Hash | Value |
| MD5 | 90653dafc3399a7f229486bbabb71ce8 |
| SHA1 | 378228cdf6852b6a1ca35756557fefb33a26ca71 |
| SHA256 | d16f868f304663dd4ce9418de1eb684779b7af82eac657799809392f7b3d1d5f |
| SHA512 | efc654d5ac195d98f87630d6a1f77819068546cd75fc84167a2ad832ba5bfef6f4be19b4bc5b3e670066f6718d353ea85474c8801ae0c7e528f57e7a5d8077b8 |
memory/3976-117-0x0000000002EB0000-0x0000000003077000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\String1033.txt
| Hash | Value |
| MD5 | a00694e91420c6e1aa54b484121f89d7 |
| SHA1 | a930cadc76bd3593eb978f8053b325e5147a5e9d |
| SHA256 | 1a7068090c17f02c0a6eef8d45634b7485b254e6e8262082bb7399223365461f |
| SHA512 | e2a62e7f512f41081b5e7b390cc8af8775eb5f8c27a072029392ec889226894c307068df665da9a89967942a46369ca244abfa060d20ffc34e23b6ee12f11db1 |
C:\Users\Admin\AppData\Local\Temp\{55C2CF2B-90B1-49FA-BE40-0629F26C70C5}\_ISMSIDEL.INI
| Hash | Value |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\{55C2CF2B-90B1-49FA-BE40-0629F26C70C5}\_ISMSIDEL.INI
| Hash | Value |
| MD5 | c10f0c1c213324eb2d479d8617a58197 |
| SHA1 | 5d830ffc7950e47de2a7f9efafca8425c37a382c |
| SHA256 | 06d38311dc59cf5a078491d01fe65e579b3c5d72764bf93e35ae24cd74a805be |
| SHA512 | 6b73dd20de1f288999bf2590f8cf095f5804ae2648ab85d136a919ffe0e0430180c91a46b2ad6192104ee8802d982f70bc0fcca87cd8189a5be3e04312d1a702 |