IOC Report
QuickTimeInstaller.exe

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| QuickTimeInstaller.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | |
| C:\Users\user\AppData\Local\Temp\IXP705.TMP\AppleApplicationSupport.msi | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1256, Title: Installation Database, Subject: Apple, Author: Apple Inc., Keywords: Installer,MSI,Database, Comments: Apple 2.3.6, Create Time/Date: Sat Sep 14 04:45:10 2013, Name of Creating Application: Windows Installer XML (3.5.2519.0), Security: 4, Template: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053,1025, Last Saved By: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053,1025, Revision Number: {46F044A5-CE8B-4196-984E-5BD6525E361D}2.3.6;{46F044A5-CE8B-4196-984E-5BD6525E361D}2.3.6;{529316F8-601C-48AB-BAF6-D9E09938D8D3}, Number of Pages: 300, Number of Characters: 131135 | dropped | |
| C:\Users\user\AppData\Local\Temp\IXP705.TMP\AppleSoftwareUpdate.msi | Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Instalador da Actualizao de Software Apple, Author: Apple Inc., Keywords: Installer,MSI,Database, Comments: Apple Software Update 2.1.3.127, Create Time/Date: Tue Jun 21 23:23:46 2011, Name of Creating Application: Windows Installer XML (3.5.2519.0), Security: 4, Template: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053, Last Saved By: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053, Revision Number: {789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}2.1.3.127;{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}2.1.3.127;{58E373E7-C6D5-4691-885F-721D3B317918}, Number of Pages: 200, Number of Characters: 131135 | dropped | |
| C:\Users\user\AppData\Local\Temp\IXP705.TMP\QuickTime.msi | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Instalador do QuickTime, Author: Apple Inc., Keywords: Installer,MSI,Database, Comments: QuickTime 7 - 7.79.80.95, Create Time/Date: Tue Dec 15 15:17:18 2015, Name of Creating Application: Windows Installer XML v2.0.3220.0 (candle/light), Security: 1, Template: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053, Last Saved By: Intel;1033,1036,1031,1041,1043,1040,1028,2052,1034,1030,1035,1042,1044,1045,2070,1046,1049,1053, Revision Number: {FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}7.79.80.95;{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}7.79.80.95;{AA4138E3-09D5-4256-9207-6DDB76D12955}, Number of Pages: 110, Number of Characters: 153485312 | dropped | |
| C:\Users\user\AppData\Local\Temp\IXP705.TMP\QuickTimeInstallerAdmin.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI297E.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI29ED.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI2A4C.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI2AD9.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI2B28.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI2B68.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\QTInstallCode.log | ASCII text, with CRLF line terminators | modified | |
| C:\Users\user\AppData\Local\Temp\QuickTimeInstaller1914.log | ASCII text, with CRLF line terminators | dropped | |

3 additional files are not shown in this extract of the report.

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\QuickTimeInstaller.exe | "C:\Users\user\Desktop\QuickTimeInstaller.exe" | |
| C:\Windows\SysWOW64\msiexec.exe | "C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\IXP705.TMP\QuickTime.msi" | |
| C:\Windows\System32\msiexec.exe | C:\Windows\system32\msiexec.exe /V | |
| C:\Windows\SysWOW64\msiexec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding AF7759F71D07749EDCEA18A4E40A5B0C C | |

URLs

| Name | IP | Malicious |
|---|---|---|
| HTTP://WWW.MPEGLA.COM. | unknown | |
| http://www.mpegla.com | unknown | |
| http://crl.thawte.com/ThawteTimestampingCA.crl0 | unknown | |
| http://ocsp.thawte.com0 | unknown | |

Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | Blob | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | Blob | |
| HKEY_CURRENT_USER\SOFTWARE\Apple Computer, Inc.\QuickTime\LocalUserPreferences | FolderPath | |

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 2C64000 | heap | page read and write | |
| 412000 | unknown | page readonly | |
| 415000 | unknown | page read and write | |
| 417000 | unknown | page read and write | |
| 221B000 | unknown | page readonly | |
| 2C4E000 | heap | page read and write | |
| E1B000 | unknown | page readonly | |
| 2C00000 | heap | page read and write | |
| 31E0000 | heap | page read and write | |
| 19C000 | stack | page read and write | |
| 2C76000 | heap | page read and write | |
| 41B000 | unknown | page readonly | |
| 221B000 | unknown | page readonly | |
| 2C6D000 | heap | page read and write | |
| 412000 | unknown | page readonly | |
| 41B000 | unknown | page readonly | |
| 2C40000 | heap | page read and write | |
| 2D90000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 400000 | unknown | page readonly | |
| E1B000 | unknown | page readonly | |
| 400000 | unknown | page readonly | |
| 9C000 | stack | page read and write | |
| 221B000 | unknown | page readonly | |
| 2C4A000 | heap | page read and write | |
| 31F0000 | heap | page read and write | |
| 181B000 | unknown | page readonly | |
| 181B000 | unknown | page readonly | |
| E1B000 | unknown | page readonly | |
| 2C6D000 | heap | page read and write | |
| 181B000 | unknown | page readonly | |
| 2C10000 | heap | page read and write | |
| 415000 | unknown | page write copy | |
| 401000 | unknown | page execute read | |
| 41B000 | unknown | page readonly | |

25 additional memdumps are not shown in this extract of the report.