Joe Sandbox Cloud Basic Analysis Report
Edit tour

Windows Analysis Report
blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi

Overview

General Information

Sample name:blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi
Analysis ID:1671083
MD5:7b6a790a2d4a51d98821946b71fddd97
SHA1:1da651bf6718db1014aa26eeb39445a3eeaffa10
SHA256:e614ad6baba19c41103dafb5dfe86db7b3b2f04549f0ffac7ec4e5720fbd2802
Infos:

Detection

Score:48
Range:0 - 100
Confidence:100%

Signatures

Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Always Install Elevated MSI Spawned Cmd And Powershell

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 6764 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 2612 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • MSIA319.tmp (PID: 7520 cmdline: "C:\Windows\Installer\MSIA319.tmp" /C "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\install.bat" MD5: DB126FF10E71753C0C29210C090927A3)
      • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7588 cmdline: C:\Windows\system32\cmd.exe /c type "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json" & break > "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c type "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json" & break > "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json", CommandLine: C:\Windows\system32\cmd.exe /c type "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json" & break > "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\Installer\MSIA319.tmp" /C "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\install.bat", ParentImage: C:\Windows\Installer\MSIA319.tmp, ParentProcessId: 7520, ParentProcessName: MSIA319.tmp, ProcessCommandLine: C:\Windows\system32\cmd.exe /c type "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json" & break > "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json", ProcessId: 7588, ProcessName: cmd.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

  • Compliance
  • Spreading
  • Networking
  • System Summary
  • Data Obfuscation
  • Persistence and Installation Behavior
  • Hooking and other Techniques for Hiding and Protection
  • Malware Analysis System Evasion
  • HIPS / PFW / Operating System Protection Evasion
  • Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results
Source: Binary string: C:\agents\_work\9\s\BB_5.33\Blackbaud\AppFx\Programming\WebShellWorkStation\obj\Release\Blackbaud.AppFx.Programming.WebShellWorkstation.pdb source: Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr
Source: Binary string: cmd.pdbUGP source: MSIA319.tmp, 00000008.00000002.1315385656.0000000000551000.00000020.00000001.01000000.00000006.sdmp, blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, MSIA319.tmp.1.dr, MSIA134.tmp.1.dr, 3e9f6e.msi.1.dr, 3e9f6f.rbs.1.dr, 3e9f70.msi.1.dr
Source: Binary string: C:\agents\_work\9\s\BB_5.33\Blackbaud\AppFx\Programming\WebShellWorkstationChromExtension\AltruWorkstationNativeMessageHost\AltruWorkstationNativeMessageHost\obj\Release\AltruWorkstationNativeMessageHost.pdbpW source: AltruWorkstationNativeMessageHost.exe.1.dr
Source: Binary string: d:\Unbranched\SVG-master\Source\obj\Release\Svg.pdb source: Svg.DLL.1.dr
Source: Binary string: C:\agents\_work\9\s\BB_5.33\Blackbaud\AppFx\Programming\WebShellWorkStation\obj\Release\Blackbaud.AppFx.Programming.WebShellWorkstation.pdb0tJt <t_CorDllMainmscoree.dll source: Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr
Source: Binary string: cmd.pdb source: MSIA319.tmp, 00000008.00000002.1315385656.0000000000551000.00000020.00000001.01000000.00000006.sdmp, blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, MSIA319.tmp.1.dr, MSIA134.tmp.1.dr, 3e9f6e.msi.1.dr, 3e9f6f.rbs.1.dr, 3e9f70.msi.1.dr
Source: Binary string: C:\agents\_work\9\s\BB_5.33\Blackbaud\AppFx\Programming\WebShellWorkstationChromExtension\AltruWorkstationNativeMessageHost\AltruWorkstationNativeMessageHost\obj\Release\AltruWorkstationNativeMessageHost.pdb source: AltruWorkstationNativeMessageHost.exe.1.dr
Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
Source: C:\Windows\Installer\MSIA319.tmpFile opened: c:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
Source: blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, AltruWorkstationNativeMessageHost.exe.1.dr, Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr, 3e9f6e.msi.1.dr, 3e9f70.msi.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, AltruWorkstationNativeMessageHost.exe.1.dr, Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr, 3e9f6e.msi.1.dr, 3e9f70.msi.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, AltruWorkstationNativeMessageHost.exe.1.dr, Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr, 3e9f6e.msi.1.dr, 3e9f70.msi.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, AltruWorkstationNativeMessageHost.exe.1.dr, Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr, 3e9f6e.msi.1.dr, 3e9f70.msi.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, AltruWorkstationNativeMessageHost.exe.1.dr, Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr, 3e9f6e.msi.1.dr, 3e9f70.msi.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, AltruWorkstationNativeMessageHost.exe.1.dr, Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr, 3e9f6e.msi.1.dr, 3e9f70.msi.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, AltruWorkstationNativeMessageHost.exe.1.dr, Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr, 3e9f6e.msi.1.dr, 3e9f70.msi.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 3e9f70.msi.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, AltruWorkstationNativeMessageHost.exe.1.dr, Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr, 3e9f6e.msi.1.dr, 3e9f70.msi.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, AltruWorkstationNativeMessageHost.exe.1.dr, Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr, 3e9f6e.msi.1.dr, 3e9f70.msi.1.drString found in binary or memory: http://ocsp.digicert.com0
Source: blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, AltruWorkstationNativeMessageHost.exe.1.dr, Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr, 3e9f6e.msi.1.dr, 3e9f70.msi.1.drString found in binary or memory: http://ocsp.digicert.com0A
Source: blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, AltruWorkstationNativeMessageHost.exe.1.dr, Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr, 3e9f6e.msi.1.dr, 3e9f70.msi.1.drString found in binary or memory: http://ocsp.digicert.com0C
Source: blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, AltruWorkstationNativeMessageHost.exe.1.dr, Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr, 3e9f6e.msi.1.dr, 3e9f70.msi.1.drString found in binary or memory: http://ocsp.digicert.com0X
Source: blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, AltruWorkstationNativeMessageHost.exe.1.dr, Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr, 3e9f6e.msi.1.dr, 3e9f70.msi.1.drString found in binary or memory: http://www.digicert.com/CPS0
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\3e9f6e.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{EF71544B-410A-4E27-B5F5-512247EC5AE4}Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA134.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\3e9f70.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\3e9f70.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA319.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\3e9f70.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSIA134.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSIA319.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\3e9f6e.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
Source: blackbaud.appfx.programming.webshellworkstationchromeextension (1).msiBinary or memory string: OriginalFilenameCmd.Exej% vs blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi
Source: classification engineClassification label: mal48.evad.winMSI@7/25@0/0
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Blackbaud, IncJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DFB5D8C11CC649FABB.TMPJump to behavior
Source: C:\Windows\System32\msiexec.exeFile read: C:\Windows\win.iniJump to behavior
Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
Source: blackbaud.appfx.programming.webshellworkstationchromeextension (1).msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi"
Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\Installer\MSIA319.tmp "C:\Windows\Installer\MSIA319.tmp" /C "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\install.bat"
Source: C:\Windows\Installer\MSIA319.tmpProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Installer\MSIA319.tmpProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c type "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json" & break > "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json"
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\Installer\MSIA319.tmp "C:\Windows\Installer\MSIA319.tmp" /C "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\install.bat"Jump to behavior
Source: C:\Windows\Installer\MSIA319.tmpProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c type "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json" & break > "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json"Jump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msihnd.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: riched20.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: usp10.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msls31.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\Installer\MSIA319.tmpSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeAutomated click: Next >
Source: C:\Windows\System32\msiexec.exeAutomated click: Next >
Source: C:\Windows\System32\msiexec.exeAutomated click: Next >
Source: Binary string: C:\agents\_work\9\s\BB_5.33\Blackbaud\AppFx\Programming\WebShellWorkStation\obj\Release\Blackbaud.AppFx.Programming.WebShellWorkstation.pdb source: Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr
Source: Binary string: cmd.pdbUGP source: MSIA319.tmp, 00000008.00000002.1315385656.0000000000551000.00000020.00000001.01000000.00000006.sdmp, blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, MSIA319.tmp.1.dr, MSIA134.tmp.1.dr, 3e9f6e.msi.1.dr, 3e9f6f.rbs.1.dr, 3e9f70.msi.1.dr
Source: Binary string: C:\agents\_work\9\s\BB_5.33\Blackbaud\AppFx\Programming\WebShellWorkstationChromExtension\AltruWorkstationNativeMessageHost\AltruWorkstationNativeMessageHost\obj\Release\AltruWorkstationNativeMessageHost.pdbpW source: AltruWorkstationNativeMessageHost.exe.1.dr
Source: Binary string: d:\Unbranched\SVG-master\Source\obj\Release\Svg.pdb source: Svg.DLL.1.dr
Source: Binary string: C:\agents\_work\9\s\BB_5.33\Blackbaud\AppFx\Programming\WebShellWorkStation\obj\Release\Blackbaud.AppFx.Programming.WebShellWorkstation.pdb0tJt <t_CorDllMainmscoree.dll source: Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.1.dr
Source: Binary string: cmd.pdb source: MSIA319.tmp, 00000008.00000002.1315385656.0000000000551000.00000020.00000001.01000000.00000006.sdmp, blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi, MSIA319.tmp.1.dr, MSIA134.tmp.1.dr, 3e9f6e.msi.1.dr, 3e9f6f.rbs.1.dr, 3e9f70.msi.1.dr
Source: Binary string: C:\agents\_work\9\s\BB_5.33\Blackbaud\AppFx\Programming\WebShellWorkstationChromExtension\AltruWorkstationNativeMessageHost\AltruWorkstationNativeMessageHost\obj\Release\AltruWorkstationNativeMessageHost.pdb source: AltruWorkstationNativeMessageHost.exe.1.dr
Source: MSIA319.tmp.1.drStatic PE information: section name: .didat

Persistence and Installation Behavior

barindex
Source: C:\Windows\System32\msiexec.exeExecutable created and started: C:\Windows\Installer\MSIA319.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA319.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\Svg.DLLJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\AltruWorkstationNativeMessageHost.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\Blackbaud.AppFx.Programming.WebShellWorkstation.DLLJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA319.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\Installer\MSIA319.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\Installer\MSIA319.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\Installer\MSIA319.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Installer\MSIA319.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\Installer\MSIA319.tmpProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\Svg.DLLJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\AltruWorkstationNativeMessageHost.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\Blackbaud.AppFx.Programming.WebShellWorkstation.DLLJump to dropped file
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA319.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\Installer\MSIA319.tmp "C:\Windows\Installer\MSIA319.tmp" /C "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\install.bat"Jump to behavior
Source: C:\Windows\Installer\MSIA319.tmpProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c type "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json" & break > "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json"Jump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire Infrastructure1
Replication Through Removable Media		Windows Management Instrumentation1
DLL Side-Loading		11
Process Injection		121
Masquerading		OS Credential Dumping1
Process Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
Disable or Modify Tools		LSASS Memory11
Peripheral Device Discovery		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager1
File and Directory Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDS12
System Information Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
File Deletion		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1671083 Sample: blackbaud.appfx.programming... Startdate: 22/04/2025 Architecture: WINDOWS Score: 48 6 msiexec.exe 86 35 2->6         started        10 msiexec.exe 9 2->10         started        file3 18 C:\Windows\Installer\MSIA319.tmp, PE32 6->18 dropped 20 C:\Program Files (x86)\...\Svg.DLL, PE32 6->20 dropped 22 Blackbaud.AppFx.Pr...hellWorkstation.DLL, PE32 6->22 dropped 24 C:\...\AltruWorkstationNativeMessageHost.exe, PE32 6->24 dropped 26 Drops executables to the windows directory (C:\Windows) and starts them 6->26 12 MSIA319.tmp 1 6->12         started        28 Drops or copies cmd.exe with a different name (likely to bypass HIPS) 10->28 signatures4 process5 process6 14 conhost.exe 12->14         started        16 cmd.exe 1 12->16         started       

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

SourceDetectionScannerLabelLink
C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\Svg.DLL0%ReversingLabs
C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\Svg.DLL0%VirustotalBrowse
C:\Windows\Installer\MSIA319.tmp0%ReversingLabs
C:\Windows\Installer\MSIA319.tmp0%VirustotalBrowse

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1671083
Start date and time:2025-04-22 15:55:45 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 29s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi
Detection:MAL
Classification:mal48.evad.winMSI@7/25@0/0
Cookbook Comments:
  • Found application associated with file extension: .msi
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 184.29.183.29, 52.149.20.212
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Config.Msi\3e9f6f.rbs

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):246248
Entropy (8bit):6.454046329553518
Encrypted:false
SSDEEP:6144:Td/SUUpT08cTwejUSK5xqa7RPU+Ut4msX:Td/KpI8cWjkCdX
MD5:F03957CB249BCAC06DF1E94B96CC1C97
SHA1:51638E2F3B007EA47AA7A778797B743C371AD182
SHA-256:50FF77187D27D5D2AAC2D61859C2650CEBDDDE8B83223048E970714EC909B904
SHA-512:A515827F7458FD35E5CC873CBE92F36A1D70AF9FAFBB57CD65EA97DA842897750F3D25B76706FA9CB9000ACF075774EDDD6FEC694218602B4DA5F2486358DA84
Malicious:false
Reputation:low
Preview:...@IXOS.@.....@.O.Z.@.....@.....@.....@.....@.....@......&.{EF71544B-410A-4E27-B5F5-512247EC5AE4},.Blackbaud Altru Workstation Chrome InterfaceF.blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi.@.....@.....@.....@........&.{AC5A4355-4AAB-4E02-B965-2C1006521527}.....@.....@.....@.....@.......@.....@.....@.......@....,.Blackbaud Altru Workstation Chrome Interface......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{BDF8F694-F04E-4DD1-916D-055FBE85EB9E}&.{EF71544B-410A-4E27-B5F5-512247EC5AE4}.@......&.{65A8F529-12A1-4105-B991-CA8F89A330D3}&.{EF71544B-410A-4E27-B5F5-512247EC5AE4}.@......&.{B7B226B6-FBED-489A-AA2A-90CB3CA3EF35}&.{EF71544B-410A-4E27-B5F5-512247EC5AE4}.@......&.{584699D2-7AF5-4D2E-A74B-CE29CCAEF6F0}&.{EF71544B-410A-4E27-B5F5-512247EC5AE4}.@......&.{94B32113-9450-440B-8F74-FA7689EF0E42}&.{EF71544B-410A-4E27-B5F5-512247EC5AE4}.@......&.{310E3B79-BD2F-4858-A2E8

C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\AltruWorkstationNativeMessageHost.exe

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):27680
Entropy (8bit):6.51967374890049
Encrypted:false
SSDEEP:384:5Pu7MWdCMY5RT2YgCtTpfqshIH0otLDIYigr/cXlSJIVE8E9VF0NyY3V:5uMWdYD2YXzIH0EsYiY12EE
MD5:0A5E9F28FCF976DDF8D645400B86F587
SHA1:8FB9517095B74AB8874F89D0FAAF7AD372CA280E
SHA-256:417EFC449AB92880C2602C201FBF0C9F57DA7F49B68A08B1FD8CF5AD6F04A560
SHA-512:BCC945EC1F73194FED23AC5857474CC5001958129D7F1F2A1E20AA4E81C55036E80A40C53CFB4B6ED8BD5C9E37B6AAB1B61A40C96FA5584987EB747A7E3236BD
Malicious:false
Reputation:low
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)/.g.........."...P..8...........W... ...`....@.. ..............................4.....`.................................HW..O....`..<............D.. (...........V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc...<....`.......:..............@..@.reloc...............B..............@..B................|W......H.......L)...,..........XU................................................(....*..(....*.s.........s.........s.........s.........*.~....o....*.~....o ...*.~....o!...*.~....o"...*.~.....(#...,.r...p.....($...o%...s&........~....*.~....*.......*Vs....('...t.........*..((...*.~....*.(....*..0..:.......~)......sU..........~).....(*.....8......-...........o+...&...(,.......-...........o+.....(-........o.....s/......1...o0...(...+......o....oY....o....o2.......(........ .t.u5&.. .

C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\Blackbaud.AppFx.Programming.WebShellWorkstation.DLL

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):34848
Entropy (8bit):6.3933164353495515
Encrypted:false
SSDEEP:768:O7+bgR97kNdw7cBewiPK7YWFqtA8z08YiY/2Em:OKbgzkNq7cBewJ7YWFqO87gE
MD5:AAE42FD88B073C3292B698726051D273
SHA1:BC2BB4B7D7519D78862669617B510864E4965939
SHA-256:B7A01631C2A883BF333C07839A026AE6CE17DEF158629491A418EB86B2F9AC6E
SHA-512:02E9559E7981BF885261A45693F787D47A632E4D91AF8A4F0B901851F9BE40538F3BFAE300749E7098D678909BF995E47C9661BA6CCCF9BD339A69B50F5E9294
Malicious:false
Reputation:low
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%/.g.........." ..P..V..........Zt... ........... ....................................`..................................t..O....................`.. (...........r............................................... ............... ..H............text...`T... ...V.................. ..`.rsrc................X..............@..@.reloc...............^..............@..B................<t......H.......00...?...........o................................................(....*..(....*.s.........s ........s!........s"........*.~....o#...*.~....o$...*.~....o%...*.~....o&...*..('...*.~.....((...,.r...p.....()...o*...s+........~....*.~....*.......*V(....ro..p~....o,...*V(....r...p~....o,...*V(....r...p~....o,...*.~.....((...,.r...p.....()...o*...s+........~....*.~....*.......*V(....rk..p~....o,...*..(....*.(-...*..0..*........,&..(......s+.......o4...&..(....(/.....*......

C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\Svg.DLL

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):557056
Entropy (8bit):6.138145960739498
Encrypted:false
SSDEEP:12288:OSuqtV1jnQxZdlCG3pFb6KtXX2nrfSNT6v2q6wLOsKdMaiT8HQJUyGtS:xtV1jnQxZdlCG3pFb6KtXX2nrfSNT6vz
MD5:F63BCE7E982CB683F42C6C77F475E9E4
SHA1:9266C08363065002B3941DE8393457C4B98866C3
SHA-256:504448C1E29611E649DC4B923DE55D22768B44F9996F8F650A58096E74851DB8
SHA-512:A774EA2607ED3430A626BA5C473C4B1709B3311F920D3E0DA3870CC6588E170E69EC64D8620311B11E51D8CDC6D799CD164FFABA93BE6DEB34CF15849E1E0702
Malicious:false
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 0%, Browse
Reputation:low
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...6{.T...........!.....P... .......e... ........@.. ....................................@..................................d..W.......8............................c............................................... ............... ..H............text...$E... ...P.................. ..`.rsrc...8............`..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\install.bat

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:DOS batch file, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):629
Entropy (8bit):4.807173422132504
Encrypted:false
SSDEEP:12:dAd/2bDKa4kYVJt6Y9a8ZNLLCXH3Cvh6TRURSRqvFhYVJSezec/td:dAMnKNVP9nDCX3pRQSRqC1ec/td
MD5:7CD35776BF997BA8B5AA99E618BBDCD6
SHA1:E5697F44C0ABADE94AEFD627DDC34F894FE8D99E
SHA-256:5DCDD8447D9D3163D064D1D8895878489779DD0B62EF654EDDB791EE64DB9C4E
SHA-512:A56D8AF30798056AC10F51FB766D818547A70FCEAFDE01BD7FD37A30B206BC851337185F460606F6F5EB2604BE1EDB2A79974A44CBFA97C962C18DBB7855F4F9
Malicious:false
Reputation:low
Preview:@echo off ..set currentDir=%~dp0%..set fileName=manifest.json....set filetoRead=%currentDir%%fileName%....@echo off .. setlocal enableextensions disabledelayedexpansion...::set modifiedCurrentDir=%currentDir:\=\\% ...set newPath=%currentDir%AltruWorkstationNativeMessageHost.exe...set modifiedPath=%newPath:\=\\% .. set "search=$$path$$".. set "replace="path": "%modifiedPath%",".. for /f "delims=" %%i in ('type "%filetoRead%" ^& break ^> "%filetoRead%"') do (.. set "line=%%i".. setlocal enabledelayedexpansion.. >>"%filetoRead%" echo(!line:%search%=%replace%!.. endlocal.. )........

C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):3
Entropy (8bit):1.584962500721156
Encrypted:false
SSDEEP:3:f:f
MD5:CAA1F02AA39C0A7222CD74D8793AD853
SHA1:8D5BDBEE0CC84BF2E68A1345AA57B963E484B28A
SHA-256:83EAE7E6A4D3C71BCC96328C519FBA2941EE486968A6D6322FB08CEB44E3EFD6
SHA-512:2B3AC56C28DD20B1FF6C29C4D57FA1F89A28334EA57B718CD1E4083C1AB6703684AB5E2BBEAAF34EEBFD848EA86040CC6F0DB4C1C3ADF08BFBDF84E5314D020A
Malicious:false
Reputation:low
Preview:{..

C:\Windows\Installer\3e9f6e.msi

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Blackbaud.Appfx.Programming.WebShellWorkstationChromeExtension, Author: Blackbaud, Inc., Keywords: Installer, Comments: This installer database contains the logic and data required to install Blackbaud Altru Workstation Chrome Interface., Template: Intel;1033, Revision Number: {AC5A4355-4AAB-4E02-B965-2C1006521527}, Create Time/Date: Tue Mar 4 16:50:02 2025, Last Saved Time/Date: Tue Mar 4 16:50:02 2025, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 0
Category:dropped
Size (bytes):634880
Entropy (8bit):6.494276235308061
Encrypted:false
SSDEEP:12288:gpgtNleos/2UCKnK3PsMPld/KpI8cWjkCd/:gitTeos/2lK8JT/KpI8cWYCd/
MD5:7B6A790A2D4A51D98821946B71FDDD97
SHA1:1DA651BF6718DB1014AA26EEB39445A3EEAFFA10
SHA-256:E614AD6BABA19C41103DAFB5DFE86DB7B3B2F04549F0FFAC7EC4E5720FBD2802
SHA-512:C0B2FC578C0C97C205C4E85549ECDB491F001109062B2D7823B8AD1C5F3843881EDF685B7CD9FF15CE0B2DD85E76268A5C5F7DC5B85561E6811A99FD503158BE
Malicious:false
Reputation:low
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\3e9f70.msi

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Blackbaud.Appfx.Programming.WebShellWorkstationChromeExtension, Author: Blackbaud, Inc., Keywords: Installer, Comments: This installer database contains the logic and data required to install Blackbaud Altru Workstation Chrome Interface., Template: Intel;1033, Revision Number: {AC5A4355-4AAB-4E02-B965-2C1006521527}, Create Time/Date: Tue Mar 4 16:50:02 2025, Last Saved Time/Date: Tue Mar 4 16:50:02 2025, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 0
Category:dropped
Size (bytes):634880
Entropy (8bit):6.494276235308061
Encrypted:false
SSDEEP:12288:gpgtNleos/2UCKnK3PsMPld/KpI8cWjkCd/:gitTeos/2lK8JT/KpI8cWYCd/
MD5:7B6A790A2D4A51D98821946B71FDDD97
SHA1:1DA651BF6718DB1014AA26EEB39445A3EEAFFA10
SHA-256:E614AD6BABA19C41103DAFB5DFE86DB7B3B2F04549F0FFAC7EC4E5720FBD2802
SHA-512:C0B2FC578C0C97C205C4E85549ECDB491F001109062B2D7823B8AD1C5F3843881EDF685B7CD9FF15CE0B2DD85E76268A5C5F7DC5B85561E6811A99FD503158BE
Malicious:false
Reputation:low
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIA134.tmp

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):241138
Entropy (8bit):6.445417996677997
Encrypted:false
SSDEEP:6144:/d/SUUpT08cTwejUSK5xqa7RPU+Ut4msE:/d/KpI8cWjkCdE
MD5:8C95FE91F7A1D7E317480A94818C1E50
SHA1:F2F635146056FDCE36BDA746EB8F4692593A8601
SHA-256:B666ECD7E2224FE7F6412EA815ED663BF30A36FE784FD29280B04DD84D35F181
SHA-512:A41F434AFD440D55D9FB3B09AB83874C855DC09678F2398EF7346EC33C08A57A6DEDC0733D482CF9953F6A63BFB563D41328249BFDB0731E2C10BEB307D1F69D
Malicious:false
Preview:...@IXOS.@.....@.O.Z.@.....@.....@.....@.....@.....@......&.{EF71544B-410A-4E27-B5F5-512247EC5AE4},.Blackbaud Altru Workstation Chrome InterfaceF.blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi.@.....@.....@.....@........&.{AC5A4355-4AAB-4E02-B965-2C1006521527}.....@.....@.....@.....@.......@.....@.....@.......@....,.Blackbaud Altru Workstation Chrome Interface......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{BDF8F694-F04E-4DD1-916D-055FBE85EB9E}..C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\Blackbaud.AppFx.Programming.WebShellWorkstation.DLL.@.......@.....@.....@......&.{65A8F529-12A1-4105-B991-CA8F89A330D3}`.C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json.@.......@.....@.....@......&.{B7B226B6-FBED-489A-AA2A-90CB3CA3EF35}Z.C:\Program Files

C:\Windows\Installer\MSIA319.tmp

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):236032
Entropy (8bit):6.426419032972558
Encrypted:false
SSDEEP:6144:Cd/SUUpT08cTwejUSK5xqa7RPU+Ut4ms:Cd/KpI8cWjkCd
MD5:DB126FF10E71753C0C29210C090927A3
SHA1:6BC815D8AB2194850142E80B7107539612332BBD
SHA-256:B94D1C553C7EF81DF040D6BE59120EB0A8F67AEC1A787A2B6B537309CBAF8CC4
SHA-512:E2F775F3E4926D12F21D9ADA6A253E28C3027BA1097689C99E54CCF09543878B7C1EAE42FDEDC8674245D169F2697384A4588D980F40E1CC556001DC335BA288
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 0%
  • Antivirus: Virustotal, Detection: 0%, Browse
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z...>i..>i..>i..7.8.xi..[...8i..[...&i..>i...h..[...;i..[...7i..[....i..[.T.?i..[...?i..Rich>i..................PE..L....................................o............@.......................................@.................................................................`...&..`5..T............................................................................text............................... ..`.data...,...........................@....idata...$.......&..................@..@.didat..H...........................@....rsrc...............................@..@.reloc...&...`...(...r..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{EF71544B-410A-4E27-B5F5-512247EC5AE4}

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.1950483171887911
Encrypted:false
SSDEEP:12:JSbX72FjVXAlfLIlHmRpBh+7777777777777777777777777ZDHFDxEPSOOl0i8Q:JrUIY0xxEqqF
MD5:4B35701F5E038A1528ED105F1BB3A6C7
SHA1:13EAF1ADD06194603B9CEBB1076460661553E8C8
SHA-256:CC1643132C786F52AACFB2E339EC0C6A2D5F7F48CFA253BC88A186ED18C5C75D
SHA-512:3B9A8D684B632D8C0594D230A4AE60955D3E083242EC9A0F11588AC511F8A2BEB67529154AA3EA7E65FAB691E6ADF7C8CE669115661CDAFE863D7D8E6E18ED4C
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.5731345773519292
Encrypted:false
SSDEEP:48:A8PhzuRc06WX4kFT54VApzbqqu/uh5qykmqpSkd7sfh5Ro8xrzSkd7sfh5AN8lVu:vhz1UFTeOUmvxkzpBMv15BMvJv
MD5:DF808B58E53A1ECA3643807547BEC752
SHA1:40D7962CA42E797C5D0CD1CD2CD9E92E6B4755F4
SHA-256:50C2644594EB3BCD6D882977D7DE77F9AD8A81D4D527281627319ACAA4E548F5
SHA-512:E56461A178D94FA346B0C3C1D25A7596B01BDDA38BDBC6A4CC3E67D540492C719FD1704AC0C7C68C4562DD64EE49C7B692ECD8817DECE20C39EDFCFA98F8834D
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):432221
Entropy (8bit):5.375174799087263
Encrypted:false
SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauB:zTtbmkExhMJCIpEr8
MD5:80098F0AB9CDEF4BC02F1BF73FF4D6D3
SHA1:B849277773466E3E3C2DFFB0F567D1EF538BA28D
SHA-256:BD369DC904DACE443207C379D87E6C4A836D603A1ED2F489C09F62332809EB4A
SHA-512:8055468CA4ED1BB2572EFEF68E3F40B4423B05A4A3D971AF70B916A007BC4141D837661A170FDBEA719952691D8B365BB258E9C141EA1CF7C60699CF5D5489D3
Malicious:false
Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF041D704FCE48C734.TMP

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF0B92A02C1AFE7D99.TMP

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.2587674129824085
Encrypted:false
SSDEEP:48:6+ruXs43FX4ZT50VApzbqqu/uh5qykmqpSkd7sfh5Ro8xrzSkd7sfh5AN8lVh5m:drS6T6OUmvxkzpBMv15BMvJv
MD5:01A352EDAFC183DDE66CDBA8A4111B5F
SHA1:5B05F803B1C67FFE9208A38B5A5EDBCCD2EA1327
SHA-256:95EFBA64B48147D49046E7B5F1D473BBC62DC4CADB0A5B21F0822B133BF34818
SHA-512:2F511830D94056E40F39B99907D187F25B7F9494ED317C5C351BC3A50EC22C7DC8C1DD0E1E4FE84728D92AD6FD28191503048BC8597EC112C6B425EC3001654E
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF15C70EB837199F95.TMP

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2A3926E0D547EABC.TMP

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.2587674129824085
Encrypted:false
SSDEEP:48:6+ruXs43FX4ZT50VApzbqqu/uh5qykmqpSkd7sfh5Ro8xrzSkd7sfh5AN8lVh5m:drS6T6OUmvxkzpBMv15BMvJv
MD5:01A352EDAFC183DDE66CDBA8A4111B5F
SHA1:5B05F803B1C67FFE9208A38B5A5EDBCCD2EA1327
SHA-256:95EFBA64B48147D49046E7B5F1D473BBC62DC4CADB0A5B21F0822B133BF34818
SHA-512:2F511830D94056E40F39B99907D187F25B7F9494ED317C5C351BC3A50EC22C7DC8C1DD0E1E4FE84728D92AD6FD28191503048BC8597EC112C6B425EC3001654E
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4162510DA4E8F6C8.TMP

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF4758CC3E1E62865A.TMP

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.5731345773519292
Encrypted:false
SSDEEP:48:A8PhzuRc06WX4kFT54VApzbqqu/uh5qykmqpSkd7sfh5Ro8xrzSkd7sfh5AN8lVu:vhz1UFTeOUmvxkzpBMv15BMvJv
MD5:DF808B58E53A1ECA3643807547BEC752
SHA1:40D7962CA42E797C5D0CD1CD2CD9E92E6B4755F4
SHA-256:50C2644594EB3BCD6D882977D7DE77F9AD8A81D4D527281627319ACAA4E548F5
SHA-512:E56461A178D94FA346B0C3C1D25A7596B01BDDA38BDBC6A4CC3E67D540492C719FD1704AC0C7C68C4562DD64EE49C7B692ECD8817DECE20C39EDFCFA98F8834D
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF53D56932A97B9727.TMP

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.0934319702849918
Encrypted:false
SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOD3OuEXImSEAVky6lO:2F0i8n0itFzDHFDxEPSOO
MD5:A9EFD9BDB3FAE3B9B6E9999C1BA4C90E
SHA1:1C1B81A278DDA09DDC25E84196BEA3A23C4F8D20
SHA-256:2DB6F3BEE551DF0F5DBB4067EC972C0E9557093450B2624D441F49235738AC95
SHA-512:C4F2C45F034E01A1C549AF43A7D9529FF947D864EDF33DAFA1D80179A0BA349FAD5B23D156170B851CB8BF2FE3532197B24DFE5D7DBEDA6A14E74D3B8D30A038
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5EB519E6D1B8E2DF.TMP

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:modified
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF672C451D1F9646F9.TMP

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB5D8C11CC649FABB.TMP

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):73728
Entropy (8bit):0.14067829686087024
Encrypted:false
SSDEEP:48:SHh5EN8luSkd7sfh5PqpSkd7sfh5Ro8xrUf0h5qFApzbqqu/R:qvuBMvipBMv1Gf0vzUp
MD5:37BF83E9848C39CE243994305A5BA811
SHA1:DD81C80C8605E5BD7ED0A72919D44CF33EF206C9
SHA-256:C6E9024D621A268D6C60653EC478D645216376F80F2DA54BE7A4FDD55A5E1FCD
SHA-512:B6B065E01CCC655C88BD490100E38FC5AF164C6F96B8581806025AB7AF9047201FE16AE8A22E25E0A10BBAECFD0DE6423A3F6ECBD25CF9C0DC27E4AFFB49BFC7
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFCEE0413078A47F3E.TMP

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.5731345773519292
Encrypted:false
SSDEEP:48:A8PhzuRc06WX4kFT54VApzbqqu/uh5qykmqpSkd7sfh5Ro8xrzSkd7sfh5AN8lVu:vhz1UFTeOUmvxkzpBMv15BMvJv
MD5:DF808B58E53A1ECA3643807547BEC752
SHA1:40D7962CA42E797C5D0CD1CD2CD9E92E6B4755F4
SHA-256:50C2644594EB3BCD6D882977D7DE77F9AD8A81D4D527281627319ACAA4E548F5
SHA-512:E56461A178D94FA346B0C3C1D25A7596B01BDDA38BDBC6A4CC3E67D540492C719FD1704AC0C7C68C4562DD64EE49C7B692ECD8817DECE20C39EDFCFA98F8834D
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD92F1C540B73885B.TMP

Download File
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.2587674129824085
Encrypted:false
SSDEEP:48:6+ruXs43FX4ZT50VApzbqqu/uh5qykmqpSkd7sfh5Ro8xrzSkd7sfh5AN8lVh5m:drS6T6OUmvxkzpBMv15BMvJv
MD5:01A352EDAFC183DDE66CDBA8A4111B5F
SHA1:5B05F803B1C67FFE9208A38B5A5EDBCCD2EA1327
SHA-256:95EFBA64B48147D49046E7B5F1D473BBC62DC4CADB0A5B21F0822B133BF34818
SHA-512:2F511830D94056E40F39B99907D187F25B7F9494ED317C5C351BC3A50EC22C7DC8C1DD0E1E4FE84728D92AD6FD28191503048BC8597EC112C6B425EC3001654E
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Blackbaud.Appfx.Programming.WebShellWorkstationChromeExtension, Author: Blackbaud, Inc., Keywords: Installer, Comments: This installer database contains the logic and data required to install Blackbaud Altru Workstation Chrome Interface., Template: Intel;1033, Revision Number: {AC5A4355-4AAB-4E02-B965-2C1006521527}, Create Time/Date: Tue Mar 4 16:50:02 2025, Last Saved Time/Date: Tue Mar 4 16:50:02 2025, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 0
Entropy (8bit):6.494276235308061
TrID:
  • Microsoft Windows Installer (60509/1) 88.31%
  • Generic OLE2 / Multistream Compound File (8008/1) 11.69%
File name:blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi
File size:634'880 bytes
MD5:7b6a790a2d4a51d98821946b71fddd97
SHA1:1da651bf6718db1014aa26eeb39445a3eeaffa10
SHA256:e614ad6baba19c41103dafb5dfe86db7b3b2f04549f0ffac7ec4e5720fbd2802
SHA512:c0b2fc578c0c97c205c4e85549ecdb491f001109062b2d7823b8ad1c5f3843881edf685b7cd9ff15ce0b2dd85e76268a5c5f7dc5b85561e6811a99fd503158be
SSDEEP:12288:gpgtNleos/2UCKnK3PsMPld/KpI8cWjkCd/:gitTeos/2lK8JT/KpI8cWYCd/
TLSH:B1D4DF82AB818071C45A1270664BF37B8A3EEC74871219D773E47E9F7E701D0BA3A756
File Content Preview:........................>......................................................................................................................................................................................................................................

File Icon

Icon Hash:2d2e3797b32b2b99

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

  • File
  • Registry

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:09:56:40
Start date:22/04/2025
Path:C:\Windows\System32\msiexec.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\blackbaud.appfx.programming.webshellworkstationchromeextension (1).msi"
Imagebase:0x7ff7519f0000
File size:69'632 bytes
MD5 hash:E5DA170027542E25EDE42FC54C929077
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Section Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Thread Activities

Show Windows behavior

Memory Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

General

Target ID:1
Start time:09:56:41
Start date:22/04/2025
Path:C:\Windows\System32\msiexec.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\msiexec.exe /V
Imagebase:0x7ff7519f0000
File size:69'632 bytes
MD5 hash:E5DA170027542E25EDE42FC54C929077
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false
Show Windows behavior

File Activities

Show Windows behavior

Section Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Thread Activities

Show Windows behavior

Memory Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Process Token Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

General

Target ID:8
Start time:09:56:54
Start date:22/04/2025
Path:C:\Windows\Installer\MSIA319.tmp
Wow64 process (32bit):true
Commandline:"C:\Windows\Installer\MSIA319.tmp" /C "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\install.bat"
Imagebase:0x550000
File size:236'032 bytes
MD5 hash:DB126FF10E71753C0C29210C090927A3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 0%, ReversingLabs
  • Detection: 0%, Virustotal, Browse
Reputation:low
Has exited:true
Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Memory Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

General

Target ID:9
Start time:09:56:54
Start date:22/04/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff62fc20000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true
Show Windows behavior

File Activities

Show Windows behavior

Section Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Thread Activities

Show Windows behavior

Memory Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

General

Target ID:10
Start time:09:56:54
Start date:22/04/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c type "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json" & break > "C:\Program Files (x86)\Blackbaud, Inc\Blackbaud Altru Workstation Chrome Interface\manifest.json"
Imagebase:0xc70000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true
Show Windows behavior

File Activities

Show Windows behavior

Section Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.
There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Disassembly

No disassembly