Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| QuickTimeInstaller.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | |
| C:\Users\user\AppData\Local\Temp\IXP705.TMP\AppleApplicationSupport.msi | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1256, Title: Installation Database, Subject: Apple, Author: Apple Inc., Keywords: Installer,MSI,Database, Comments: Apple 2.3.6, Create Time/Date: Sat Sep 14 04:45:10 2013, Name of Creating Application: Windows Installer XML (3.5.2519.0), Security: 4, Template: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053,1025, Last Saved By: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053,1025, Revision Number: {46F044A5-CE8B-4196-984E-5BD6525E361D}2.3.6;{46F044A5-CE8B-4196-984E-5BD6525E361D}2.3.6;{529316F8-601C-48AB-BAF6-D9E09938D8D3}, Number of Pages: 300, Number of Characters: 131135 | dropped | |
| C:\Users\user\AppData\Local\Temp\IXP705.TMP\AppleSoftwareUpdate.msi | Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Instalador da Actualizao de Software Apple, Author: Apple Inc., Keywords: Installer,MSI,Database, Comments: Apple Software Update 2.1.3.127, Create Time/Date: Tue Jun 21 23:23:46 2011, Name of Creating Application: Windows Installer XML (3.5.2519.0), Security: 4, Template: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053, Last Saved By: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053, Revision Number: {789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}2.1.3.127;{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}2.1.3.127;{58E373E7-C6D5-4691-885F-721D3B317918}, Number of Pages: 200, Number of Characters: 131135 | dropped | |
| C:\Users\user\AppData\Local\Temp\IXP705.TMP\QuickTime.msi | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Instalador do QuickTime, Author: Apple Inc., Keywords: Installer,MSI,Database, Comments: QuickTime 7 - 7.79.80.95, Create Time/Date: Tue Dec 15 15:17:18 2015, Name of Creating Application: Windows Installer XML v2.0.3220.0 (candle/light), Security: 1, Template: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053, Last Saved By: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053, Revision Number: {FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}7.79.80.95;{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}7.79.80.95;{AA4138E3-09D5-4256-9207-6DDB76D12955}, Number of Pages: 110, Number of Characters: 153485312 | dropped | |
| C:\Users\user\AppData\Local\Temp\IXP705.TMP\QuickTimeInstallerAdmin.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI297E.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI29ED.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI2A4C.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI2AD9.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI2B28.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI2B68.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\QTInstallCode.log | ASCII text, with CRLF line terminators | modified | |
| C:\Users\user\AppData\Local\Temp\QuickTimeInstaller1914.log | ASCII text, with CRLF line terminators | dropped | |
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\QuickTimeInstaller.exe | "C:\Users\user\Desktop\QuickTimeInstaller.exe" | |
| C:\Windows\SysWOW64\msiexec.exe | "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\IXP705.TMP\QuickTime.msi" | |
| C:\Windows\System32\msiexec.exe | C:\Windows\system32\msiexec.exe /V | |
| C:\Windows\SysWOW64\msiexec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding AF7759F71D07749EDCEA18A4E40A5B0C C | |
URLs

| Name | IP | Malicious |
|---|---|---|
| HTTP://WWW.MPEGLA.COM. | unknown | |
| http://www.mpegla.com | unknown | |
| http://crl.thawte.com/ThawteTimestampingCA.crl0 | unknown | |
| http://ocsp.thawte.com0 | unknown | |
Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | Blob | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | Blob | |
| HKEY_CURRENT_USER\SOFTWARE\Apple Computer, Inc.\QuickTime\LocalUserPreferences | FolderPath | |
Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 2C64000 | heap | page read and write | |
| 412000 | unknown | page readonly | |
| 415000 | unknown | page read and write | |
| 417000 | unknown | page read and write | |
| 221B000 | unknown | page readonly | |
| 2C4E000 | heap | page read and write | |
| E1B000 | unknown | page readonly | |
| 2C00000 | heap | page read and write | |
| 31E0000 | heap | page read and write | |
| 19C000 | stack | page read and write | |
| 2C76000 | heap | page read and write | |
| 41B000 | unknown | page readonly | |
| 221B000 | unknown | page readonly | |
| 2C6D000 | heap | page read and write | |
| 412000 | unknown | page readonly | |
| 41B000 | unknown | page readonly | |
| 2C40000 | heap | page read and write | |
| 2D90000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 400000 | unknown | page readonly | |
| E1B000 | unknown | page readonly | |
| 400000 | unknown | page readonly | |
| 9C000 | stack | page read and write | |
| 221B000 | unknown | page readonly | |
| 2C4A000 | heap | page read and write | |
| 31F0000 | heap | page read and write | |
| 181B000 | unknown | page readonly | |
| 181B000 | unknown | page readonly | |
| E1B000 | unknown | page readonly | |
| 2C6D000 | heap | page read and write | |
| 181B000 | unknown | page readonly | |
| 2C10000 | heap | page read and write | |
| 415000 | unknown | page write copy | |
| 401000 | unknown | page execute read | |
| 41B000 | unknown | page readonly | |