Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
rb7-1-3.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\InstallerData\Disk1\InstData\MediaId.properties
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\InstallerData\Disk1\InstData\Resource1.zip
|
Zip archive data, at least v1.0 to extract, compression method=store
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\InstallerData\Execute.zip
|
Zip archive data, at least v1.0 to extract, compression method=store
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\InstallerData\IAClasses.zip
|
Zip archive data, at least v1.0 to extract, compression method=store
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\InstallerData\InstalledMedias.properties
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\InstallerData\MediaFiles.properties
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\InstallerData\laxmanifest.txt
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\InstallerData\uninstallmanifest.txt
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\Windows\jvmspecs\Verify.jar
|
Java archive data (JAR)
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\Windows\jvmspecs\jvmspecs.properties
|
ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.lax
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\ZGWin32LaunchHelper.exe
|
PE32 executable (console) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\iawin32.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\iawin64.dll
|
PE32+ executable (DLL) (GUI) Intel Itanium, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\iawin64_x64.dll
|
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\invoker.exe
|
PE32 executable (console) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\remove.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\win64_32.exe
|
PE32+ executable (console) Intel Itanium, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\Windows\resource\win64_32_x64.exe
|
PE32+ executable (console) x86-64, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\sea_loc
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\laxF181.tmp
|
ASCII text, with CRLF line terminators
|
dropped
|
There are 13 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\rb7-1-3.exe
|
"C:\Users\user\Desktop\rb7-1-3.exe"
|
||
|
C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe
|
C:\Users\user\AppData\Local\Temp\I1711691362\Windows\rb7-1-3.exe
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://www.sun.com/xmlns/jaxb/dom4j-location
|
unknown
|
||
|
http://java.sun.com/xml/jaxb
|
unknown
|
||
|
http://apache.org/xml/features/validation/dynamic
|
unknown
|
||
|
http://www.thaiopensource.com/trex
|
unknown
|
||
|
http://java.sun.com/xml/ns/jaxb/xjc
|
unknown
|
||
|
http://www.sun.com/xml/msv/schema
|
unknown
|
||
|
http://ocsp.thawte.com0
|
unknown
|
||
|
http://xml.org/sax/features/namespaces
|
unknown
|
||
|
http://apache.org/xml/features/nonvalidating/load-external-dtd
|
unknown
|
||
|
http://java.sun.com/jaxb/xjc/dummy-elements
|
unknown
|
||
|
http://apache.org/xml/features/validation/schema-full-checking
|
unknown
|
||
|
http://www.newyorkfed.org/markets/talf.html.
|
unknown
|
||
|
http://www.iso-relax.org/verifier/filter
|
unknown
|
||
|
http://www.xml.gr.jp/xmlns/relaxCore
|
unknown
|
||
|
http://www.sun.com/xml/msv/trex-type
|
unknown
|
||
|
http://www.sun.com/xmlns/msv/features/panicMode
|
unknown
|
||
|
http://www.symauth.com/cps0(
|
unknown
|
||
|
http://xml.org/sax/features/string-interning
|
unknown
|
||
|
http://www.dom4j.org/
|
unknown
|
||
|
http://www.sun.com/policies/trademarks.
|
unknown
|
||
|
http://www.installanywhere.com
|
unknown
|
||
|
http://java.sun.com
|
unknown
|
||
|
http://relaxng.org/ns/compatibility/datatypes/1.0
|
unknown
|
||
|
http://www.sec.gov/rules/other/2008/34-58592.pdf
|
unknown
|
||
|
http://java.sun.com/xml/ns/jaxb
|
unknown
|
||
|
http://www.sun.com/xml/developers/resolver/
|
unknown
|
||
|
http://crl.thawte.com/ThawteTimestampingCA.crl0
|
unknown
|
||
|
http://java.sun.com/xml/ns/relaxng/java-datatypes
|
unknown
|
||
|
http://www.symauth.com/rpa00
|
unknown
|
||
|
http://jaxb.dev.java.net
|
unknown
|
||
|
http://relaxng.org/ns/structure/0.9
|
unknown
|
||
|
http://www.iso-relax.org/verifier/handler
|
unknown
|
||
|
http://xml.org/sax/features/validation
|
unknown
|
||
|
http://nwalsh.com/xcatalog/1.0
|
unknown
|
||
|
http://relaxng.org/ns/compatibility/annotations/1.0
|
unknown
|
||
|
http://www.xml.gr.jp/relax/namespace1/relaxNamespace.dtd
|
unknown
|
||
|
http://relaxng.org/ns/structure/1.0
|
unknown
|
||
|
http://www.xml.gr.jp/xmlns/relaxNamespace
|
unknown
|
||
|
http://jaxb.dev.java.net/
|
unknown
|
||
|
http://www.osc.gov.on.ca/Media/NewsReleases/2008/nr_20080919_csa-sup-temp-order.jsp
|
unknown
|
||
|
http://relaxng.org/ns/annotation/1.0
|
unknown
|
||
|
http://apache.org/xml/features/validation/schema
|
unknown
|
||
|
http://www.iso-relax.org/catalog
|
unknown
|
||
|
http://www.xml.gr.jp/relax/core1/relaxCore.dtd
|
unknown
|
||
|
http://xml.org/sax/properties/lexical-handler
|
unknown
|
There are 35 hidden URLs, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
B80000
|
heap
|
page read and write
|
||
|
113C000
|
stack
|
page read and write
|
||
|
C73000
|
unkown
|
page write copy
|
||
|
113A000
|
stack
|
page read and write
|
||
|
C21000
|
unkown
|
page execute read
|
||
|
1134000
|
stack
|
page read and write
|
||
|
B91000
|
heap
|
page read and write
|
||
|
123D000
|
heap
|
page read and write
|
||
|
1039000
|
stack
|
page read and write
|
||
|
1254000
|
heap
|
page read and write
|
||
|
48F000
|
unkown
|
page write copy
|
||
|
1320000
|
heap
|
page read and write
|
||
|
441000
|
unkown
|
page execute read
|
||
|
1254000
|
heap
|
page read and write
|
||
|
B5E000
|
stack
|
page read and write
|
||
|
C64000
|
unkown
|
page readonly
|
||
|
494000
|
unkown
|
page readonly
|
||
|
F3E000
|
stack
|
page read and write
|
||
|
EF0000
|
heap
|
page read and write
|
||
|
11EE000
|
stack
|
page read and write
|
||
|
14FE000
|
stack
|
page read and write
|
||
|
1254000
|
heap
|
page read and write
|
||
|
153E000
|
stack
|
page read and write
|
||
|
C20000
|
unkown
|
page readonly
|
||
|
1264000
|
heap
|
page read and write
|
||
|
440000
|
unkown
|
page readonly
|
||
|
1236000
|
heap
|
page read and write
|
||
|
BAD000
|
heap
|
page read and write
|
||
|
BBC000
|
heap
|
page read and write
|
||
|
44C0000
|
heap
|
page read and write
|
||
|
E7E000
|
stack
|
page read and write
|
||
|
3230000
|
heap
|
page read and write
|
||
|
3270000
|
heap
|
page read and write
|
||
|
47E000
|
unkown
|
page readonly
|
||
|
BB9000
|
heap
|
page read and write
|
||
|
B1D000
|
stack
|
page read and write
|
||
|
C21000
|
unkown
|
page execute read
|
||
|
17E5000
|
heap
|
page read and write
|
||
|
1245000
|
heap
|
page read and write
|
||
|
BCD000
|
heap
|
page read and write
|
||
|
C74000
|
unkown
|
page read and write
|
||
|
2C9F000
|
stack
|
page read and write
|
||
|
1220000
|
heap
|
page read and write
|
||
|
1248000
|
heap
|
page read and write
|
||
|
17E0000
|
heap
|
page read and write
|
||
|
11F0000
|
heap
|
page read and write
|
||
|
C64000
|
unkown
|
page readonly
|
||
|
C78000
|
unkown
|
page read and write
|
||
|
E90000
|
heap
|
page read and write
|
||
|
44D0000
|
trusted library allocation
|
page read and write
|
||
|
44C4000
|
heap
|
page read and write
|
||
|
EA0000
|
heap
|
page read and write
|
||
|
3264000
|
heap
|
page read and write
|
||
|
11A0000
|
heap
|
page read and write
|
||
|
859000
|
stack
|
page read and write
|
||
|
47E000
|
unkown
|
page readonly
|
||
|
1263000
|
heap
|
page read and write
|
||
|
AD0000
|
heap
|
page read and write
|
||
|
48F000
|
unkown
|
page read and write
|
||
|
494000
|
unkown
|
page readonly
|
||
|
BB9000
|
heap
|
page read and write
|
||
|
F79000
|
heap
|
page read and write
|
||
|
BB1000
|
heap
|
page read and write
|
||
|
1261000
|
heap
|
page read and write
|
||
|
C20000
|
unkown
|
page readonly
|
||
|
3260000
|
heap
|
page read and write
|
||
|
BB1000
|
heap
|
page read and write
|
||
|
BCE000
|
heap
|
page read and write
|
||
|
D7E000
|
stack
|
page read and write
|
||
|
C73000
|
unkown
|
page write copy
|
||
|
C7B000
|
unkown
|
page readonly
|
||
|
441000
|
unkown
|
page execute read
|
||
|
BA7000
|
heap
|
page read and write
|
||
|
9C0000
|
heap
|
page read and write
|
||
|
123D000
|
heap
|
page read and write
|
||
|
BB5000
|
heap
|
page read and write
|
||
|
163E000
|
stack
|
page read and write
|
||
|
1228000
|
heap
|
page read and write
|
||
|
440000
|
unkown
|
page readonly
|
||
|
95A000
|
stack
|
page read and write
|
||
|
125F000
|
heap
|
page read and write
|
||
|
F75000
|
heap
|
page read and write
|
||
|
C7B000
|
unkown
|
page readonly
|
||
|
1254000
|
heap
|
page read and write
|
||
|
AA0000
|
heap
|
page read and write
|
||
|
BBD000
|
heap
|
page read and write
|
||
|
B88000
|
heap
|
page read and write
|
||
|
123D000
|
heap
|
page read and write
|
||
|
F70000
|
heap
|
page read and write
|
There are 79 hidden memdumps, click here to show them.