9f0ab558d73abbd9883c32a3eb93240a38b63aa97f5021a63da8602c39fe72ab

Analysis

max time kernel
140s
max time network
141s
platform
windows7_x64
resource
win7-en
submitted
16-09-2021 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Metlife-Disability-Waiver-Of-Premium-Benefit-Rider.msi

Score

8^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

6 1664 msiexec.exe
8 1664 msiexec.exe
10 1664 msiexec.exe
Executes dropped EXE 2 IoCs

Processes:

MSIB4D.tmpMSIB4D.tmp

pid process

1168 MSIB4D.tmp
740 MSIB4D.tmp

flow	pid	process
6	1664	msiexec.exe
8	1664	msiexec.exe
10	1664	msiexec.exe

pid	process
1168	MSIB4D.tmp
740	MSIB4D.tmp

Loads dropped DLL 14 IoCs

Processes:

MsiExec.exeMSIB4D.tmpMSIB4D.tmpMsiExec.exe

pid	process
280	MsiExec.exe
1168	MSIB4D.tmp
740	MSIB4D.tmp
740	MSIB4D.tmp
740	MSIB4D.tmp
740	MSIB4D.tmp
740	MSIB4D.tmp
740	MSIB4D.tmp
740	MSIB4D.tmp
740	MSIB4D.tmp
740	MSIB4D.tmp
740	MSIB4D.tmp
280	MsiExec.exe
1528	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exeMsiExec.exe

pid process

1536 powershell.exe
1528 MsiExec.exe

pid	process
1536	powershell.exe
1528	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1664	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1664	msiexec.exe
Token: SeRestorePrivilege	1056	msiexec.exe
Token: SeTakeOwnershipPrivilege	1056	msiexec.exe
Token: SeSecurityPrivilege	1056	msiexec.exe
Token: SeCreateTokenPrivilege	1664	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1664	msiexec.exe
Token: SeLockMemoryPrivilege	1664	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1664	msiexec.exe
Token: SeMachineAccountPrivilege	1664	msiexec.exe
Token: SeTcbPrivilege	1664	msiexec.exe
Token: SeSecurityPrivilege	1664	msiexec.exe
Token: SeTakeOwnershipPrivilege	1664	msiexec.exe
Token: SeLoadDriverPrivilege	1664	msiexec.exe
Token: SeSystemProfilePrivilege	1664	msiexec.exe
Token: SeSystemtimePrivilege	1664	msiexec.exe
Token: SeProfSingleProcessPrivilege	1664	msiexec.exe
Token: SeIncBasePriorityPrivilege	1664	msiexec.exe
Token: SeCreatePagefilePrivilege	1664	msiexec.exe
Token: SeCreatePermanentPrivilege	1664	msiexec.exe
Token: SeBackupPrivilege	1664	msiexec.exe
Token: SeRestorePrivilege	1664	msiexec.exe
Token: SeShutdownPrivilege	1664	msiexec.exe
Token: SeDebugPrivilege	1664	msiexec.exe
Token: SeAuditPrivilege	1664	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1664	msiexec.exe
Token: SeChangeNotifyPrivilege	1664	msiexec.exe
Token: SeRemoteShutdownPrivilege	1664	msiexec.exe
Token: SeUndockPrivilege	1664	msiexec.exe
Token: SeSyncAgentPrivilege	1664	msiexec.exe
Token: SeEnableDelegationPrivilege	1664	msiexec.exe
Token: SeManageVolumePrivilege	1664	msiexec.exe
Token: SeImpersonatePrivilege	1664	msiexec.exe
Token: SeCreateGlobalPrivilege	1664	msiexec.exe
Token: SeCreateTokenPrivilege	1664	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1664	msiexec.exe
Token: SeLockMemoryPrivilege	1664	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1664	msiexec.exe
Token: SeMachineAccountPrivilege	1664	msiexec.exe
Token: SeTcbPrivilege	1664	msiexec.exe
Token: SeSecurityPrivilege	1664	msiexec.exe
Token: SeTakeOwnershipPrivilege	1664	msiexec.exe
Token: SeLoadDriverPrivilege	1664	msiexec.exe
Token: SeSystemProfilePrivilege	1664	msiexec.exe
Token: SeSystemtimePrivilege	1664	msiexec.exe
Token: SeProfSingleProcessPrivilege	1664	msiexec.exe
Token: SeIncBasePriorityPrivilege	1664	msiexec.exe
Token: SeCreatePagefilePrivilege	1664	msiexec.exe
Token: SeCreatePermanentPrivilege	1664	msiexec.exe
Token: SeBackupPrivilege	1664	msiexec.exe
Token: SeRestorePrivilege	1664	msiexec.exe
Token: SeShutdownPrivilege	1664	msiexec.exe
Token: SeDebugPrivilege	1664	msiexec.exe
Token: SeAuditPrivilege	1664	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1664	msiexec.exe
Token: SeChangeNotifyPrivilege	1664	msiexec.exe
Token: SeRemoteShutdownPrivilege	1664	msiexec.exe
Token: SeUndockPrivilege	1664	msiexec.exe
Token: SeSyncAgentPrivilege	1664	msiexec.exe
Token: SeEnableDelegationPrivilege	1664	msiexec.exe
Token: SeManageVolumePrivilege	1664	msiexec.exe
Token: SeImpersonatePrivilege	1664	msiexec.exe
Token: SeCreateGlobalPrivilege	1664	msiexec.exe
Token: SeCreateTokenPrivilege	1664	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1664 msiexec.exe

pid	process
1664	msiexec.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

msiexec.exemsiexec.exeMsiExec.exeMSIB4D.tmp

description	pid	process	target process
PID 1664 wrote to memory of 1168	1664	msiexec.exe	MSIB4D.tmp
PID 1664 wrote to memory of 1168	1664	msiexec.exe	MSIB4D.tmp
PID 1664 wrote to memory of 1168	1664	msiexec.exe	MSIB4D.tmp
PID 1664 wrote to memory of 1168	1664	msiexec.exe	MSIB4D.tmp
PID 1664 wrote to memory of 1168	1664	msiexec.exe	MSIB4D.tmp
PID 1664 wrote to memory of 1168	1664	msiexec.exe	MSIB4D.tmp
PID 1664 wrote to memory of 1168	1664	msiexec.exe	MSIB4D.tmp
PID 1056 wrote to memory of 280	1056	msiexec.exe	MsiExec.exe
PID 1056 wrote to memory of 280	1056	msiexec.exe	MsiExec.exe
PID 1056 wrote to memory of 280	1056	msiexec.exe	MsiExec.exe
PID 1056 wrote to memory of 280	1056	msiexec.exe	MsiExec.exe
PID 1056 wrote to memory of 280	1056	msiexec.exe	MsiExec.exe
PID 1056 wrote to memory of 280	1056	msiexec.exe	MsiExec.exe
PID 1056 wrote to memory of 280	1056	msiexec.exe	MsiExec.exe
PID 280 wrote to memory of 1536	280	MsiExec.exe	powershell.exe
PID 280 wrote to memory of 1536	280	MsiExec.exe	powershell.exe
PID 280 wrote to memory of 1536	280	MsiExec.exe	powershell.exe
PID 280 wrote to memory of 1536	280	MsiExec.exe	powershell.exe
PID 1168 wrote to memory of 740	1168	MSIB4D.tmp	MSIB4D.tmp
PID 1168 wrote to memory of 740	1168	MSIB4D.tmp	MSIB4D.tmp
PID 1168 wrote to memory of 740	1168	MSIB4D.tmp	MSIB4D.tmp
PID 1168 wrote to memory of 740	1168	MSIB4D.tmp	MSIB4D.tmp
PID 1168 wrote to memory of 740	1168	MSIB4D.tmp	MSIB4D.tmp
PID 1168 wrote to memory of 740	1168	MSIB4D.tmp	MSIB4D.tmp
PID 1168 wrote to memory of 740	1168	MSIB4D.tmp	MSIB4D.tmp
PID 1056 wrote to memory of 1528	1056	msiexec.exe	MsiExec.exe
PID 1056 wrote to memory of 1528	1056	msiexec.exe	MsiExec.exe
PID 1056 wrote to memory of 1528	1056	msiexec.exe	MsiExec.exe
PID 1056 wrote to memory of 1528	1056	msiexec.exe	MsiExec.exe
PID 1056 wrote to memory of 1528	1056	msiexec.exe	MsiExec.exe
PID 1056 wrote to memory of 1528	1056	msiexec.exe	MsiExec.exe
PID 1056 wrote to memory of 1528	1056	msiexec.exe	MsiExec.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Metlife-Disability-Waiver-Of-Premium-Benefit-Rider.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\MSIB4D.tmp
"C:\Users\Admin\AppData\Local\Temp\MSIB4D.tmp"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\Temp\{9330B33E-C4F4-4EB7-BE46-A38BBABB97B4}\.cr\MSIB4D.tmp
"C:\Windows\Temp\{9330B33E-C4F4-4EB7-BE46-A38BBABB97B4}\.cr\MSIB4D.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\MSIB4D.tmp" -burn.filehandle.attached=180 -burn.filehandle.self=188
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 248C6E470E52325EC753F515D0A4DF24 C
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssD9B.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiD88.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrD89.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrD8A.txt" -propSep " :<->: " -testPrefix "_testValue."
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 86221C29895F63FC0F56F1DD5CEDA8C1 C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1528

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI19B0.tmp
MD5
55bd68162716cc435eb221b048567e73

SHA1
3e9ef3823a6ecb7ca7942a332e400ec3adb8c2bb

SHA256
76bb62394bef8acf9021f8e94219430515cb2734805e29684044a0a4a802469c

SHA512
f371443c8577cf55dd4e76c4fb5d90dff4bcc3e839b7c31183d5db0d4586d105237a8d3a34ed68b0bf64c90dfd99fe64ceac57b91a0ac7835d34ad574f4ccc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1A8C.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB4D.tmp
MD5
044a5d8e2f1356de889aedb11fdcc679

SHA1
4e8416eb12d209509d49998ebe714612709eb4d6

SHA256
e4492ccb97078cc32ee4437404ce04f4404884800a81fb34243d0a64936f82d7

SHA512
3cb6beaf46ec6ca3aa5a645b51b1df7a26826d8e65eb8f6cd1be63488f7a372c1e7e266f2950489a3ae8b3c6ca60d72f25504e4942e096c5c2045177557c79b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB4D.tmp
MD5
044a5d8e2f1356de889aedb11fdcc679

SHA1
4e8416eb12d209509d49998ebe714612709eb4d6

SHA256
e4492ccb97078cc32ee4437404ce04f4404884800a81fb34243d0a64936f82d7

SHA512
3cb6beaf46ec6ca3aa5a645b51b1df7a26826d8e65eb8f6cd1be63488f7a372c1e7e266f2950489a3ae8b3c6ca60d72f25504e4942e096c5c2045177557c79b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB5D.tmp
MD5
c26c68e4a79fd2629714b17514411c40

SHA1
00138d8edea0918c4476da303415be399cf704c6

SHA256
55434961c0b4bed88ae6bfe6e0e61a3a3dcc392858f0e53c6c14c272200203ed

SHA512
6fc8028e6e52b6c9e74ac3ea6d19ed750047d46b7e4021d46e581b58367ffc11fb13b696dfa30a15305e94098a7fd12051ee37d32df91ef2ae1e2d9c642b02ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssD9B.ps1
MD5
0c95bc11cfca37f84a19de0529377e13

SHA1
41f409dbbab04ef35c4f6489af6f85fceb9c501a

SHA256
88748aae11029228d84aef0855f4bc084dfd70450db1f7029746d8bc85182f93

SHA512
8a52f3c40440e3129a367609ee4b6e9e98aa62edec48592be03bad1aadcd389e2e58e095f4ea3d6f9cb458aa7101fcb5afdff66658885bfa0634c74c086db568

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrD89.ps1
MD5
6a251db4fad4a2248b0cc2e74461b07c

SHA1
190aab8b9badd7a4fc75a1b925f0e1135af44230

SHA256
e34af1b6edf33b155ca9854d084577c30e1bc9d96eee10014277a0e55a47beef

SHA512
b37ba8374dc9acf92520142e0c71f48c1fc94199ef85749d08d0b9e0367f78719dc1ce3786b05a2068bc79cf76df3283a8e38e1f06f6185516adfd6e43796b13

Download Submit
C:\Windows\Temp\{9330B33E-C4F4-4EB7-BE46-A38BBABB97B4}\.cr\MSIB4D.tmp
MD5
044a5d8e2f1356de889aedb11fdcc679

SHA1
4e8416eb12d209509d49998ebe714612709eb4d6

SHA256
e4492ccb97078cc32ee4437404ce04f4404884800a81fb34243d0a64936f82d7

SHA512
3cb6beaf46ec6ca3aa5a645b51b1df7a26826d8e65eb8f6cd1be63488f7a372c1e7e266f2950489a3ae8b3c6ca60d72f25504e4942e096c5c2045177557c79b9

Download Submit
C:\Windows\Temp\{9330B33E-C4F4-4EB7-BE46-A38BBABB97B4}\.cr\MSIB4D.tmp
MD5
044a5d8e2f1356de889aedb11fdcc679

SHA1
4e8416eb12d209509d49998ebe714612709eb4d6

SHA256
e4492ccb97078cc32ee4437404ce04f4404884800a81fb34243d0a64936f82d7

SHA512
3cb6beaf46ec6ca3aa5a645b51b1df7a26826d8e65eb8f6cd1be63488f7a372c1e7e266f2950489a3ae8b3c6ca60d72f25504e4942e096c5c2045177557c79b9

Download Submit
\Users\Admin\AppData\Local\Temp\MSI19B0.tmp
MD5
55bd68162716cc435eb221b048567e73

SHA1
3e9ef3823a6ecb7ca7942a332e400ec3adb8c2bb

SHA256
76bb62394bef8acf9021f8e94219430515cb2734805e29684044a0a4a802469c

SHA512
f371443c8577cf55dd4e76c4fb5d90dff4bcc3e839b7c31183d5db0d4586d105237a8d3a34ed68b0bf64c90dfd99fe64ceac57b91a0ac7835d34ad574f4ccc87

Download Submit
\Users\Admin\AppData\Local\Temp\MSI1A8C.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB5D.tmp
MD5
c26c68e4a79fd2629714b17514411c40

SHA1
00138d8edea0918c4476da303415be399cf704c6

SHA256
55434961c0b4bed88ae6bfe6e0e61a3a3dcc392858f0e53c6c14c272200203ed

SHA512
6fc8028e6e52b6c9e74ac3ea6d19ed750047d46b7e4021d46e581b58367ffc11fb13b696dfa30a15305e94098a7fd12051ee37d32df91ef2ae1e2d9c642b02ea

Download Submit
\Windows\Temp\{8ABB6156-8115-457A-923E-72CDCFB9C150}\.ba\BootstrapperCore.dll
MD5
c4f7146ddc56763ccdb1cb3c09478708

SHA1
bca088ab33cfb69adeae11a272e9c8a83f39a8c9

SHA256
886cb2a994461f091752fc7b21e3143c212efd8841c757909e74ac32761880da

SHA512
df2ca029e95f80fc5870e541db8b1d5a03266307bb5f7680ad630868a9a3c584b3a702fbec09c26fef7287c99f5d9d1f59cd59b74dcf740c9a8e7508e07d18b5

Download Submit
\Windows\Temp\{8ABB6156-8115-457A-923E-72CDCFB9C150}\.ba\BootstrapperCore.dll
MD5
c4f7146ddc56763ccdb1cb3c09478708

SHA1
bca088ab33cfb69adeae11a272e9c8a83f39a8c9

SHA256
886cb2a994461f091752fc7b21e3143c212efd8841c757909e74ac32761880da

SHA512
df2ca029e95f80fc5870e541db8b1d5a03266307bb5f7680ad630868a9a3c584b3a702fbec09c26fef7287c99f5d9d1f59cd59b74dcf740c9a8e7508e07d18b5

Download Submit
\Windows\Temp\{8ABB6156-8115-457A-923E-72CDCFB9C150}\.ba\GalaSoft.MvvmLight.WPF4.dll
MD5
1e40431b501d55fe8ba59cabb3ce5c17

SHA1
b8aef0f6829345d844960c3eaf96c41f76142f6c

SHA256
92ef1bdf8c8140e34e5ae1eb8d9b7afba9921e5ada6317c6cdd0da2712f7e000

SHA512
2ab5d887e717add46959a7193cbf1dbf73f2792130025e5712ae76058ce5923be8afdf3ed8d11ea6859b13126f88bb9e1099741c799ca90e3f7713955dd9638d

Download Submit
\Windows\Temp\{8ABB6156-8115-457A-923E-72CDCFB9C150}\.ba\GalaSoft.MvvmLight.WPF4.dll
MD5
1e40431b501d55fe8ba59cabb3ce5c17

SHA1
b8aef0f6829345d844960c3eaf96c41f76142f6c

SHA256
92ef1bdf8c8140e34e5ae1eb8d9b7afba9921e5ada6317c6cdd0da2712f7e000

SHA512
2ab5d887e717add46959a7193cbf1dbf73f2792130025e5712ae76058ce5923be8afdf3ed8d11ea6859b13126f88bb9e1099741c799ca90e3f7713955dd9638d

Download Submit
\Windows\Temp\{8ABB6156-8115-457A-923E-72CDCFB9C150}\.ba\NitroBA.dll
MD5
6726d4b46346ef40dd3ea4376ae7d259

SHA1
ffdaa10e1e3d1c7d7411f799a0889ce66014bc29

SHA256
3e96b189fa7a160396742cdc93564dfce3ad3993a3e21118cf9114c8cb45e963

SHA512
cd2a68f1ce4bc161b26466fa8f472803d7a10b339dff6c599e64863236ef59d9a0ed1b2f4168f8557b35d81d92edccdfd9d313096a88415838b6351af1ae249a

Download Submit
\Windows\Temp\{8ABB6156-8115-457A-923E-72CDCFB9C150}\.ba\NitroBA.dll
MD5
6726d4b46346ef40dd3ea4376ae7d259

SHA1
ffdaa10e1e3d1c7d7411f799a0889ce66014bc29

SHA256
3e96b189fa7a160396742cdc93564dfce3ad3993a3e21118cf9114c8cb45e963

SHA512
cd2a68f1ce4bc161b26466fa8f472803d7a10b339dff6c599e64863236ef59d9a0ed1b2f4168f8557b35d81d92edccdfd9d313096a88415838b6351af1ae249a

Download Submit
\Windows\Temp\{8ABB6156-8115-457A-923E-72CDCFB9C150}\.ba\PageTransitions.dll
MD5
ad69d408b05b98180b25d23b0a790f01

SHA1
5fdbdae2979685db500d2b031e2a430ce16e592e

SHA256
14090b63240c63bfe118a24b6f0112095f331ac46819f6f4ab62d8e9bbe4c646

SHA512
12323f7190fd785277965996cffe141a5b2d5b11679961db6aa6744b8157df7f9bd7b5b935d3ca2a7e0be7ca5f0f60fd8885b94ae7cd70aea1572e90a2599eac

Download Submit
\Windows\Temp\{8ABB6156-8115-457A-923E-72CDCFB9C150}\.ba\PageTransitions.dll
MD5
ad69d408b05b98180b25d23b0a790f01

SHA1
5fdbdae2979685db500d2b031e2a430ce16e592e

SHA256
14090b63240c63bfe118a24b6f0112095f331ac46819f6f4ab62d8e9bbe4c646

SHA512
12323f7190fd785277965996cffe141a5b2d5b11679961db6aa6744b8157df7f9bd7b5b935d3ca2a7e0be7ca5f0f60fd8885b94ae7cd70aea1572e90a2599eac

Download Submit
\Windows\Temp\{8ABB6156-8115-457A-923E-72CDCFB9C150}\.ba\mbahost.dll
MD5
d7c697ceb6f40ce91dabfcbe8df08e22

SHA1
49cd0213a1655dcdb493668083ab2d7f55135381

SHA256
b925d9d3e1e2c49bf05a1b0713e2750ee6e0c43c7adc9d3c3a1b9fb8c557c3df

SHA512
22ca87979ca68f10b5fda64c27913d0f2a12c359b04e4a6caa3645303fbd47cd598c805fd9a43c8f3e0934e9d2db85f7a4e1eff26cb33d233efc05ee2613cfc1

Download Submit
\Windows\Temp\{8ABB6156-8115-457A-923E-72CDCFB9C150}\.ba\metrics.dll
MD5
aed8280e90f672f631d2aedebd6452bf

SHA1
390b96ce6b4b1a47c12d8932c5e8da6e51fdd38a

SHA256
a82332e0a9c9cee34f9a46d5e984901fa57a011f54e7b37b9716acf834746ced

SHA512
23a223fc4da00038ff6b584f0a2a4186f49eaf4d8cb28dfdfa795048a4a977aa39848cb83bbfd8f0555412fd04c802b122267266e33a5ddc49d3e0ff1e2eca4f

Download Submit
\Windows\Temp\{9330B33E-C4F4-4EB7-BE46-A38BBABB97B4}\.cr\MSIB4D.tmp
MD5
044a5d8e2f1356de889aedb11fdcc679

SHA1
4e8416eb12d209509d49998ebe714612709eb4d6

SHA256
e4492ccb97078cc32ee4437404ce04f4404884800a81fb34243d0a64936f82d7

SHA512
3cb6beaf46ec6ca3aa5a645b51b1df7a26826d8e65eb8f6cd1be63488f7a372c1e7e266f2950489a3ae8b3c6ca60d72f25504e4942e096c5c2045177557c79b9

Download Submit
memory/280-55-0x0000000000000000-mapping.dmp

Download
memory/740-86-0x0000000002F43000-0x0000000002F44000-memory.dmp

Filesize
4KB

Download
memory/740-96-0x0000000002F44000-0x0000000002F45000-memory.dmp

Filesize
4KB

Download
memory/740-85-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/740-77-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/740-64-0x0000000000000000-mapping.dmp

Download
memory/740-91-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/740-74-0x0000000002F41000-0x0000000002F42000-memory.dmp

Filesize
4KB

Download
memory/740-81-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/740-72-0x0000000002F40000-0x0000000002F41000-memory.dmp

Filesize
4KB

Download
memory/740-97-0x0000000002F49000-0x0000000002F5A000-memory.dmp

Filesize
68KB

Download
memory/1168-54-0x0000000000000000-mapping.dmp

Download
memory/1168-57-0x0000000075231000-0x0000000075233000-memory.dmp

Filesize
8KB

Download
memory/1528-98-0x0000000000000000-mapping.dmp

Download
memory/1536-73-0x0000000002242000-0x0000000002244000-memory.dmp

Filesize
8KB

Download
memory/1536-71-0x0000000002241000-0x0000000002242000-memory.dmp

Filesize
4KB

Download
memory/1536-62-0x0000000000000000-mapping.dmp

Download
memory/1536-70-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1664-52-0x000007FEFB591000-0x000007FEFB593000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads