Analysis Overview
SHA256
5096934b3f97efee0dfc0f5d2b10ee1c78be523238a6f2685b58d36b8ff80cdd
Threat Level: Known bad
The file aspose.msi was found to be: Known bad.
Malicious Activity Summary
Babadeda Crypter
Lumma Stealer
Babadeda
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Drops file in Windows directory
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-08-27 22:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-27 22:37
Reported
2023-08-27 22:40
Platform
win7-20230712-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\f76787a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI79C6.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7CD4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76787d.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76787a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7C08.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7CF4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8493.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f76787d.ipi | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\aspose.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C78E12C089CF745CC1B2A463A85F0338
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe
"C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic-node.io | udp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
| US | 188.114.96.0:80 | gstatic-node.io | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab7457.tmp
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
C:\Users\Admin\AppData\Local\Temp\Tar74B8.tmp
| MD5 | 4ff65ad929cd9a367680e0e5b1c08166 |
| SHA1 | c0af0d4396bd1f15c45f39d3b849ba444233b3a2 |
| SHA256 | c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6 |
| SHA512 | f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar76B1.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 500418963b8adcec3cdbfea6761a8e92 |
| SHA1 | 12d3a9def1d0e92066d5884daca3a6ae0cb58ff8 |
| SHA256 | e4f355d47d29b9ab78004bcafb5b61533e272710cc49d318982360a1471436b7 |
| SHA512 | 1baf14f4794163cdde5658e59a8a35214a1eabbe38ad5bff680e2ce1a2cdc18fafbb5e2fb366a5087e90ded201ba828a0e891ee5fb7da4eec9361a7b130ee0c8 |
C:\Windows\Installer\MSI79C6.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
\Windows\Installer\MSI79C6.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI7C08.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
\Windows\Installer\MSI7C08.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI7CD4.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI7CD4.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
\Windows\Installer\MSI7CD4.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI7CF4.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
\Windows\Installer\MSI7CF4.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe
| MD5 | 700f45b97576c03feb6e7f82f34f92a5 |
| SHA1 | c6d4639261874019aab3d1edecebf827652b4dd4 |
| SHA256 | 8d8ed55802b825f7ec8b19008f00fa2514ede5010350975295cbdc4700ffaace |
| SHA512 | c54d342d968b9c28748b6226fbf35f4a417baa57568a11ce37dfc5996f6f18492b9ce9c558e24b82a4d17257fd6fae7d00b2d270703cbb9961ffe10ae27cfe8f |
\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.dll
| MD5 | 868a85db64eb92a821e6928a9e161270 |
| SHA1 | b853cff977b4e5c80463e7c94287332b28e47537 |
| SHA256 | 67be9154c7c4f83d1009b434a8dadb7b64083db602e0dd4fb6f4c0b64eabcd64 |
| SHA512 | 9013976f07ca492fabb69ae276d80d07198f52eccc34a1f7f50e3c6167721f95b2730bdd151133bc626ff1b3de5391a9c9994163153edc8af247b041d77cb95c |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\gif-v2.dll
| MD5 | dd3d067c139254d741a8b4f3a8af216e |
| SHA1 | dddbb19996620ddfd9e9625f4c502356efed2c25 |
| SHA256 | e19006a51b60dcc3e212948ff5531bb7a4c69f832f256de13b84aa646baf8c57 |
| SHA512 | 04ef2d19a5c5c49817ee9214d7eeae513795a440209923009caa6283cc467762837fc2da5ac20c517a7326fde2fffca444b011e5bee089ecf6bb1177b705734c |
\Users\Admin\AppData\Local\Aspose.Words for .NET\gif-v2.dll
| MD5 | dd3d067c139254d741a8b4f3a8af216e |
| SHA1 | dddbb19996620ddfd9e9625f4c502356efed2c25 |
| SHA256 | e19006a51b60dcc3e212948ff5531bb7a4c69f832f256de13b84aa646baf8c57 |
| SHA512 | 04ef2d19a5c5c49817ee9214d7eeae513795a440209923009caa6283cc467762837fc2da5ac20c517a7326fde2fffca444b011e5bee089ecf6bb1177b705734c |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.dll
| MD5 | 868a85db64eb92a821e6928a9e161270 |
| SHA1 | b853cff977b4e5c80463e7c94287332b28e47537 |
| SHA256 | 67be9154c7c4f83d1009b434a8dadb7b64083db602e0dd4fb6f4c0b64eabcd64 |
| SHA512 | 9013976f07ca492fabb69ae276d80d07198f52eccc34a1f7f50e3c6167721f95b2730bdd151133bc626ff1b3de5391a9c9994163153edc8af247b041d77cb95c |
C:\Config.Msi\f76787e.rbs
| MD5 | 4ebec19839640d6b67047a00afdb7291 |
| SHA1 | 9cd8081c8cd212220770a86f00f6f85210b7d82e |
| SHA256 | a58edb7aff177e24949e3fa79b233c14bacb87cb7e8b490503ee19572a6271f2 |
| SHA512 | ece843ece697ad1aa9b47b7e664b9b0adc194c2b63961b682152b2d32dfa74d1fb22b24f91a218c2c26edbc90aad9d0510eaa60ed280fa7acd113674a31c930f |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\aspose.dll
| MD5 | 0f849bc43ffe1bb5f29aac19f11f6740 |
| SHA1 | 2bb74d7772c4b7cae2571e5751914e267b482002 |
| SHA256 | 65eb8d11d173cc5c330a2a87f602e2140c1a73b7cda6eb8c46b88ed2ff093860 |
| SHA512 | 08f168fd42ec9bd83cb6a1f8b580ef50a8aa97db5abd70c1323c090931e29963b1eca350ca9fdebdc5d56b824bc8c11f9b2a1a44f466ea44f5bdb05bf8526675 |
\Users\Admin\AppData\Local\Aspose.Words for .NET\aspose.dll
| MD5 | 0f849bc43ffe1bb5f29aac19f11f6740 |
| SHA1 | 2bb74d7772c4b7cae2571e5751914e267b482002 |
| SHA256 | 65eb8d11d173cc5c330a2a87f602e2140c1a73b7cda6eb8c46b88ed2ff093860 |
| SHA512 | 08f168fd42ec9bd83cb6a1f8b580ef50a8aa97db5abd70c1323c090931e29963b1eca350ca9fdebdc5d56b824bc8c11f9b2a1a44f466ea44f5bdb05bf8526675 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\et\frame.wav
| MD5 | 88d23c6d9df3fd0481f0fc5f6f371ad1 |
| SHA1 | 4fb6f9aca5c18687d95202d17ece1fbec90f4bad |
| SHA256 | 16da76874a974a58ccd9f8473cce66155237c032567d829d79bb08246b9a71a1 |
| SHA512 | 9eb29d5d64b82be54228149f652fbe4696bb619628f1188a2284c1a5fa3bde41e1b0405162675a275aab9c8d4d0d78c3784204cc11fca3049a3a416723a264b0 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\Unrar.dll
| MD5 | 8acc93a5e7f034341465e19ca8153ec9 |
| SHA1 | f4192443c09167756dfe7c887626feeac1407265 |
| SHA256 | 4df7928a91a8fbfd2068f858347eccbf2423d2c61be8ef61e3ae4c3034fb7bb7 |
| SHA512 | e6229abe8c360a58ad5342b1eeb815d57c7645525233bd6a79384dda254e7d3849dd6a345acbdd759bccfbffa41a3de31fafdb682b989e90ad1003035f2f3637 |
\Users\Admin\AppData\Local\Aspose.Words for .NET\Unrar.dll
| MD5 | 8acc93a5e7f034341465e19ca8153ec9 |
| SHA1 | f4192443c09167756dfe7c887626feeac1407265 |
| SHA256 | 4df7928a91a8fbfd2068f858347eccbf2423d2c61be8ef61e3ae4c3034fb7bb7 |
| SHA512 | e6229abe8c360a58ad5342b1eeb815d57c7645525233bd6a79384dda254e7d3849dd6a345acbdd759bccfbffa41a3de31fafdb682b989e90ad1003035f2f3637 |
memory/1632-119-0x0000000074710000-0x0000000074772000-memory.dmp
memory/1632-121-0x0000000003630000-0x0000000003693000-memory.dmp
memory/1632-120-0x00000000003C0000-0x00000000003E0000-memory.dmp
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe
| MD5 | 700f45b97576c03feb6e7f82f34f92a5 |
| SHA1 | c6d4639261874019aab3d1edecebf827652b4dd4 |
| SHA256 | 8d8ed55802b825f7ec8b19008f00fa2514ede5010350975295cbdc4700ffaace |
| SHA512 | c54d342d968b9c28748b6226fbf35f4a417baa57568a11ce37dfc5996f6f18492b9ce9c558e24b82a4d17257fd6fae7d00b2d270703cbb9961ffe10ae27cfe8f |
memory/1632-127-0x0000000074710000-0x0000000074772000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-27 22:37
Reported
2023-08-27 22:40
Platform
win10v2004-20230703-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\e578378.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8771.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{686E95B7-50DC-4D8C-BF00-EF51C2634B42} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e578378.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8472.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI885C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI88AB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8A23.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8A34.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8BDB.tmp | C:\Windows\system32\msiexec.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3000 wrote to memory of 5028 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 3000 wrote to memory of 5028 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 3000 wrote to memory of 5028 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 3000 wrote to memory of 1484 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
| PID 3000 wrote to memory of 1484 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
| PID 3000 wrote to memory of 1484 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\aspose.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D7E7ECE44A1A35CEB379E6677D7314BE
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe
"C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1484 -ip 1484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1484 -ip 1484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1556
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic-node.io | udp |
| US | 172.67.204.199:80 | gstatic-node.io | tcp |
| US | 172.67.204.199:80 | gstatic-node.io | tcp |
| US | 8.8.8.8:53 | 199.204.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
C:\Windows\Installer\MSI8472.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI8472.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI8771.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI8771.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI885C.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI885C.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI885C.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI88AB.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI88AB.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI8A23.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI8A23.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI8A34.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI8A34.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe
| MD5 | 700f45b97576c03feb6e7f82f34f92a5 |
| SHA1 | c6d4639261874019aab3d1edecebf827652b4dd4 |
| SHA256 | 8d8ed55802b825f7ec8b19008f00fa2514ede5010350975295cbdc4700ffaace |
| SHA512 | c54d342d968b9c28748b6226fbf35f4a417baa57568a11ce37dfc5996f6f18492b9ce9c558e24b82a4d17257fd6fae7d00b2d270703cbb9961ffe10ae27cfe8f |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe
| MD5 | 700f45b97576c03feb6e7f82f34f92a5 |
| SHA1 | c6d4639261874019aab3d1edecebf827652b4dd4 |
| SHA256 | 8d8ed55802b825f7ec8b19008f00fa2514ede5010350975295cbdc4700ffaace |
| SHA512 | c54d342d968b9c28748b6226fbf35f4a417baa57568a11ce37dfc5996f6f18492b9ce9c558e24b82a4d17257fd6fae7d00b2d270703cbb9961ffe10ae27cfe8f |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.dll
| MD5 | 868a85db64eb92a821e6928a9e161270 |
| SHA1 | b853cff977b4e5c80463e7c94287332b28e47537 |
| SHA256 | 67be9154c7c4f83d1009b434a8dadb7b64083db602e0dd4fb6f4c0b64eabcd64 |
| SHA512 | 9013976f07ca492fabb69ae276d80d07198f52eccc34a1f7f50e3c6167721f95b2730bdd151133bc626ff1b3de5391a9c9994163153edc8af247b041d77cb95c |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\gif-v2.dll
| MD5 | dd3d067c139254d741a8b4f3a8af216e |
| SHA1 | dddbb19996620ddfd9e9625f4c502356efed2c25 |
| SHA256 | e19006a51b60dcc3e212948ff5531bb7a4c69f832f256de13b84aa646baf8c57 |
| SHA512 | 04ef2d19a5c5c49817ee9214d7eeae513795a440209923009caa6283cc467762837fc2da5ac20c517a7326fde2fffca444b011e5bee089ecf6bb1177b705734c |
C:\Config.Msi\e57837b.rbs
| MD5 | 138a5dab36ab3c48df87c8d70765ffe2 |
| SHA1 | 4fc02888041a8ef711b4bfd46d81e93beeb3181a |
| SHA256 | af0213efe23e22dfe32d754e7ffc1d302d61f82b97a436b4cfd78216967a2e58 |
| SHA512 | 2f1923e3fc22e9c88876af2052456b4664a0c134c1ef7bf1512fb027d7a5e71d9f55a41d34986b05f3297b7a87668041098ddf7a014db71b1b5ca01d71d1a25a |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\gif-v2.dll
| MD5 | dd3d067c139254d741a8b4f3a8af216e |
| SHA1 | dddbb19996620ddfd9e9625f4c502356efed2c25 |
| SHA256 | e19006a51b60dcc3e212948ff5531bb7a4c69f832f256de13b84aa646baf8c57 |
| SHA512 | 04ef2d19a5c5c49817ee9214d7eeae513795a440209923009caa6283cc467762837fc2da5ac20c517a7326fde2fffca444b011e5bee089ecf6bb1177b705734c |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.dll
| MD5 | 868a85db64eb92a821e6928a9e161270 |
| SHA1 | b853cff977b4e5c80463e7c94287332b28e47537 |
| SHA256 | 67be9154c7c4f83d1009b434a8dadb7b64083db602e0dd4fb6f4c0b64eabcd64 |
| SHA512 | 9013976f07ca492fabb69ae276d80d07198f52eccc34a1f7f50e3c6167721f95b2730bdd151133bc626ff1b3de5391a9c9994163153edc8af247b041d77cb95c |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\aspose.dll
| MD5 | 0f849bc43ffe1bb5f29aac19f11f6740 |
| SHA1 | 2bb74d7772c4b7cae2571e5751914e267b482002 |
| SHA256 | 65eb8d11d173cc5c330a2a87f602e2140c1a73b7cda6eb8c46b88ed2ff093860 |
| SHA512 | 08f168fd42ec9bd83cb6a1f8b580ef50a8aa97db5abd70c1323c090931e29963b1eca350ca9fdebdc5d56b824bc8c11f9b2a1a44f466ea44f5bdb05bf8526675 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\et\frame.wav
| MD5 | 88d23c6d9df3fd0481f0fc5f6f371ad1 |
| SHA1 | 4fb6f9aca5c18687d95202d17ece1fbec90f4bad |
| SHA256 | 16da76874a974a58ccd9f8473cce66155237c032567d829d79bb08246b9a71a1 |
| SHA512 | 9eb29d5d64b82be54228149f652fbe4696bb619628f1188a2284c1a5fa3bde41e1b0405162675a275aab9c8d4d0d78c3784204cc11fca3049a3a416723a264b0 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\Unrar.dll
| MD5 | 8acc93a5e7f034341465e19ca8153ec9 |
| SHA1 | f4192443c09167756dfe7c887626feeac1407265 |
| SHA256 | 4df7928a91a8fbfd2068f858347eccbf2423d2c61be8ef61e3ae4c3034fb7bb7 |
| SHA512 | e6229abe8c360a58ad5342b1eeb815d57c7645525233bd6a79384dda254e7d3849dd6a345acbdd759bccfbffa41a3de31fafdb682b989e90ad1003035f2f3637 |
memory/1484-59-0x0000000073880000-0x00000000738E2000-memory.dmp
memory/1484-60-0x0000000002A30000-0x0000000002A50000-memory.dmp
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\Unrar.dll
| MD5 | 8acc93a5e7f034341465e19ca8153ec9 |
| SHA1 | f4192443c09167756dfe7c887626feeac1407265 |
| SHA256 | 4df7928a91a8fbfd2068f858347eccbf2423d2c61be8ef61e3ae4c3034fb7bb7 |
| SHA512 | e6229abe8c360a58ad5342b1eeb815d57c7645525233bd6a79384dda254e7d3849dd6a345acbdd759bccfbffa41a3de31fafdb682b989e90ad1003035f2f3637 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\aspose.dll
| MD5 | 0f849bc43ffe1bb5f29aac19f11f6740 |
| SHA1 | 2bb74d7772c4b7cae2571e5751914e267b482002 |
| SHA256 | 65eb8d11d173cc5c330a2a87f602e2140c1a73b7cda6eb8c46b88ed2ff093860 |
| SHA512 | 08f168fd42ec9bd83cb6a1f8b580ef50a8aa97db5abd70c1323c090931e29963b1eca350ca9fdebdc5d56b824bc8c11f9b2a1a44f466ea44f5bdb05bf8526675 |
memory/1484-61-0x00000000048F0000-0x0000000004953000-memory.dmp
memory/1484-66-0x0000000073880000-0x00000000738E2000-memory.dmp