Malware Analysis Report

2024-09-22 16:39

Sample ID 230827-2j646afe7y
Target aspose.msi
SHA256 5096934b3f97efee0dfc0f5d2b10ee1c78be523238a6f2685b58d36b8ff80cdd
Tags
babadeda lumma crypter loader stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5096934b3f97efee0dfc0f5d2b10ee1c78be523238a6f2685b58d36b8ff80cdd

Threat Level: Known bad

The file aspose.msi was found to be: Known bad.

Malicious Activity Summary

babadeda lumma crypter loader stealer

Babadeda Crypter

Lumma Stealer

Babadeda

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-08-27 22:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-27 22:37

Reported

2023-08-27 22:40

Platform

win7-20230712-en

Max time kernel

119s

Max time network

122s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\aspose.msi

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\f76787a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI79C6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7CD4.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76787d.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76787a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7C08.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7CF4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8493.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76787d.ipi C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\aspose.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C78E12C089CF745CC1B2A463A85F0338

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe

"C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic-node.io udp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab7457.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar74B8.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar76B1.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 500418963b8adcec3cdbfea6761a8e92
SHA1 12d3a9def1d0e92066d5884daca3a6ae0cb58ff8
SHA256 e4f355d47d29b9ab78004bcafb5b61533e272710cc49d318982360a1471436b7
SHA512 1baf14f4794163cdde5658e59a8a35214a1eabbe38ad5bff680e2ce1a2cdc18fafbb5e2fb366a5087e90ded201ba828a0e891ee5fb7da4eec9361a7b130ee0c8

C:\Windows\Installer\MSI79C6.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

\Windows\Installer\MSI79C6.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI7C08.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

\Windows\Installer\MSI7C08.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI7CD4.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI7CD4.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

\Windows\Installer\MSI7CD4.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI7CF4.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

\Windows\Installer\MSI7CF4.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe

MD5 700f45b97576c03feb6e7f82f34f92a5
SHA1 c6d4639261874019aab3d1edecebf827652b4dd4
SHA256 8d8ed55802b825f7ec8b19008f00fa2514ede5010350975295cbdc4700ffaace
SHA512 c54d342d968b9c28748b6226fbf35f4a417baa57568a11ce37dfc5996f6f18492b9ce9c558e24b82a4d17257fd6fae7d00b2d270703cbb9961ffe10ae27cfe8f

\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.dll

MD5 868a85db64eb92a821e6928a9e161270
SHA1 b853cff977b4e5c80463e7c94287332b28e47537
SHA256 67be9154c7c4f83d1009b434a8dadb7b64083db602e0dd4fb6f4c0b64eabcd64
SHA512 9013976f07ca492fabb69ae276d80d07198f52eccc34a1f7f50e3c6167721f95b2730bdd151133bc626ff1b3de5391a9c9994163153edc8af247b041d77cb95c

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\gif-v2.dll

MD5 dd3d067c139254d741a8b4f3a8af216e
SHA1 dddbb19996620ddfd9e9625f4c502356efed2c25
SHA256 e19006a51b60dcc3e212948ff5531bb7a4c69f832f256de13b84aa646baf8c57
SHA512 04ef2d19a5c5c49817ee9214d7eeae513795a440209923009caa6283cc467762837fc2da5ac20c517a7326fde2fffca444b011e5bee089ecf6bb1177b705734c

\Users\Admin\AppData\Local\Aspose.Words for .NET\gif-v2.dll

MD5 dd3d067c139254d741a8b4f3a8af216e
SHA1 dddbb19996620ddfd9e9625f4c502356efed2c25
SHA256 e19006a51b60dcc3e212948ff5531bb7a4c69f832f256de13b84aa646baf8c57
SHA512 04ef2d19a5c5c49817ee9214d7eeae513795a440209923009caa6283cc467762837fc2da5ac20c517a7326fde2fffca444b011e5bee089ecf6bb1177b705734c

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.dll

MD5 868a85db64eb92a821e6928a9e161270
SHA1 b853cff977b4e5c80463e7c94287332b28e47537
SHA256 67be9154c7c4f83d1009b434a8dadb7b64083db602e0dd4fb6f4c0b64eabcd64
SHA512 9013976f07ca492fabb69ae276d80d07198f52eccc34a1f7f50e3c6167721f95b2730bdd151133bc626ff1b3de5391a9c9994163153edc8af247b041d77cb95c

C:\Config.Msi\f76787e.rbs

MD5 4ebec19839640d6b67047a00afdb7291
SHA1 9cd8081c8cd212220770a86f00f6f85210b7d82e
SHA256 a58edb7aff177e24949e3fa79b233c14bacb87cb7e8b490503ee19572a6271f2
SHA512 ece843ece697ad1aa9b47b7e664b9b0adc194c2b63961b682152b2d32dfa74d1fb22b24f91a218c2c26edbc90aad9d0510eaa60ed280fa7acd113674a31c930f

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\aspose.dll

MD5 0f849bc43ffe1bb5f29aac19f11f6740
SHA1 2bb74d7772c4b7cae2571e5751914e267b482002
SHA256 65eb8d11d173cc5c330a2a87f602e2140c1a73b7cda6eb8c46b88ed2ff093860
SHA512 08f168fd42ec9bd83cb6a1f8b580ef50a8aa97db5abd70c1323c090931e29963b1eca350ca9fdebdc5d56b824bc8c11f9b2a1a44f466ea44f5bdb05bf8526675

\Users\Admin\AppData\Local\Aspose.Words for .NET\aspose.dll

MD5 0f849bc43ffe1bb5f29aac19f11f6740
SHA1 2bb74d7772c4b7cae2571e5751914e267b482002
SHA256 65eb8d11d173cc5c330a2a87f602e2140c1a73b7cda6eb8c46b88ed2ff093860
SHA512 08f168fd42ec9bd83cb6a1f8b580ef50a8aa97db5abd70c1323c090931e29963b1eca350ca9fdebdc5d56b824bc8c11f9b2a1a44f466ea44f5bdb05bf8526675

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\et\frame.wav

MD5 88d23c6d9df3fd0481f0fc5f6f371ad1
SHA1 4fb6f9aca5c18687d95202d17ece1fbec90f4bad
SHA256 16da76874a974a58ccd9f8473cce66155237c032567d829d79bb08246b9a71a1
SHA512 9eb29d5d64b82be54228149f652fbe4696bb619628f1188a2284c1a5fa3bde41e1b0405162675a275aab9c8d4d0d78c3784204cc11fca3049a3a416723a264b0

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\Unrar.dll

MD5 8acc93a5e7f034341465e19ca8153ec9
SHA1 f4192443c09167756dfe7c887626feeac1407265
SHA256 4df7928a91a8fbfd2068f858347eccbf2423d2c61be8ef61e3ae4c3034fb7bb7
SHA512 e6229abe8c360a58ad5342b1eeb815d57c7645525233bd6a79384dda254e7d3849dd6a345acbdd759bccfbffa41a3de31fafdb682b989e90ad1003035f2f3637

\Users\Admin\AppData\Local\Aspose.Words for .NET\Unrar.dll

MD5 8acc93a5e7f034341465e19ca8153ec9
SHA1 f4192443c09167756dfe7c887626feeac1407265
SHA256 4df7928a91a8fbfd2068f858347eccbf2423d2c61be8ef61e3ae4c3034fb7bb7
SHA512 e6229abe8c360a58ad5342b1eeb815d57c7645525233bd6a79384dda254e7d3849dd6a345acbdd759bccfbffa41a3de31fafdb682b989e90ad1003035f2f3637

memory/1632-119-0x0000000074710000-0x0000000074772000-memory.dmp

memory/1632-121-0x0000000003630000-0x0000000003693000-memory.dmp

memory/1632-120-0x00000000003C0000-0x00000000003E0000-memory.dmp

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe

MD5 700f45b97576c03feb6e7f82f34f92a5
SHA1 c6d4639261874019aab3d1edecebf827652b4dd4
SHA256 8d8ed55802b825f7ec8b19008f00fa2514ede5010350975295cbdc4700ffaace
SHA512 c54d342d968b9c28748b6226fbf35f4a417baa57568a11ce37dfc5996f6f18492b9ce9c558e24b82a4d17257fd6fae7d00b2d270703cbb9961ffe10ae27cfe8f

memory/1632-127-0x0000000074710000-0x0000000074772000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-27 22:37

Reported

2023-08-27 22:40

Platform

win10v2004-20230703-en

Max time kernel

142s

Max time network

152s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\aspose.msi

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e578378.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8771.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{686E95B7-50DC-4D8C-BF00-EF51C2634B42} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e578378.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8472.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI885C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI88AB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8A23.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8A34.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8BDB.tmp C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\aspose.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D7E7ECE44A1A35CEB379E6677D7314BE

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe

"C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1484 -ip 1484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1484 -ip 1484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1556

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 gstatic-node.io udp
US 172.67.204.199:80 gstatic-node.io tcp
US 172.67.204.199:80 gstatic-node.io tcp
US 8.8.8.8:53 199.204.67.172.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

C:\Windows\Installer\MSI8472.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI8472.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI8771.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI8771.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI885C.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI885C.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI885C.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI88AB.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI88AB.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI8A23.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI8A23.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI8A34.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Windows\Installer\MSI8A34.tmp

MD5 a9941233b9415b479d3b4f3732161eab
SHA1 cb2d99af52b3b1c712943b13e45d85c80c732e57
SHA256 ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2
SHA512 cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe

MD5 700f45b97576c03feb6e7f82f34f92a5
SHA1 c6d4639261874019aab3d1edecebf827652b4dd4
SHA256 8d8ed55802b825f7ec8b19008f00fa2514ede5010350975295cbdc4700ffaace
SHA512 c54d342d968b9c28748b6226fbf35f4a417baa57568a11ce37dfc5996f6f18492b9ce9c558e24b82a4d17257fd6fae7d00b2d270703cbb9961ffe10ae27cfe8f

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe

MD5 700f45b97576c03feb6e7f82f34f92a5
SHA1 c6d4639261874019aab3d1edecebf827652b4dd4
SHA256 8d8ed55802b825f7ec8b19008f00fa2514ede5010350975295cbdc4700ffaace
SHA512 c54d342d968b9c28748b6226fbf35f4a417baa57568a11ce37dfc5996f6f18492b9ce9c558e24b82a4d17257fd6fae7d00b2d270703cbb9961ffe10ae27cfe8f

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.dll

MD5 868a85db64eb92a821e6928a9e161270
SHA1 b853cff977b4e5c80463e7c94287332b28e47537
SHA256 67be9154c7c4f83d1009b434a8dadb7b64083db602e0dd4fb6f4c0b64eabcd64
SHA512 9013976f07ca492fabb69ae276d80d07198f52eccc34a1f7f50e3c6167721f95b2730bdd151133bc626ff1b3de5391a9c9994163153edc8af247b041d77cb95c

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\gif-v2.dll

MD5 dd3d067c139254d741a8b4f3a8af216e
SHA1 dddbb19996620ddfd9e9625f4c502356efed2c25
SHA256 e19006a51b60dcc3e212948ff5531bb7a4c69f832f256de13b84aa646baf8c57
SHA512 04ef2d19a5c5c49817ee9214d7eeae513795a440209923009caa6283cc467762837fc2da5ac20c517a7326fde2fffca444b011e5bee089ecf6bb1177b705734c

C:\Config.Msi\e57837b.rbs

MD5 138a5dab36ab3c48df87c8d70765ffe2
SHA1 4fc02888041a8ef711b4bfd46d81e93beeb3181a
SHA256 af0213efe23e22dfe32d754e7ffc1d302d61f82b97a436b4cfd78216967a2e58
SHA512 2f1923e3fc22e9c88876af2052456b4664a0c134c1ef7bf1512fb027d7a5e71d9f55a41d34986b05f3297b7a87668041098ddf7a014db71b1b5ca01d71d1a25a

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\gif-v2.dll

MD5 dd3d067c139254d741a8b4f3a8af216e
SHA1 dddbb19996620ddfd9e9625f4c502356efed2c25
SHA256 e19006a51b60dcc3e212948ff5531bb7a4c69f832f256de13b84aa646baf8c57
SHA512 04ef2d19a5c5c49817ee9214d7eeae513795a440209923009caa6283cc467762837fc2da5ac20c517a7326fde2fffca444b011e5bee089ecf6bb1177b705734c

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.dll

MD5 868a85db64eb92a821e6928a9e161270
SHA1 b853cff977b4e5c80463e7c94287332b28e47537
SHA256 67be9154c7c4f83d1009b434a8dadb7b64083db602e0dd4fb6f4c0b64eabcd64
SHA512 9013976f07ca492fabb69ae276d80d07198f52eccc34a1f7f50e3c6167721f95b2730bdd151133bc626ff1b3de5391a9c9994163153edc8af247b041d77cb95c

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\aspose.dll

MD5 0f849bc43ffe1bb5f29aac19f11f6740
SHA1 2bb74d7772c4b7cae2571e5751914e267b482002
SHA256 65eb8d11d173cc5c330a2a87f602e2140c1a73b7cda6eb8c46b88ed2ff093860
SHA512 08f168fd42ec9bd83cb6a1f8b580ef50a8aa97db5abd70c1323c090931e29963b1eca350ca9fdebdc5d56b824bc8c11f9b2a1a44f466ea44f5bdb05bf8526675

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\et\frame.wav

MD5 88d23c6d9df3fd0481f0fc5f6f371ad1
SHA1 4fb6f9aca5c18687d95202d17ece1fbec90f4bad
SHA256 16da76874a974a58ccd9f8473cce66155237c032567d829d79bb08246b9a71a1
SHA512 9eb29d5d64b82be54228149f652fbe4696bb619628f1188a2284c1a5fa3bde41e1b0405162675a275aab9c8d4d0d78c3784204cc11fca3049a3a416723a264b0

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\Unrar.dll

MD5 8acc93a5e7f034341465e19ca8153ec9
SHA1 f4192443c09167756dfe7c887626feeac1407265
SHA256 4df7928a91a8fbfd2068f858347eccbf2423d2c61be8ef61e3ae4c3034fb7bb7
SHA512 e6229abe8c360a58ad5342b1eeb815d57c7645525233bd6a79384dda254e7d3849dd6a345acbdd759bccfbffa41a3de31fafdb682b989e90ad1003035f2f3637

memory/1484-59-0x0000000073880000-0x00000000738E2000-memory.dmp

memory/1484-60-0x0000000002A30000-0x0000000002A50000-memory.dmp

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\Unrar.dll

MD5 8acc93a5e7f034341465e19ca8153ec9
SHA1 f4192443c09167756dfe7c887626feeac1407265
SHA256 4df7928a91a8fbfd2068f858347eccbf2423d2c61be8ef61e3ae4c3034fb7bb7
SHA512 e6229abe8c360a58ad5342b1eeb815d57c7645525233bd6a79384dda254e7d3849dd6a345acbdd759bccfbffa41a3de31fafdb682b989e90ad1003035f2f3637

C:\Users\Admin\AppData\Local\Aspose.Words for .NET\aspose.dll

MD5 0f849bc43ffe1bb5f29aac19f11f6740
SHA1 2bb74d7772c4b7cae2571e5751914e267b482002
SHA256 65eb8d11d173cc5c330a2a87f602e2140c1a73b7cda6eb8c46b88ed2ff093860
SHA512 08f168fd42ec9bd83cb6a1f8b580ef50a8aa97db5abd70c1323c090931e29963b1eca350ca9fdebdc5d56b824bc8c11f9b2a1a44f466ea44f5bdb05bf8526675

memory/1484-61-0x00000000048F0000-0x0000000004953000-memory.dmp

memory/1484-66-0x0000000073880000-0x00000000738E2000-memory.dmp