7b248e7cb7eda9cb1639260a4d8a83e32c9f398c80d64d71922ccaf730a3dddd

Analysis

max time kernel
98s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MAXQDA24_Setup (1).msi
Size

375.0MB
MD5

11d8956afe36cefadfdeace4cc17326a
SHA1

5b0505b3d371710867bad82e12f6add9169303a6
SHA256

7b248e7cb7eda9cb1639260a4d8a83e32c9f398c80d64d71922ccaf730a3dddd
SHA512

f72293a22f831154f1591f779a2de6432af45d9368c70fb92b7758c4431e0e3d7e30a039f87d1fe1ce05710993b40aa07facc57cf8a9f7d516b05182de743f39
SSDEEP

6291456:OSC5MXpntxbeRwAQiRME+iEYl/P3co+HC2dfezUKirtsYSrJeZfvf+k3O/u89kvU:pC5M5nLb9AOrUVco+zdHKcts/rcfvfbg

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 9 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exemsiexec.exe

pid process

2944 MsiExec.exe
2496 MsiExec.exe
2496 MsiExec.exe
2496 MsiExec.exe
2524 MsiExec.exe
2524 MsiExec.exe
2524 MsiExec.exe
2024 msiexec.exe
2024 msiexec.exe
Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exemsiexec.exe

flow pid process

3 1708 msiexec.exe
5 1708 msiexec.exe
7 2024 msiexec.exe

pid	process
2944	MsiExec.exe
2496	MsiExec.exe
2496	MsiExec.exe
2496	MsiExec.exe
2524	MsiExec.exe
2524	MsiExec.exe
2524	MsiExec.exe
2024	msiexec.exe
2024	msiexec.exe

flow	pid	process
3	1708	msiexec.exe
5	1708	msiexec.exe
7	2024	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\MAXQDA24\imageformats\qtiff.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\resources\RtfConverter\Qt5Core.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\Examples\JPN\Teresa.rtf	msiexec.exe
File created	C:\Program Files\MAXQDA24\qtbase_it.qm	msiexec.exe
File created	C:\Program Files\MAXQDA24\MxConv.exe	msiexec.exe
File created	C:\Program Files\MAXQDA24\concrt140.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\resources\Mecab\ipadic_win\dicrc	msiexec.exe
File created	C:\Program Files\MAXQDA24\Manuals\ENG\preprocessor_eng.rtf	msiexec.exe
File created	C:\Program Files\MAXQDA24\api-ms-win-core-file-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\qtbase_es.qm	msiexec.exe
File created	C:\Program Files\MAXQDA24\Examples\CHIN\Audio.mp3	msiexec.exe
File created	C:\Program Files\MAXQDA24\COPYING	msiexec.exe
File created	C:\Program Files\MAXQDA24\api-ms-win-core-processthreads-l1-1-2.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\translations\qt_ja.qm	msiexec.exe
File created	C:\Program Files\MAXQDA24\api-ms-win-crt-environment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\Qt6QmlModels.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\translations\qtwebengine_locales\bn.pak	msiexec.exe
File created	C:\Program Files\MAXQDA24\translations\qt_lv.qm	msiexec.exe
File created	C:\Program Files\MAXQDA24\translations\qtwebengine_locales\th.pak	msiexec.exe
File created	C:\Program Files\MAXQDA24\translations\qtwebengine_locales\it.pak	msiexec.exe
File created	C:\Program Files\MAXQDA24\sqlite3.exe	msiexec.exe
File created	C:\Program Files\MAXQDA24\translations\qtwebengine_locales\vi.pak	msiexec.exe
File created	C:\Program Files\MAXQDA24\tls\qcertonlybackend.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\Examples\ENG\Interview with Mai.mp4	msiexec.exe
File created	C:\Program Files\MAXQDA24\resources\SentimentScore\en\negations.txt	msiexec.exe
File created	C:\Program Files\MAXQDA24\translations\qtwebengine_locales\am.pak	msiexec.exe
File created	C:\Program Files\MAXQDA24\imageformats\qsvg.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\Examples\ENG\Work Life Balance.mx24	msiexec.exe
File created	C:\Program Files\MAXQDA24\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\MAXQDA_RTF_HTML_Converter.exe	msiexec.exe
File created	C:\Program Files\MAXQDA24\strings.data	msiexec.exe
File created	C:\Program Files\MAXQDA24\SplashScreen.bin	msiexec.exe
File created	C:\Program Files\MAXQDA24\resources\SentimentScore\de\modal_verbs.txt	msiexec.exe
File created	C:\Program Files\MAXQDA24\msvcp140_1.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\translations\qtwebengine_locales\es-419.pak	msiexec.exe
File created	C:\Program Files\MAXQDA24\Examples\JPN\Joanna.rtf	msiexec.exe
File created	C:\Program Files\MAXQDA24\VBIDEApi.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\translations\qtwebengine_locales\sl.pak	msiexec.exe
File created	C:\Program Files\MAXQDA24\resources\SpellDictionary\en_GB.txt	msiexec.exe
File created	C:\Program Files\MAXQDA24\translations\qt_da.qm	msiexec.exe
File created	C:\Program Files\MAXQDA24\dbghelp.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\Qt6SerialPort.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\mfc140.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\translations\qtwebengine_locales\ms.pak	msiexec.exe
File created	C:\Program Files\MAXQDA24\pdfium.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\translations\qt_ca.qm	msiexec.exe
File created	C:\Program Files\MAXQDA24\api-ms-win-crt-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\resources\Mecab\ipadic_win\unk.def	msiexec.exe
File created	C:\Program Files\MAXQDA24\translations\qtwebengine_locales\ca.pak	msiexec.exe
File created	C:\Program Files\MAXQDA24\Manuals\ENG\risimp_eng.rtf	msiexec.exe
File created	C:\Program Files\MAXQDA24\api-ms-win-crt-time-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\Qt6Qml.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\Examples\ENG\Interview-11-Mateo.mp3	msiexec.exe
File created	C:\Program Files\MAXQDA24\api-ms-win-core-heap-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\resources\qtwebengine_resources_200p.pak	msiexec.exe
File created	C:\Program Files\MAXQDA24\translations\qtwebengine_locales\el.pak	msiexec.exe
File created	C:\Program Files\MAXQDA24\translations\qt_uk.qm	msiexec.exe
File created	C:\Program Files\MAXQDA24\icuuc51.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\PortableList.ini	msiexec.exe
File created	C:\Program Files\MAXQDA24\Examples\GER\Beispielvideo.mp4	msiexec.exe
File created	C:\Program Files\MAXQDA24\resources\QTT_DOCX_Formats.ini	msiexec.exe
File created	C:\Program Files\MAXQDA24\resources\Template.docx	msiexec.exe
File created	C:\Program Files\MAXQDA24\position\qtposition_positionpoll.dll	msiexec.exe
File created	C:\Program Files\MAXQDA24\api-ms-win-crt-locale-l1-1-0.dll	msiexec.exe

Drops file in Windows directory 21 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\{187ECAAA-38B5-4EAA-B2B7-5031A69059A2}\DocumentIco	msiexec.exe
File created	C:\Windows\Installer\{187ECAAA-38B5-4EAA-B2B7-5031A69059A2}\ExchangeIco	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f77be9e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC996.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{187ECAAA-38B5-4EAA-B2B7-5031A69059A2}\DocumentTeamCloudIco	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID24F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2BD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{187ECAAA-38B5-4EAA-B2B7-5031A69059A2}\MaxqdaIcon	msiexec.exe
File created	C:\Windows\Installer\{187ECAAA-38B5-4EAA-B2B7-5031A69059A2}\UninstallIcon	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f77be9e.msi	msiexec.exe
File created	C:\Windows\Installer\f77be9f.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID164.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{187ECAAA-38B5-4EAA-B2B7-5031A69059A2}\UninstallIcon	msiexec.exe
File created	C:\Windows\Installer\{187ECAAA-38B5-4EAA-B2B7-5031A69059A2}\DocumentIco	msiexec.exe
File created	C:\Windows\Installer\{187ECAAA-38B5-4EAA-B2B7-5031A69059A2}\MaxqdaIcon	msiexec.exe
File created	C:\Windows\Installer\{187ECAAA-38B5-4EAA-B2B7-5031A69059A2}\DocumentTeamCloudIco	msiexec.exe
File opened for modification	C:\Windows\Installer\{187ECAAA-38B5-4EAA-B2B7-5031A69059A2}\ExchangeIco	msiexec.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

DrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\MAXQDA24.exe\SupportedTypes\.mex	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\MAXQDA24.exe\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/mx24\Extension = ".mx24"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mx24file\shell\open\command\ = "\"C:\\Program Files\\MAXQDA24\\MAXQDA24.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mx24	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mex24file\DefaultIcon\ = "C:\\Windows\\Installer\\{187ECAAA-38B5-4EAA-B2B7-5031A69059A2}\\ExchangeIco,0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mx24\OpenWithList\MAXQDA24.exe	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mex24\OpenWithList\MAXQDA24.exe	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mx24file\FriendlyTypeName = "MAXQDA 24 Project"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mc24	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mc24file\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\MAXQDA24.exe\shell\open\FriendlyAppName = "MAXQDA 24"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mx24\MAXQDA.mx24file\ShellNew	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mc24\Content Type = "application/mc24"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mex24file\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mc24file	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mex24file\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mx24\OpenWithList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mex24file\shell\open\command\ = "\"C:\\Program Files\\MAXQDA24\\MAXQDA24.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mex24\ = "MAXQDA.mex24file"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/mex\Extension = ".mex24"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mex24file\ = "MAXQDA Exchange File"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mex24\MAXQDA.mex24file	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mx24file\DefaultIcon\ = "C:\\Windows\\Installer\\{187ECAAA-38B5-4EAA-B2B7-5031A69059A2}\\DocumentIco,0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mc24file\DefaultIcon\ = "C:\\Windows\\Installer\\{187ECAAA-38B5-4EAA-B2B7-5031A69059A2}\\DocumentTeamCloudIco,0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/mx24	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mx24\Content Type = "application/mx24"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mc24\MAXQDA.mc24file	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mex24file	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mx24file\ = "MAXQDA 24 Project"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/mex	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\MAXQDA24.exe\SupportedTypes	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mx24file	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mx24\MAXQDA.mx24file	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mc24file\shell\open\command\ = "\"C:\\Program Files\\MAXQDA24\\MAXQDA24.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mx24file\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\MAXQDA24.exe\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mex24file\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/mc24	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\MAXQDA24.exe\SupportedTypes\.mx24	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mex24	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\MAXQDA24.exe\shell\open\command\ = "\"C:\\Program Files\\MAXQDA24\\MAXQDA24.exe\" \"%1\""	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mc24file\shell\open\command\command = 30005f00330073002a00650041002600400041006a0046003800710033005b005a00360033005d00500072006f00640075006300740046006500610074007500720065003e0047006c0062005400500059004f0070005300400050007a0057005500440034005f003500640062002000220025003100220000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mc24\ = "MAXQDA.mc24file"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mex24\MAXQDA.mex24file\ShellNew	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\MAXQDA24.exe\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mex24\OpenWithList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mc24\MAXQDA.mc24file\ShellNew	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mex24file\shell\open\command\command = 30005f00330073002a00650041002600400041006a0046003800710033005b005a00360033005d00500072006f00640075006300740046006500610074007500720065003e0047006c0062005400500059004f0070005300400050007a0057005500440034005f003500640062002000220025003100220000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mex24\Content Type = "application/mex"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mc24file\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mc24file\shell\open	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mx24file\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/mc24\Extension = ".mc24"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\MAXQDA24.exe	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mx24file\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mx24\ = "MAXQDA.mx24file"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mc24file\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mc24file\ = "MAXQDA 24 Project"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mex24file\FriendlyTypeName = "MAXQDA Exchange File"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mx24file\shell\open\command	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MAXQDA.mx24file\shell\open\command\command = 30005f00330073002a00650041002600400041006a0046003800710033005b005a00360033005d00500072006f00640075006300740046006500610074007500720065003e0047006c0062005400500059004f0070005300400050007a0057005500440034005f003500640062002000220025003100220000000000	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

MsiExec.exemsiexec.exeMsiExec.exe

pid process

2496 MsiExec.exe
2024 msiexec.exe
2024 msiexec.exe
2524 MsiExec.exe

pid	process
2496	MsiExec.exe
2024	msiexec.exe
2024	msiexec.exe
2524	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1708	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	2024	msiexec.exe
Token: SeTakeOwnershipPrivilege	2024	msiexec.exe
Token: SeSecurityPrivilege	2024	msiexec.exe
Token: SeCreateTokenPrivilege	1708	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1708	msiexec.exe
Token: SeLockMemoryPrivilege	1708	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1708	msiexec.exe
Token: SeMachineAccountPrivilege	1708	msiexec.exe
Token: SeTcbPrivilege	1708	msiexec.exe
Token: SeSecurityPrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeLoadDriverPrivilege	1708	msiexec.exe
Token: SeSystemProfilePrivilege	1708	msiexec.exe
Token: SeSystemtimePrivilege	1708	msiexec.exe
Token: SeProfSingleProcessPrivilege	1708	msiexec.exe
Token: SeIncBasePriorityPrivilege	1708	msiexec.exe
Token: SeCreatePagefilePrivilege	1708	msiexec.exe
Token: SeCreatePermanentPrivilege	1708	msiexec.exe
Token: SeBackupPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeShutdownPrivilege	1708	msiexec.exe
Token: SeDebugPrivilege	1708	msiexec.exe
Token: SeAuditPrivilege	1708	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1708	msiexec.exe
Token: SeChangeNotifyPrivilege	1708	msiexec.exe
Token: SeRemoteShutdownPrivilege	1708	msiexec.exe
Token: SeUndockPrivilege	1708	msiexec.exe
Token: SeSyncAgentPrivilege	1708	msiexec.exe
Token: SeEnableDelegationPrivilege	1708	msiexec.exe
Token: SeManageVolumePrivilege	1708	msiexec.exe
Token: SeImpersonatePrivilege	1708	msiexec.exe
Token: SeCreateGlobalPrivilege	1708	msiexec.exe
Token: SeCreateTokenPrivilege	1708	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1708	msiexec.exe
Token: SeLockMemoryPrivilege	1708	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1708	msiexec.exe
Token: SeMachineAccountPrivilege	1708	msiexec.exe
Token: SeTcbPrivilege	1708	msiexec.exe
Token: SeSecurityPrivilege	1708	msiexec.exe
Token: SeTakeOwnershipPrivilege	1708	msiexec.exe
Token: SeLoadDriverPrivilege	1708	msiexec.exe
Token: SeSystemProfilePrivilege	1708	msiexec.exe
Token: SeSystemtimePrivilege	1708	msiexec.exe
Token: SeProfSingleProcessPrivilege	1708	msiexec.exe
Token: SeIncBasePriorityPrivilege	1708	msiexec.exe
Token: SeCreatePagefilePrivilege	1708	msiexec.exe
Token: SeCreatePermanentPrivilege	1708	msiexec.exe
Token: SeBackupPrivilege	1708	msiexec.exe
Token: SeRestorePrivilege	1708	msiexec.exe
Token: SeShutdownPrivilege	1708	msiexec.exe
Token: SeDebugPrivilege	1708	msiexec.exe
Token: SeAuditPrivilege	1708	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1708	msiexec.exe
Token: SeChangeNotifyPrivilege	1708	msiexec.exe
Token: SeRemoteShutdownPrivilege	1708	msiexec.exe
Token: SeUndockPrivilege	1708	msiexec.exe
Token: SeSyncAgentPrivilege	1708	msiexec.exe
Token: SeEnableDelegationPrivilege	1708	msiexec.exe
Token: SeManageVolumePrivilege	1708	msiexec.exe
Token: SeImpersonatePrivilege	1708	msiexec.exe
Token: SeCreateGlobalPrivilege	1708	msiexec.exe
Token: SeCreateTokenPrivilege	1708	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1708 msiexec.exe

pid	process
1708	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 2024 wrote to memory of 2944	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2944	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2944	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2944	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2944	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2944	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2944	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2496	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2496	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2496	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2496	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2496	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2524	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2524	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2524	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2524	2024	msiexec.exe	MsiExec.exe
PID 2024 wrote to memory of 2524	2024	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\MAXQDA24_Setup (1).msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1708

C:\Program Files\MAXQDA24\MAXQDA24.EXE
"C:\Program Files\MAXQDA24\MAXQDA24.EXE"
2⤵
PID:2692

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5753A1A3565989DCC424C0CED48CAD18 C
2⤵
- Loads dropped DLL
PID:2944

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 2EF1FC27BDA4DDA0DB4CA70515EE6329 C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2496

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 240531032799C1A743C96E524B85B6B7
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2524

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2372

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "00000000000002AC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2772

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f77bea0.rbs
Filesize
87KB

MD5
e6e96050b701cbdbcd867a0420c1099d

SHA1
64b8b397c4a45143f3d4dbb5f6825416de342cb8

SHA256
eddeda85b35ff394b048c0815e814592dc42a25afc11cbafc4edb900e000a6f1

SHA512
f2b384a301fc67fa983e5d641c3860e0aa883c5ce0e44efb9d7d322e954108be48d1728c5f3da92a1192835901f8662e1c272cd2742e17a4cbe0f7440f76767e

Download Submit
C:\Program Files\MAXQDA24\MAXQDA24.exe
Filesize
3.4MB

MD5
3ae75d78c4c3a18f280743b3e9f4c498

SHA1
ccb7d37fe309e11408d334c7599d3e1d62ff0fbb

SHA256
e62cbce5cced4678e0de31616a627d6ed47f4e37b74309be1487bf8a85535007

SHA512
5547c61c9c35abf86ebd8a15cab04f70f712ebb45eb8ac54f60c22f4b053c3a3f0b60d26d5cfdfe61ecf0c5cbaaa4bc16b880feb592aa4b5b1d4954980f2e82d

Download Submit
C:\Program Files\MAXQDA24\MAXQDA24.exe
Filesize
470KB

MD5
662108ee662932bd7667ec0f46c592a6

SHA1
bcdbf255f4f8a6d6997f90ab31d2b4815710bd46

SHA256
149eff9aabde21e359b7aedfbdfd88617f998164e4f0632470a46f78ee1dedbc

SHA512
1d0469c0b5d5df45470b217f841aca650e8e3c8bbfaae5d67b4122a2426fc165b0080c68df387d3772ecff423a1e8961f8aa9e31c570dbfb052ad19c81d7cdc4

Download Submit
C:\Program Files\MAXQDA24\Qt6Core.dll
Filesize
332KB

MD5
5c839c1a83df3b4d6c8feda72dfca81f

SHA1
acfede9a00a94c206acdb7c8dc7c84b36f0bbf0b

SHA256
c4f05e4800e725c9683b5cf09b3a02c4a55f66cc37c1f44fdd1d0dfd56a37a1b

SHA512
ac71be690e9b3669ab7be0c1a4eef4fed59c5489d1f5e40ee96fbd47508e725f29ba6dfa6f1db684bc4c0f14014cd0fb586cabca360cf89b91fe73e8ee7ef697

Download Submit
C:\Program Files\MAXQDA24\Qt6Core5Compat.dll
Filesize
256KB

MD5
d274f9a4dd1c061f42771a1be48ffae6

SHA1
9107b08bee6a41ad8655b90a3f56adb94fd1bd91

SHA256
d351bf3a6af8d096e3c7be4416361209a3b90e2f93385b07e6cd41449f7f41f1

SHA512
0547800e0534bf47249c9ac4d6007c019403525369eb2eff39b00593b58b9adb2e326a2b13d82fbb9b926f33cf7c589d29218930650509ce9a5d947567310ced

Download Submit
C:\Program Files\MAXQDA24\fsdk_win64.dll
Filesize
682KB

MD5
81011821c6a08c943332e4a5f9fa39fb

SHA1
8c439ef30a7c5f29af78599fe1abf20f34d33593

SHA256
480d6f79529a3635a4be7b126b2bc25d0514d18493d62fe35f63cc639e4ac09c

SHA512
6e49694114480618e2c3116d11c3f339eb5ef584f081a7dfdc05a0a1cc3fb3dea0b76aec810a0e6e134304e0693eceac9ca27fa953180656d401ff2be66b7cc1

Download Submit
C:\Program Files\MAXQDA24\libmecab.dll
Filesize
897KB

MD5
d1cd43229bbe231d7c087f6318108ec2

SHA1
bca7b218e5183f51874f369df91660e07c080661

SHA256
4ca950caaf176b5dc75e527596e87a1df22d07b042bf9f8a2f2983825b35c093

SHA512
69889ef4d10b5a8259584b6ca2a63dbdbf05f53aa9ba911fa31749d3f27166a40ef1fee1279032a3e61622aa135374f3e747b32ecbef6424f2a63ffa51c8ce7e

Download Submit
C:\Program Files\MAXQDA24\libxl.dll
Filesize
1.0MB

MD5
93bdd107d9de79c7df93aded711f9c29

SHA1
6d7102ffabca53a038f0c8d39db8b9447d52c51e

SHA256
34ba78de92d295408c2bc5e04aa2204cb289f26fc42826b17e5ca08cc5a1af98

SHA512
98dce60118cf34abb1f3d24e65a97cb9f117c33d1cae79ff319d7ba4efe9c338e0d9cc77f0a065500264ed2d97fbd06e1a24e3dd26d95680e730465231038834

Download Submit
C:\Program Files\MAXQDA24\quazip.dll
Filesize
180KB

MD5
72b803754229297eb0bd39c3d5e4ead7

SHA1
d6d7851c08f837c130e25ef9266a95ad7abf171c

SHA256
ea16c67fb22c694338fa05011775c28bdc422617e6b811b3f2a1871c415994b8

SHA512
91ba33d56cfc5c71dfbdc94ce5b137e0585ddf72802558958eeffcf344f24ca81908e56fff85cbf58e55e8e1d204d59d9b6e4b723a039a5ff0f1b652f7f6de02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1
Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
026d8a6260f9a6a7888be207483f3bdd

SHA1
7d98d9e0806c2db209da64ebcc4cdf4712983f56

SHA256
e314b234637fe4b336c8abd726e38732dad9ed9663f71302e3fa6d478b0456eb

SHA512
d2a980530348f0b0554c1fe4c69d3f5fc2889aea8e305286e36e84597a243a312fe4eb83afd8edd8f26900a280f8bfef90483997fbe80fd1daf4544297e9a3b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1
Filesize
242B

MD5
aa9cf11b0d538a188f3830a7875b5572

SHA1
f687a4036b42bf38c973a8efd65e7db4057e0f92

SHA256
aaf68d5e33bab16b975fed1e20d026425b91025fb4b9e9f621de4dd9a52ecbf0

SHA512
52daf568360a24c7f55d74d043d8e66b9fe93a78172aec3e2ee58f413777f7cf53a97fd1964dae92f3ce387c1d72e9a06dc227072282ea74f2bff6a4b37e0a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab88B2.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8E32.tmp
Filesize
202KB

MD5
d773d9bd091e712df7560f576da53de8

SHA1
165cfbdce1811883360112441f7237b287cf0691

SHA256
e0db1804cf53ed4819ed70cb35c67680ce1a77573efded86e6dac81010ce55e7

SHA512
15a956090f8756a6bfdbe191fda36739b1107eada62c6cd3058218beb417bdbd2ea82be9b055f7f6eb8017394b330daff2e9824dbc9c4f137bead8e2ac0574cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8F7B.tmp
Filesize
587KB

MD5
ce7ac188487e8f34523fbf41918af595

SHA1
33bc6b7e9593b651d7d840f78882ae214006f221

SHA256
acb08ddabc50e28f0bdf9624bd69c5fdfe2586e60748758b51b217adcb3587b9

SHA512
4aa2b9e0ffc75418b1783ba21cd89dc15296dc468b437265640386f4925121b34755ff79b0e36e96b3ec000d9eaa2aa0a8cf8f1a2b211da80facb240f7d9e0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar89CE.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Windows\Installer\f77be9e.msi
Filesize
4.3MB

MD5
94cebe8bb6de1262914c67c45db6c5cf

SHA1
9390e47df93989dcd8e98c4dceab5d4c8134d7b7

SHA256
5ed702fb30903b57a966b3ca0eccaa06567c7633e8f01aa0e514908995fd3280

SHA512
b445d88c776245d8373aa74162b2f401e011505fb14de8e8cf8c7db6196d5f9b4e24ab20216a55a259ad7d1b0e62cfba8ecb27def3671d72ce0e208e17353984

Download Submit
\Program Files\MAXQDA24\MAXQDA24.exe
Filesize
7.6MB

MD5
fe25e9a09f132cd116a0fece3cbdaaf5

SHA1
1dfa5581de3823702910a1b173cdc0ef73aac205

SHA256
1085e46688633ea2c550b63d05c1a647f47cff9bf5609963eea801bdf7e16ea5

SHA512
30a61156b0cbcd0e40e0661bef1534c559b73206ba88859f276943815d24805a6ae713170236218d88920f994e7815fab4c6cf7ec702b0334531af09f05691ec

Download Submit
\Program Files\MAXQDA24\MAXQDA24.exe
Filesize
5.2MB

MD5
85e72c295fa5d321c6d80daacfb7450f

SHA1
44bc0a0a88374ce58031212e417841e1683c56ba

SHA256
07460bb6d642e1848d7dc5be19d881f5d96c9fe283537d3f1b075bbe6271e993

SHA512
41ad55790772560caf22a7bc0991aa1fa0b6594cc9b68f7ba4bc42c13c2ffa45c8f9144c3833f7643304e4b4950ebf87fd3bfdf14febfd2b24589d0ee67eb4a4

Download Submit
\Program Files\MAXQDA24\MAXQDA24.exe
Filesize
1.1MB

MD5
821d676dfe1338326694b632b4ea132d

SHA1
92e86d7282ef4a03dffad8cec7a8618d44b241b8

SHA256
a9595e0b9d249a1fecb002c29491e3eb457e92da91dfca62d40d0ccb3c5f4a1f

SHA512
045ba91524dc43172ef6692f04324c3d50acb7607e08a8a7788be876f90053726b6a33ab650cd15085b71b06a952ae78ee10514aff8c127021cec0a9a5a99262

Download Submit
\Program Files\MAXQDA24\MAXQDA24.exe
Filesize
4.3MB

MD5
98e1363472f2c51c560f59e8531a3150

SHA1
332257bef68eba351f55236f2225e639f7ff0a93

SHA256
0fa59296c81443dfc7cbaf98a8b411b8852353242aabafd3c84895ecb40a1d86

SHA512
4f5c81455ff0ca9a306a6384d4c37f61f48d179878dfea5269e7757dc0ad121bec70ca20c0cc2c536183fad93eb74a0275924be9d22d3632f966b07d3468edb2

Download Submit
\Program Files\MAXQDA24\MAXQDA24.exe
Filesize
1.1MB

MD5
545c1ca0ab241ce474425e150d1f08f0

SHA1
3eecf90426be92c8bad43c81c9bd911ad48d4912

SHA256
9403678dc5c532bdb764fa3376406f3fe592e71727684c9f232f7ef616c54847

SHA512
a22ae914e8ec0e47ceba34bfda92039514b7cedf56649d013a27f0261790ca9f9ba5b9deaaa0dd7c6396166db961300d70a6e6d9b8bfa4ada944fbf9fd8853f7

Download Submit
\Program Files\MAXQDA24\Qt6Core.dll
Filesize
232KB

MD5
687cb6d0d39838b6236f922f94c97590

SHA1
47967b834cb79e7235791fbb253f8c3162e1b713

SHA256
557daf0d5399128c5b8c23c8e17796ba60a3981102dbb8fede15261e17e02122

SHA512
35f5c7a7011f2085cd5e3bf3a760a4392a7df6be24ff6724c1fb9cc4c716d7c11cfdb4059c06b49ce0ddae731e00e84610501c256ca092fab5a0ed781dbe74cf

Download Submit
\Program Files\MAXQDA24\Qt6Core5Compat.dll
Filesize
376KB

MD5
f589845e2410111d75923d7f8abf18ec

SHA1
5f9271660e6cf3f4abf3694f6a2c4175fbdde441

SHA256
e7a586a5d31a666cf5ae71a3d203eabcd34d8f20ae94a1c487b2186ec40ac40a

SHA512
121e20d4905ff21f21d0e777d90da91a2bf5bed6ab08661b71b9f8a983370c0e9e31f5009b658033f6f0d792b35ea633e30963373428af180192778c03a0ce7d

Download Submit
\Program Files\MAXQDA24\api-ms-win-core-synch-l1-2-0.dll
Filesize
18KB

MD5
47388f3966e732706054fe3d530ed0dc

SHA1
a9aebbbb73b7b846b051325d7572f2398f5986ee

SHA256
59c14541107f5f2b94bbf8686efee862d20114bcc9828d279de7bf664d721132

SHA512
cce1fc5bcf0951b6a76d456249997b427735e874b650e5b50b3d278621bf99e39c4fc7fee081330f20762f797be1b1c048cb057967ec7699c9546657b3e248ee

Download Submit
\Program Files\MAXQDA24\fsdk_win64.dll
Filesize
526KB

MD5
d8a632c9fcc969e217d51bfcb9edb073

SHA1
d4466521af1f5a222246cb538ac23674014cb1bd

SHA256
5c0782f68e651b0a55529709565f36c3743c42cfb0c47b2a8a5cc7ac0aadb9aa

SHA512
4bbb97ae8ca9d9e9aff624d8448d261ef095697bcf648c5a19548357578d52a48cd1a1abf7951980412222a01e428858b42c54e317746a614f2914175ebfc2ca

Download Submit
\Program Files\MAXQDA24\libmecab.dll
Filesize
711KB

MD5
131bbcf7126866fb823c060924629a1d

SHA1
6dd5df5267acfe26be1979ccc274c27823a188fd

SHA256
c9020862f7f3616cdc8201f0b0418031e4e7454e23071a7cbacc17ad7d589329

SHA512
3568b3d1b6bc8c696cf9cde4bd11f449ea1c59ceae00339944d3f6e32f85e415654bb3188f92c8faa9c85e49720aaf30c0a3ac9d31ec23628fc8f05af59b4ef1

Download Submit
\Program Files\MAXQDA24\libxl.dll
Filesize
877KB

MD5
242401396659eaf2b46eee91d2eb8e03

SHA1
8477ba3e51794f190ee7ea59ec1592416c7d20a3

SHA256
7c31d110efc86f4c5a968d24620fc8281b04336c25cb6d566506c69198512868

SHA512
ede8b448994f912c3a6c173c3cdffdb316b1f1e791aad1bab6e8fa2e9525049b5ab58f6ed1b9101b5f78e1c350a02e7923b10144b7b8049c7535470a53b70c90

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads