Analysis Overview
SHA256: 5096934b3f97efee0dfc0f5d2b10ee1c78be523238a6f2685b58d36b8ff80cdd
Threat Level: Known bad
The file aspose.msi was found to be: Known bad.
Malicious Activity Summary
Babadeda
Lumma Stealer
Babadeda Crypter
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Drops file in Windows directory
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported: 2023-09-03 05:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2023-09-03 05:40
Reported: 2023-09-03 05:42
Platform: win10-20230831-en
Max time kernel: 15s
Max time network: 25s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\e57a6fe.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAA5B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAB37.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAC33.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{686E95B7-50DC-4D8C-BF00-EF51C2634B42} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAEF3.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57a6fe.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA7B9.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA9AE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAC13.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1456 wrote to memory of 4076 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 1456 wrote to memory of 4076 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 1456 wrote to memory of 4076 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 1456 wrote to memory of 4328 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
| PID 1456 wrote to memory of 4328 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
| PID 1456 wrote to memory of 4328 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
Processes
| Process | Command line |
| C:\Windows\system32\msiexec.exe | msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\aspose.msi |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 5BFE299D8632B82483D08D613F62A77A |
| C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | "C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1416 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1408 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic-node.io | udp |
| US | 188.114.97.0:80 | gstatic-node.io | tcp |
| US | 188.114.97.0:80 | gstatic-node.io | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2023-09-03 05:40
Reported: 2023-09-03 05:42
Platform: win10v2004-20230831-en
Max time kernel: 34s
Max time network: 62s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSID554.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID768.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID779.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{686E95B7-50DC-4D8C-BF00-EF51C2634B42} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57c0c0.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57c0c0.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC2B4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID35E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4B7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID9CC.tmp | C:\Windows\system32\msiexec.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 984 wrote to memory of 2372 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 984 wrote to memory of 2372 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 984 wrote to memory of 2372 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 984 wrote to memory of 3996 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
| PID 984 wrote to memory of 3996 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
| PID 984 wrote to memory of 3996 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
Processes
| Process | Command line |
| C:\Windows\system32\msiexec.exe | msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\aspose.msi |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 460402244A4794AC8BDA7012BE18F071 |
| C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | "C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3996 -ip 3996 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1464 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3996 -ip 3996 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1536 |
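The WriteProcessMemory rows and the Processes list above together give the execution chain: the Windows Installer service (PID 984, `msiexec.exe /V`) starts the 32-bit custom-action host (PID 2372) and the dropped `ScrollNavigator.exe` (PID 3996) from a user-writable directory, and WerFault is then started four times for PID 3996. The script below is an added example, not the sandbox's code; it rebuilds that tree from the report's own row shapes and flags the pattern. It assumes that every WriteProcessMemory edge in this report goes from the installer service to a process it has just created (process creation writes into the new process), so those edges are used as parent/child links, and that WerFault's `-p <pid>` names the crashed process.

```python
"""Rebuild the installer's process tree from this report's tables and flag
the msiexec -> user-writable EXE -> WerFault chain (added example)."""
import ntpath
import re

# Constructed from the report's "Suspicious use of WriteProcessMemory" table,
# repeated rows included, as (description, process, target).
SVC = r"C:\Windows\system32\msiexec.exe"
CA_HOST = r"C:\Windows\syswow64\MsiExec.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe"
WRITE_EVENTS = [
    ("PID 984 wrote to memory of 2372", SVC, CA_HOST),
    ("PID 984 wrote to memory of 2372", SVC, CA_HOST),
    ("PID 984 wrote to memory of 2372", SVC, CA_HOST),
    ("PID 984 wrote to memory of 3996", SVC, PAYLOAD),
    ("PID 984 wrote to memory of 3996", SVC, PAYLOAD),
    ("PID 984 wrote to memory of 3996", SVC, PAYLOAD),
]

# Constructed from the report's "Processes" list.
COMMAND_LINES = [
    r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\aspose.msi",
    r"C:\Windows\system32\msiexec.exe /V",
    r"C:\Windows\syswow64\MsiExec.exe -Embedding 460402244A4794AC8BDA7012BE18F071",
    '"' + PAYLOAD + '"',
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3996 -ip 3996",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1464",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3996 -ip 3996",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 1536",
]

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
WERFAULT_PID_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)

# Locations a standard user can write to.  A package whose payload lands here
# never crosses the Program Files / UAC boundary a normal installer would.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def parse_write_events(rows):
    """Unique (parent_pid, child_pid, parent_image, child_image) tuples."""
    seen = []
    for desc, parent_image, child_image in rows:
        m = WRITE_RE.search(desc)
        if not m:
            continue
        rec = (int(m.group(1)), int(m.group(2)), parent_image, child_image)
        if rec not in seen:
            seen.append(rec)
    return seen


def crashed_pids(command_lines):
    """PIDs that WerFault was started for (its -p <pid> argument)."""
    pids = set()
    for cmd in command_lines:
        m = WERFAULT_PID_RE.search(cmd)
        if m:
            pids.add(int(m.group(1)))
    return pids


def is_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def build_tree(events):
    """pid -> {"image": str, "children": [pid, ...]}.  Assumption: the write
    edges in this report are the installer service touching processes it just
    created, so they double as parent/child edges."""
    tree = {}
    for ppid, cpid, pimg, cimg in events:
        tree.setdefault(ppid, {"image": pimg, "children": []})
        tree.setdefault(cpid, {"image": cimg, "children": []})
        if cpid not in tree[ppid]["children"]:
            tree[ppid]["children"].append(cpid)
    return tree


def find_installer_payloads(write_rows, command_lines):
    """Executables the installer service launched from a user-writable
    directory, with whether WerFault later handled a crash of that PID."""
    tree = build_tree(parse_write_events(write_rows))
    crashed = crashed_pids(command_lines)
    findings = []
    for ppid, node in tree.items():
        if ntpath.basename(node["image"]).lower() != "msiexec.exe":
            continue
        for cpid in node["children"]:
            child = tree[cpid]["image"]
            if ntpath.basename(child).lower() == "msiexec.exe":
                continue  # the 32-bit custom-action host is expected
            if is_user_writable(child):
                findings.append({"parent_pid": ppid, "pid": cpid,
                                 "image": child, "crashed": cpid in crashed})
    return findings


if __name__ == "__main__":
    for f in find_installer_payloads(WRITE_EVENTS, COMMAND_LINES):
        state = "crashed under WerFault" if f["crashed"] else "kept running"
        print(f"msiexec (PID {f['parent_pid']}) started {f['image']} as PID {f['pid']}; it {state}")
```

The custom-action host (`MsiExec.exe -Embedding`) is skipped on purpose: every MSI with 32-bit custom actions produces it, so the signal is the non-msiexec child under a user profile path, here followed by a crash that the report records as four WerFault launches.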
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic-node.io | udp |
| US | 188.114.97.0:80 | gstatic-node.io | tcp |
| US | 188.114.97.0:80 | gstatic-node.io | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.20.238.8.in-addr.arpa | udp |
Files
C:\Windows\Installer\MSIC2B4.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSID35E.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSID4B7.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSID554.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSID768.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSID779.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe
| MD5 | 700f45b97576c03feb6e7f82f34f92a5 |
| SHA1 | c6d4639261874019aab3d1edecebf827652b4dd4 |
| SHA256 | 8d8ed55802b825f7ec8b19008f00fa2514ede5010350975295cbdc4700ffaace |
| SHA512 | c54d342d968b9c28748b6226fbf35f4a417baa57568a11ce37dfc5996f6f18492b9ce9c558e24b82a4d17257fd6fae7d00b2d270703cbb9961ffe10ae27cfe8f |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.dll
| MD5 | 868a85db64eb92a821e6928a9e161270 |
| SHA1 | b853cff977b4e5c80463e7c94287332b28e47537 |
| SHA256 | 67be9154c7c4f83d1009b434a8dadb7b64083db602e0dd4fb6f4c0b64eabcd64 |
| SHA512 | 9013976f07ca492fabb69ae276d80d07198f52eccc34a1f7f50e3c6167721f95b2730bdd151133bc626ff1b3de5391a9c9994163153edc8af247b041d77cb95c |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\gif-v2.dll
| MD5 | dd3d067c139254d741a8b4f3a8af216e |
| SHA1 | dddbb19996620ddfd9e9625f4c502356efed2c25 |
| SHA256 | e19006a51b60dcc3e212948ff5531bb7a4c69f832f256de13b84aa646baf8c57 |
| SHA512 | 04ef2d19a5c5c49817ee9214d7eeae513795a440209923009caa6283cc467762837fc2da5ac20c517a7326fde2fffca444b011e5bee089ecf6bb1177b705734c |
C:\Config.Msi\e57c0c3.rbs
| MD5 | b1c8d397780c69d7be0a565b12d63a09 |
| SHA1 | 8e59fef29122c5bf5e23a806d168344b769dfd3c |
| SHA256 | 10edbc281d4790c2093b0669b193c616ae44449aa5a5543b6a3a7debb1f1a9ba |
| SHA512 | ff57480fe532191e49a63a21c2697aa5650f89ab37ee93d1657c55f509ab3993d12be50b452a51d64e9314e6de91d6c7cf8c4c7eb94471db70d5bacccab50315 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\aspose.dll
| MD5 | 0f849bc43ffe1bb5f29aac19f11f6740 |
| SHA1 | 2bb74d7772c4b7cae2571e5751914e267b482002 |
| SHA256 | 65eb8d11d173cc5c330a2a87f602e2140c1a73b7cda6eb8c46b88ed2ff093860 |
| SHA512 | 08f168fd42ec9bd83cb6a1f8b580ef50a8aa97db5abd70c1323c090931e29963b1eca350ca9fdebdc5d56b824bc8c11f9b2a1a44f466ea44f5bdb05bf8526675 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\et\frame.wav
| MD5 | 88d23c6d9df3fd0481f0fc5f6f371ad1 |
| SHA1 | 4fb6f9aca5c18687d95202d17ece1fbec90f4bad |
| SHA256 | 16da76874a974a58ccd9f8473cce66155237c032567d829d79bb08246b9a71a1 |
| SHA512 | 9eb29d5d64b82be54228149f652fbe4696bb619628f1188a2284c1a5fa3bde41e1b0405162675a275aab9c8d4d0d78c3784204cc11fca3049a3a416723a264b0 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\Unrar.dll
| MD5 | 8acc93a5e7f034341465e19ca8153ec9 |
| SHA1 | f4192443c09167756dfe7c887626feeac1407265 |
| SHA256 | 4df7928a91a8fbfd2068f858347eccbf2423d2c61be8ef61e3ae4c3034fb7bb7 |
| SHA512 | e6229abe8c360a58ad5342b1eeb815d57c7645525233bd6a79384dda254e7d3849dd6a345acbdd759bccfbffa41a3de31fafdb682b989e90ad1003035f2f3637 |
memory/3996-57-0x0000000073440000-0x00000000734A2000-memory.dmp
memory/3996-58-0x0000000002A30000-0x0000000002A50000-memory.dmp
memory/3996-59-0x0000000002CF0000-0x0000000002D53000-memory.dmp
memory/3996-64-0x0000000073440000-0x00000000734A2000-memory.dmp
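The Network and Files sections above are the parts of this report that turn into indicators: the Files section lists the same content several times (every `MSI*.tmp` staged by the installer carries one SHA256, and the dropped DLLs and EXE are each listed twice), and the Network section mixes the one domain the sample resolved and connected to (`gstatic-node.io` over TCP 80) with reverse lookups and resolver traffic. The script below is an added example, not the sandbox's code; it parses both sections in the report's own row shapes and produces a de-duplicated IOC set. The sample input is a constructed subset of the tables above. It assumes 8.8.8.8 is the sandbox's resolver and that `in-addr.arpa` queries are VM background noise rather than sample behaviour.

```python
"""Turn this report's Files and Network tables into a de-duplicated IOC set
(added example; parses the report's own row shapes)."""
import hashlib
import re

# Constructed subset of the report's Files section, repeats included.
FILES_SECTION = r"""
C:\Windows\Installer\MSIC2B4.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
C:\Windows\Installer\MSID35E.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe
| MD5 | 700f45b97576c03feb6e7f82f34f92a5 |
| SHA256 | 8d8ed55802b825f7ec8b19008f00fa2514ede5010350975295cbdc4700ffaace |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe
| MD5 | 700f45b97576c03feb6e7f82f34f92a5 |
| SHA256 | 8d8ed55802b825f7ec8b19008f00fa2514ede5010350975295cbdc4700ffaace |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.dll
| MD5 | 868a85db64eb92a821e6928a9e161270 |
| SHA256 | 67be9154c7c4f83d1009b434a8dadb7b64083db602e0dd4fb6f4c0b64eabcd64 |
"""

# Constructed subset of the report's Network section.
NETWORK_SECTION = """
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic-node.io | udp |
| US | 188.114.97.0:80 | gstatic-node.io | tcp |
| US | 188.114.97.0:80 | gstatic-node.io | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
NET_ROW = re.compile(r"^\|\s*(\w{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(tcp|udp)\s*\|$")
NOISE_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")  # assumed to be VM background lookups


def parse_files(section):
    """Group file entries by SHA256: one record per distinct content, listing
    every path it was written to (the MSI*.tmp files all share one hash)."""
    entries = []  # (path, {hash_name: hex}) in report order
    for raw in section.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and entries:
            entries[-1][1][m.group(1).lower()] = m.group(2).lower()
        elif not line.startswith("|"):
            entries.append((line, {}))
    by_sha256 = {}
    for path, hashes in entries:
        sha = hashes.get("sha256")
        if sha is None:
            continue
        rec = by_sha256.setdefault(sha, {"md5": hashes.get("md5"), "paths": []})
        if path not in rec["paths"]:
            rec["paths"].append(path)
    return by_sha256


def parse_network(section):
    rows = []
    for raw in section.splitlines():
        m = NET_ROW.match(raw.strip())
        if m:
            rows.append({"ip": m.group(2), "port": int(m.group(3)),
                         "domain": m.group(4), "proto": m.group(5)})
    return rows


def network_iocs(rows, resolvers=("8.8.8.8",)):
    """Domains the sample resolved and endpoints it connected to, minus
    resolver traffic and reverse lookups."""
    domains, endpoints = set(), set()
    for r in rows:
        if r["domain"].endswith(NOISE_SUFFIXES):
            continue
        domains.add(r["domain"])
        if r["ip"] not in resolvers:
            endpoints.add((r["ip"], r["port"], r["proto"]))
    return {"domains": sorted(domains), "endpoints": sorted(endpoints)}


def lookup(data, iocs):
    """Report paths for a blob whose SHA256 is in the IOC set, else None."""
    rec = iocs.get(hashlib.sha256(data).hexdigest())
    return rec["paths"] if rec else None


if __name__ == "__main__":
    for sha, rec in parse_files(FILES_SECTION).items():
        print(sha, "->", "; ".join(rec["paths"]))
    print(network_iocs(parse_network(NETWORK_SECTION)))
```

Grouping by SHA256 rather than by path is what makes the list usable: a blocklist keyed on `MSIC2B4.tmp` would never fire again, since the installer picks a fresh temporary name each run, while the hash and the dropped `ScrollNavigator.exe` / `ScrollNavigator.dll` pair stay the same.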