Analysis Overview
SHA256
cdc0ead68ddaf9fd6020b06bf11574ab2b59e833c6375c19c92fe5d110cef9ad
Threat Level: Shows suspicious behavior
The file setup.exe was found to show suspicious behavior.
Malicious Activity Summary
Enumerates connected drives
Indicator Removal: File Deletion
Executes dropped EXE
Loads dropped DLL
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 10:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 10:04
Reported
2024-11-13 10:07
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
Indicator Removal: File Deletion
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\{D149415E-32C7-4B07-A482-B855F821EBDF}\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\{D149415E-32C7-4B07-A482-B855F821EBDF}\setup.exe
C:\Users\Admin\AppData\Local\Temp\{D149415E-32C7-4B07-A482-B855F821EBDF}\setup.exe /q"C:\Users\Admin\AppData\Local\Temp\setup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{D149415E-32C7-4B07-A482-B855F821EBDF}" /IS_temp
C:\Windows\SysWOW64\MSIEXEC.EXE
"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{D149415E-32C7-4B07-A482-B855F821EBDF}\NuGenesis LMS 9 Data Adapters Release 4 - 6 Daylight Saving Time Hotfix.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="setup.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C1241527D0B15717AD3FB6D95CC24903 C
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E618CDAC-65AF-42E1-AC32-68408E1D860B}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E5B6FAC8-1A49-4A1B-B41A-0765564D5832}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1E26D4D4-A853-448B-BF2C-73797F7F66A5}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{20FD8D43-3BA7-4E40-8FD3-9785D560FDAD}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{27CD7EFC-2161-4938-893F-0B662050AED3}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BC39ED2D-46AD-4E11-9497-DC957FB3FCEC}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{96BE2FC7-6D0C-438A-BDCD-87F65CF44638}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{50A07F89-CF2C-462D-A0E0-15C8EF988E22}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BF009035-6717-47BA-BC81-77FCA9010182}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1DCEB92E-4FB2-4213-8A35-F0C02FACFCAB}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{D149415E-32C7-4B07-A482-B855F821EBDF}"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\{D149415E-32C7-4B07-A482-B855F821EBDF}\_ISMSIDEL.INI
| MD5 | c0c987034daa911c0b7eb47cdcb076ed |
| SHA1 | c97875be7778ae3af8df73209708b11086620a9b |
| SHA256 | 1c3774203bf08d37fcc8819463f3bf1e82dd8c9c5a6b1a8ee29015d761d18f09 |
| SHA512 | 30a06b99c8c9157557f97fe4349e8de2fc77efb341087d5b147647684f5882cf6cd2d8345c5d318d3c5f00a8d71da5f11e6b030ebb817953ee4393f918541b9e |
C:\Users\Admin\AppData\Local\Temp\~56BA.tmp
| MD5 | a4daf3735dd2a766b3c2e8eb983b0e37 |
| SHA1 | 8e88ee22500d5d7ccf3e35427151fdd9fae1a4c4 |
| SHA256 | 608dcf6491cde1682febaba7aba655aba051fb1d575527abf588c632ee77c04b |
| SHA512 | d53573be71411478be37835dcb8114335a98102e4a37058d0b87e6bb2dfd2149b38883b521822b438178acee2ea9184f4960e15bdfd3e5daec49e2df2a21b10b |
\Users\Admin\AppData\Local\Temp\{D149415E-32C7-4B07-A482-B855F821EBDF}\setup.exe
| MD5 | 2e42e896ace4c2601e8b8586aa0b27cb |
| SHA1 | bb97f6b3f3663fc6b0ef65b8fec9cbbf9272d7dc |
| SHA256 | cdc0ead68ddaf9fd6020b06bf11574ab2b59e833c6375c19c92fe5d110cef9ad |
| SHA512 | be4f7c4d0900974c9f6410eab7da46ab8b82620832b6b29d25ed8564dcd872e643dcaec1331adaebdd011a948ad3b8b0e82daa6b928b3119a5e5c8484cbc16df |
C:\Users\Admin\AppData\Local\Temp\{D149415E-32C7-4B07-A482-B855F821EBDF}\0x0409.ini
| MD5 | a108f0030a2cda00405281014f897241 |
| SHA1 | d112325fa45664272b08ef5e8ff8c85382ebb991 |
| SHA256 | 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948 |
| SHA512 | d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298 |
C:\Users\Admin\AppData\Local\Temp\iss585F.tmp
| MD5 | 47fcf16839beb84274b014b16543156f |
| SHA1 | adf19a36ae6617fd67801d4badf4d372934bef65 |
| SHA256 | 575de84ad866ebe8bdc2adc0b8499f9f03408f1c7866f9f75df018e2a8160679 |
| SHA512 | fc5d68cf6bbd3aaecf0164137dc5c506272c7d3e440d24bf50f1b84e002c0365941a8d04b130fad0b2b4993e1c4e89dbc4327d0f0828a0d1e5552bcf47d4ef6b |
C:\Users\Admin\AppData\Local\Temp\{D149415E-32C7-4B07-A482-B855F821EBDF}\NuGenesis LMS 9 Data Adapters Release 4 - 6 Daylight Saving Time Hotfix.msi
| MD5 | 326a49b8c9ed1e9a18598a309ce7ed26 |
| SHA1 | 8da3571ab6bd8c4bca3c50b5094ef4437942f0b7 |
| SHA256 | 6c3e409832ace511635ef8efa17cbfc681a51a0ef957004a874cc320b1957921 |
| SHA512 | 4bef6aaac32e5a6e6e75413cce1c7c7528164a059e6151cd241e567bd8b7c971e64aa6be905f335dfb546db9438554e5ff69326d7b4219dd0c25adfc115d0753 |
C:\Users\Admin\AppData\Local\Temp\{CB62F02E-BD36-41CB-B9A0-0CA3769BC08D}\IsConfig.ini
| MD5 | 46f911f8d46827784b2c1cd89d223656 |
| SHA1 | dc8abe7382169891a52078d85aef81f291038073 |
| SHA256 | bc72229e6b2f86ef01c2a8801dd7d8b0125d824844d3fdaf11504d656bd6b010 |
| SHA512 | 531f8c4db964c09aba82447601318a0b045f4e17dcae6ca67037852f24044b61a11f98fa39a5ffb2d3283c12237c19e1f96b4ede736f0ddb105f0b31f5ba6079 |
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\setup.inx
| MD5 | 1556ee679b5d5dc4e4e6bc3800bb9937 |
| SHA1 | deb733ae33af22588762f8a60b9b11cf27dfa92b |
| SHA256 | 4f0708ca4ef3eb8e7db1eff8b490ea64cccc1ae39e039bb5050a77a507d8a14b |
| SHA512 | 7f50bcf6034bf6be613caf7f0b7c6158ce2caf52376dd817493c203b2086c42f9fe8e83f0796be6b5afefc5595686b8ab232e744ac7f0fa0f28736a54686cb4c |
\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
| MD5 | 40f3a092744e46f3531a40b917cca81e |
| SHA1 | c73f62a44cb3a75933cecf1be73a48d0d623039b |
| SHA256 | 561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f |
| SHA512 | 1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2 |
\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISRT.dll
| MD5 | 8af02bf8e358e11caec4f2e7884b43cc |
| SHA1 | 16badc6c610eeb08de121ab268093dd36b56bf27 |
| SHA256 | 58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e |
| SHA512 | d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd |
memory/600-120-0x0000000010000000-0x0000000010114000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\_isres_0x0409.dll
| MD5 | 90653dafc3399a7f229486bbabb71ce8 |
| SHA1 | 378228cdf6852b6a1ca35756557fefb33a26ca71 |
| SHA256 | d16f868f304663dd4ce9418de1eb684779b7af82eac657799809392f7b3d1d5f |
| SHA512 | efc654d5ac195d98f87630d6a1f77819068546cd75fc84167a2ad832ba5bfef6f4be19b4bc5b3e670066f6718d353ea85474c8801ae0c7e528f57e7a5d8077b8 |
memory/600-123-0x0000000002EE0000-0x00000000030A7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\String1033.txt
| MD5 | a00694e91420c6e1aa54b484121f89d7 |
| SHA1 | a930cadc76bd3593eb978f8053b325e5147a5e9d |
| SHA256 | 1a7068090c17f02c0a6eef8d45634b7485b254e6e8262082bb7399223365461f |
| SHA512 | e2a62e7f512f41081b5e7b390cc8af8775eb5f8c27a072029392ec889226894c307068df665da9a89967942a46369ca244abfa060d20ffc34e23b6ee12f11db1 |
C:\Users\Admin\AppData\Local\Temp\{D149415E-32C7-4B07-A482-B855F821EBDF}\_ISMSIDEL.INI
| MD5 | 2886eba5021a6711c516b35caf7d59c1 |
| SHA1 | 8f9cad82e731a7bffc029e9bdf54e5497f64b962 |
| SHA256 | 99f85da760a9e9d7425081f3c1ae93d4d86aa4b209261cd12baeac4481b1b3ef |
| SHA512 | 74e26cc78fa54815415ee5033af85cc69a7d5b70ec86a66031127e4469cb8f161dfa346ce6def0b8ce743d4a84bbf72e9b99f693cbdf7d527153e562f654fbda |
C:\Users\Admin\AppData\Local\Temp\{D149415E-32C7-4B07-A482-B855F821EBDF}\_ISMSIDEL.INI
| MD5 | c10f0c1c213324eb2d479d8617a58197 |
| SHA1 | 5d830ffc7950e47de2a7f9efafca8425c37a382c |
| SHA256 | 06d38311dc59cf5a078491d01fe65e579b3c5d72764bf93e35ae24cd74a805be |
| SHA512 | 6b73dd20de1f288999bf2590f8cf095f5804ae2648ab85d136a919ffe0e0430180c91a46b2ad6192104ee8802d982f70bc0fcca87cd8189a5be3e04312d1a702 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 10:04
Reported
2024-11-13 10:07
Platform
win10v2004-20241007-en
Max time kernel
113s
Max time network
137s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
Indicator Removal: File Deletion
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}\setup.exe
C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}\setup.exe /q"C:\Users\Admin\AppData\Local\Temp\setup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}" /IS_temp
C:\Windows\SysWOW64\MSIEXEC.EXE
"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}\NuGenesis LMS 9 Data Adapters Release 4 - 6 Daylight Saving Time Hotfix.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="setup.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 07F9BDC2D4BED5079AF2F33921FC5EC8 C
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BA8B310A-8361-4C0B-8F2E-8928C4B05F27}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D0D2BDF3-68A5-4CD3-B023-D689912CE504}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{50D18CCF-3B52-433D-BE1C-D78FFB59B594}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A71F76CC-CF82-4085-8CF0-869C7A4CAF62}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{70B3C671-AA47-415C-87B9-CB7A30763E18}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9DB3B1DF-08D1-40C1-88BF-0978FAEE4864}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5FAA27FE-A6D7-4656-AD59-88A69391C2F2}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{64696752-D4A7-46CF-B836-1F6220634FFA}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DFE0DFD5-6404-48E0-979D-9CAB79A848AD}
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BBF220A8-A8B6-4B56-AE02-DC041E616D90}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}"
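The process listing above alternates an executable image with the command line the sandbox recorded for it. Three things in it deserve a check before the behaviour is read as malicious: the image/command-line mismatch between SysWOW64 and system32 is WoW64 file-system redirection of a 32-bit process, the `/tempdisk1folder` and `/IS_temp` switches together with setup.inx, ISRT.dll and ISBEW64.exe are the footprint of an InstallShield setup.exe bootstrapper unpacking into a `%TEMP%\{GUID}` staging folder, and the final `cmd.exe /c rmdir /s /q` on that same folder is the bootstrapper removing its staging directory. The script below is an added example, not code from the report or the sandbox: it parses the image/command-line pairs and tags each process with those checks. The tag names, the `Proc` class and the trimmed `PROCESS_LISTING` sample are constructed for the example.

```python
"""Triage of the process listing above: an added example, not part of the
sandbox report. The listing alternates an executable image with the command
line recorded for it; this parses those pairs and tags each process with the
checks a reviewer wants before treating the behaviour as malicious. The tag
names and the trimmed PROCESS_LISTING sample are constructed for this example."""
import re
from dataclasses import dataclass, field

# Constructed from the listing above; the repeated ISBEW64.exe launches are
# reduced to one, which is enough to exercise every rule.
PROCESS_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}\setup.exe
C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}\setup.exe /q"C:\Users\Admin\AppData\Local\Temp\setup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}" /IS_temp
C:\Windows\SysWOW64\MSIEXEC.EXE
"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}\NuGenesis LMS 9 Data Adapters Release 4 - 6 Daylight Saving Time Hotfix.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="setup.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 07F9BDC2D4BED5079AF2F33921FC5EC8 C
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BA8B310A-8361-4C0B-8F2E-8928C4B05F27}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}"
"""

# %TEMP%\{GUID} is the staging folder an InstallShield bootstrapper unpacks into.
GUID = r"\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}"
TEMP_STAGING = re.compile(r"\\AppData\\Local\\Temp\\" + GUID, re.IGNORECASE)


@dataclass
class Proc:
    image: str
    cmdline: str
    tags: list = field(default_factory=list)


def parse_listing(text):
    """Pair each image line with the command-line line that follows it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("listing must alternate image path and command line")
    return [Proc(img, cmd) for img, cmd in zip(lines[0::2], lines[1::2])]


def first_token(cmdline):
    """Executable as written on the command line, surrounding quotes removed."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    return m.group(1) or m.group(2)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def tag(proc):
    img = proc.image.lower()
    exe = first_token(proc.cmdline).lower()
    # A 32-bit process that names System32 is redirected to SysWOW64 by WoW64;
    # the image/command-line mismatch is the OS at work, not path spoofing.
    if "\\syswow64\\" in img and "\\system32\\" in exe and basename(img) == basename(exe):
        proc.tags.append("wow64-redirect")
    # Windows Installer invoked on a package unpacked into the staging folder.
    if (img.endswith("msiexec.exe") and re.search(r"\s/i\s", proc.cmdline, re.I)
            and TEMP_STAGING.search(proc.cmdline)):
        proc.tags.append("msi-from-temp-staging")
    # Quiet recursive delete of the staging folder: the bootstrapper cleaning
    # up after itself, which is what the sandbox reports as file deletion.
    if (img.endswith("cmd.exe") and re.search(r"rmdir\s+/s\s+/q", proc.cmdline, re.I)
            and TEMP_STAGING.search(proc.cmdline)):
        proc.tags.append("staging-dir-cleanup")
    # A binary executed from the staging folder was dropped by the bootstrapper.
    if TEMP_STAGING.search(proc.image):
        proc.tags.append("runs-from-temp-staging")
    return proc.tags


def triage(text):
    procs = parse_listing(text)
    for p in procs:
        tag(p)
    return procs


if __name__ == "__main__":
    for p in triage(PROCESS_LISTING):
        print(f"{basename(p.image):<12} {', '.join(p.tags) or '-'}")
```

Run against the full listing the script tags every ISBEW64.exe launch as running from the staging folder; none of the tags on its own says anything about intent, which is why the report's verdict stays at "suspicious" rather than "malicious".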
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
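Every row in the Network table is a UDP query to 8.8.8.8:53 for an `in-addr.arpa` name, i.e. a PTR (reverse) lookup of an address the sandbox already held; no forward hostname lookup appears. To pivot on those addresses they have to be turned back into dotted form. The script below is an added example, not code from the report: it parses the table, decodes each reverse name, and checks that none of the reversed addresses fall in private or reserved space. `NETWORK_TABLE` is constructed from the rows above and the summary keys are this example's own.

```python
"""Decoder for the Network table above: an added example, not part of the
report. Turns each in-addr.arpa PTR query back into the IPv4 address that was
reversed, and summarises resolvers, forward lookups and non-global addresses.
NETWORK_TABLE is constructed from the rows above."""
import ipaddress

NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
"""


def ptr_to_ip(name):
    """'d.c.b.a.in-addr.arpa' -> 'a.b.c.d', validated as an IPv4 address."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 reverse name: {name}")
    return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))


def parse_table(text):
    """Rows of the pipe table as dicts; reverse names are decoded on the way."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue  # blank line or header row
        country, dest, name, proto = cells
        resolver, port = dest.rsplit(":", 1)
        reverse = name.lower().endswith(".in-addr.arpa")
        rows.append({
            "country": country, "resolver": resolver, "port": int(port),
            "proto": proto, "query": name,
            "kind": "PTR" if reverse else "forward",
            "ip": ptr_to_ip(name) if reverse else None,
        })
    return rows


def summarize(rows):
    ips = {r["ip"] for r in rows if r["ip"]}
    return {
        # Which resolvers were contacted, and how.
        "resolvers": sorted({f'{r["resolver"]}:{r["port"]}/{r["proto"]}' for r in rows}),
        # Any forward (hostname) lookups: a C2 domain would show up here.
        "forward_queries": [r["query"] for r in rows if r["kind"] == "forward"],
        # The addresses that were reversed, in numeric order for pivoting.
        "reversed_ips": sorted(ips, key=ipaddress.IPv4Address),
        # Reversed addresses in private/reserved space (none expected here).
        "non_global": sorted(ip for ip in ips if not ipaddress.IPv4Address(ip).is_global),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_table(NETWORK_TABLE)).items():
        print(f"{key}: {value}")
```

The reversed list is what goes into a passive-DNS or ASN lookup; the table itself records only that the PTR queries were sent, not who owns the addresses.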
Files
C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}\_ISMSIDEL.INI
| MD5 | a241f2e8f8e545a8256fc9bfa1307f0a |
| SHA1 | 554283996ef7a173ad06388c13abd6a3ada8bb4d |
| SHA256 | c110c27962f0323c6251b473b6e57dbe6431b7d13b1b3d588cbeb83c43c649c3 |
| SHA512 | f0c169315ef28c1d5084915e21fa725eade8768f0d313be977585ccc9ecb349b1e33a6ada361d9d85079977258833a3071c6566fcd6fd42df6af7ff8d11452ff |
C:\Users\Admin\AppData\Local\Temp\~D0A0.tmp
| MD5 | a4daf3735dd2a766b3c2e8eb983b0e37 |
| SHA1 | 8e88ee22500d5d7ccf3e35427151fdd9fae1a4c4 |
| SHA256 | 608dcf6491cde1682febaba7aba655aba051fb1d575527abf588c632ee77c04b |
| SHA512 | d53573be71411478be37835dcb8114335a98102e4a37058d0b87e6bb2dfd2149b38883b521822b438178acee2ea9184f4960e15bdfd3e5daec49e2df2a21b10b |
C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}\setup.exe
| MD5 | 2e42e896ace4c2601e8b8586aa0b27cb |
| SHA1 | bb97f6b3f3663fc6b0ef65b8fec9cbbf9272d7dc |
| SHA256 | cdc0ead68ddaf9fd6020b06bf11574ab2b59e833c6375c19c92fe5d110cef9ad |
| SHA512 | be4f7c4d0900974c9f6410eab7da46ab8b82620832b6b29d25ed8564dcd872e643dcaec1331adaebdd011a948ad3b8b0e82daa6b928b3119a5e5c8484cbc16df |
C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}\0x0409.ini
| MD5 | a108f0030a2cda00405281014f897241 |
| SHA1 | d112325fa45664272b08ef5e8ff8c85382ebb991 |
| SHA256 | 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948 |
| SHA512 | d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298 |
C:\Users\Admin\AppData\Local\Temp\issD5C1.tmp
| MD5 | 47fcf16839beb84274b014b16543156f |
| SHA1 | adf19a36ae6617fd67801d4badf4d372934bef65 |
| SHA256 | 575de84ad866ebe8bdc2adc0b8499f9f03408f1c7866f9f75df018e2a8160679 |
| SHA512 | fc5d68cf6bbd3aaecf0164137dc5c506272c7d3e440d24bf50f1b84e002c0365941a8d04b130fad0b2b4993e1c4e89dbc4327d0f0828a0d1e5552bcf47d4ef6b |
C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}\NuGenesis LMS 9 Data Adapters Release 4 - 6 Daylight Saving Time Hotfix.msi
| MD5 | 326a49b8c9ed1e9a18598a309ce7ed26 |
| SHA1 | 8da3571ab6bd8c4bca3c50b5094ef4437942f0b7 |
| SHA256 | 6c3e409832ace511635ef8efa17cbfc681a51a0ef957004a874cc320b1957921 |
| SHA512 | 4bef6aaac32e5a6e6e75413cce1c7c7528164a059e6151cd241e567bd8b7c971e64aa6be905f335dfb546db9438554e5ff69326d7b4219dd0c25adfc115d0753 |
C:\Users\Admin\AppData\Local\Temp\{307AF1FD-1FF1-489C-B068-DD52AD8B5AD6}\IsConfig.ini
| MD5 | 46f911f8d46827784b2c1cd89d223656 |
| SHA1 | dc8abe7382169891a52078d85aef81f291038073 |
| SHA256 | bc72229e6b2f86ef01c2a8801dd7d8b0125d824844d3fdaf11504d656bd6b010 |
| SHA512 | 531f8c4db964c09aba82447601318a0b045f4e17dcae6ca67037852f24044b61a11f98fa39a5ffb2d3283c12237c19e1f96b4ede736f0ddb105f0b31f5ba6079 |
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\setup.inx
| MD5 | 1556ee679b5d5dc4e4e6bc3800bb9937 |
| SHA1 | deb733ae33af22588762f8a60b9b11cf27dfa92b |
| SHA256 | 4f0708ca4ef3eb8e7db1eff8b490ea64cccc1ae39e039bb5050a77a507d8a14b |
| SHA512 | 7f50bcf6034bf6be613caf7f0b7c6158ce2caf52376dd817493c203b2086c42f9fe8e83f0796be6b5afefc5595686b8ab232e744ac7f0fa0f28736a54686cb4c |
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
| MD5 | 40f3a092744e46f3531a40b917cca81e |
| SHA1 | c73f62a44cb3a75933cecf1be73a48d0d623039b |
| SHA256 | 561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f |
| SHA512 | 1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2 |
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISRT.dll
| MD5 | 8af02bf8e358e11caec4f2e7884b43cc |
| SHA1 | 16badc6c610eeb08de121ab268093dd36b56bf27 |
| SHA256 | 58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e |
| SHA512 | d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd |
memory/1392-113-0x0000000010000000-0x0000000010114000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\_isres_0x0409.dll
| MD5 | 90653dafc3399a7f229486bbabb71ce8 |
| SHA1 | 378228cdf6852b6a1ca35756557fefb33a26ca71 |
| SHA256 | d16f868f304663dd4ce9418de1eb684779b7af82eac657799809392f7b3d1d5f |
| SHA512 | efc654d5ac195d98f87630d6a1f77819068546cd75fc84167a2ad832ba5bfef6f4be19b4bc5b3e670066f6718d353ea85474c8801ae0c7e528f57e7a5d8077b8 |
memory/1392-117-0x0000000002F70000-0x0000000003137000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\String1033.txt
| MD5 | a00694e91420c6e1aa54b484121f89d7 |
| SHA1 | a930cadc76bd3593eb978f8053b325e5147a5e9d |
| SHA256 | 1a7068090c17f02c0a6eef8d45634b7485b254e6e8262082bb7399223365461f |
| SHA512 | e2a62e7f512f41081b5e7b390cc8af8775eb5f8c27a072029392ec889226894c307068df665da9a89967942a46369ca244abfa060d20ffc34e23b6ee12f11db1 |
C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}\_ISMSIDEL.INI
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}\_ISMSIDEL.INI
| MD5 | c10f0c1c213324eb2d479d8617a58197 |
| SHA1 | 5d830ffc7950e47de2a7f9efafca8425c37a382c |
| SHA256 | 06d38311dc59cf5a078491d01fe65e579b3c5d72764bf93e35ae24cd74a805be |
| SHA512 | 6b73dd20de1f288999bf2590f8cf095f5804ae2648ab85d136a919ffe0e0430180c91a46b2ad6192104ee8802d982f70bc0fcca87cd8189a5be3e04312d1a702 |
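Each entry in the Files listing is a path followed by its MD5, SHA1, SHA256 and SHA512 rows, and the same path can appear more than once when the sandbox captured it in different states: `_ISMSIDEL.INI` is listed three times, and the digests of its second snapshot are those of zero-byte input. The script below is an added example, not code from the report: it parses that layout, flags zero-byte snapshots, groups repeated paths, finds dropped files whose SHA256 equals a digest the caller supplies (for instance the hash of the submitted file, to see whether the setup.exe dropped into the staging folder is a copy of it), and recomputes the digests of a file on disk against a listed entry. `FILES_LISTING` is a constructed subset of the entries above; the function names are this example's own.

```python
"""Checks over the Files listing above: an added example, not part of the
report. Parses path + hash-row entries, flags zero-byte snapshots, groups
repeated paths, matches a supplied SHA256, and re-verifies a local file.
FILES_LISTING is a constructed subset of the entries above."""
import hashlib
from collections import defaultdict

ALGS = ("md5", "sha1", "sha256", "sha512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Digests of zero-byte input: a listed entry carrying these was empty when captured.
EMPTY = {alg: hashlib.new(alg, b"").hexdigest() for alg in ALGS}

FILES_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}\setup.exe
| MD5 | 2e42e896ace4c2601e8b8586aa0b27cb |
| SHA1 | bb97f6b3f3663fc6b0ef65b8fec9cbbf9272d7dc |
| SHA256 | cdc0ead68ddaf9fd6020b06bf11574ab2b59e833c6375c19c92fe5d110cef9ad |
| SHA512 | be4f7c4d0900974c9f6410eab7da46ab8b82620832b6b29d25ed8564dcd872e643dcaec1331adaebdd011a948ad3b8b0e82daa6b928b3119a5e5c8484cbc16df |
C:\Users\Admin\AppData\Local\Temp\{A3AE3CF6-E93D-4F28-8658-FDDC184DEF47}\ISBEW64.exe
| MD5 | 40f3a092744e46f3531a40b917cca81e |
| SHA1 | c73f62a44cb3a75933cecf1be73a48d0d623039b |
| SHA256 | 561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f |
| SHA512 | 1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2 |
C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}\_ISMSIDEL.INI
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\{C3F45F95-EA7A-407E-87A5-CD5C43D94DD4}\_ISMSIDEL.INI
| MD5 | c10f0c1c213324eb2d479d8617a58197 |
| SHA1 | 5d830ffc7950e47de2a7f9efafca8425c37a382c |
| SHA256 | 06d38311dc59cf5a078491d01fe65e579b3c5d72764bf93e35ae24cd74a805be |
| SHA512 | 6b73dd20de1f288999bf2590f8cf095f5804ae2648ab85d136a919ffe0e0430180c91a46b2ad6192104ee8802d982f70bc0fcca87cd8189a5be3e04312d1a702 |
"""


def parse_files(text):
    """One dict per listed entry: {'path': ..., 'md5': ..., 'sha1': ..., ...}."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith("|"):
            current = {"path": line}
            entries.append(current)
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if current is None or len(cells) != 2:
            raise ValueError(f"unexpected hash row: {line}")
        alg, digest = cells[0].lower(), cells[1].lower()
        if alg not in HEX_LEN:
            raise ValueError(f"unknown algorithm {alg!r} for {current['path']}")
        if len(digest) != HEX_LEN[alg] or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"malformed {alg} digest for {current['path']}")
        current[alg] = digest
    return entries


def is_empty(entry):
    """True when the listed SHA256 is that of zero-byte input."""
    return entry.get("sha256") == EMPTY["sha256"]


def snapshots(entries):
    """Paths the sandbox recorded more than once, with every recorded state."""
    by_path = defaultdict(list)
    for e in entries:
        by_path[e["path"]].append(e)
    return {p: es for p, es in by_path.items() if len(es) > 1}


def matching_sha256(entries, sha256):
    """Dropped files whose SHA256 equals the supplied digest (case-insensitive)."""
    return [e["path"] for e in entries if e.get("sha256") == sha256.lower()]


def mismatches(data, entry):
    """Algorithms whose digest of `data` disagrees with the listed entry."""
    return [alg for alg in ALGS
            if alg in entry and hashlib.new(alg, data).hexdigest() != entry[alg]]


def verify_local(path, entry):
    """Recompute a file on disk against its listed entry; [] means it matches."""
    with open(path, "rb") as fh:
        return mismatches(fh.read(), entry)


if __name__ == "__main__":
    found = parse_files(FILES_LISTING)
    print("empty snapshots:", [e["path"] for e in found if is_empty(e)])
    print("repeated paths:", {p: len(es) for p, es in snapshots(found).items()})
```

`verify_local` reads the whole file into memory, which is fine for installer-sized artefacts; for a multi-gigabyte image, feed `hashlib` in chunks instead. Supplying `matching_sha256` with the digest of the file you submitted tells you directly whether the staged `setup.exe` is a byte-identical copy of it.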