Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| avp.msi | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {117CFEB2-6376-4FA5-ACE4-CD1494F2E3DD}, Number of Words: 10, Subject: GeoTdata, Author: Since Flawer, Name of Creating Application: GeoTdata, Template: ;1033, Comments: This installer database contains the logic and data required to install GeoTdata., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200 | initial sample | |
| C:\Users\user\AppData\Local\Temp\MSI1B7B.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI1C09.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI1C29.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI1C4A.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI1C6A.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Temp\MSI1C9A.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\sharepoint\forcedelctl.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Windows\Installer\MSI1DEC.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Windows\Installer\MSI1E99.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Config.Msi\651cf3.rbs | data | modified | |
| C:\Windows\Installer\651cf2.msi | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {117CFEB2-6376-4FA5-ACE4-CD1494F2E3DD}, Number of Words: 10, Subject: GeoTdata, Author: Since Flawer, Name of Creating Application: GeoTdata, Template: ;1033, Comments: This installer database contains the logic and data required to install GeoTdata., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200 | dropped | |
| C:\Windows\Installer\MSI1F37.tmp | data | dropped | |
| C:\Windows\Installer\SourceHash{52EF198D-0C6C-406A-803F-F86D93DD7930} | Composite Document File V2 Document, Cannot read section info | dropped | |
| C:\Windows\Installer\inprogressinstallinfo.ipi | Composite Document File V2 Document, Cannot read section info | dropped | |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | dropped | |
| C:\Windows\Temp\~DF341066AD21468A34.TMP | data | dropped | |
| C:\Windows\Temp\~DF8D5330CF8902C66C.TMP | Composite Document File V2 Document, Cannot read section info | dropped | |
| C:\Windows\Temp\~DFEC7D49F85E5735A0.TMP | data | dropped | |
| C:\Windows\Temp\~DFED361DB57782FD8E.TMP | data | dropped | |
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Windows\System32\msiexec.exe | "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\avp.msi" | |
| C:\Windows\System32\msiexec.exe | C:\Windows\system32\msiexec.exe /V | |
| C:\Windows\SysWOW64\msiexec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding C10F74E54A153762865D83F4FD97627E C | |
| C:\Windows\SysWOW64\msiexec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding E8F250EF0BB0858F7D9FA6A616305218 | |
URLs

| Name | IP | Malicious |
|---|---|---|
| http://85.239.53.219/api/gateway | 85.239.53.219 | |
| http://85.239.53.219/api/7f841ea3-c875-6dfd-678b-29dc794014c1/tasks | 85.239.53.219 | |
| https://api.ipify.org/ | 104.26.12.205 | |
| https://www.advancedinstaller.com | unknown | |
| https://www.thawte.com/cps0/ | unknown | |
| https://www.thawte.com/repository0W | unknown | |
Domains

| Name | IP | Malicious |
|---|---|---|
| api.ipify.org | 104.26.12.205 | |
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 85.239.53.219 | unknown | Russian Federation | |
| 104.26.12.205 | api.ipify.org | United States | |
Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Owner | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | SessionHash | |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Sequence | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders | C:\Config.Msi\ | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts | C:\Config.Msi\651cf3.rbs | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts | C:\Config.Msi\651cf3.rbsLow | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders | C:\Users\user\AppData\Roaming\Microsoft\Installer\ | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\C72CC84B32896524285338B4DFD2D0BB | D891FE25C6C0A60408F38FD639DD9703 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\F5D323A437D662C4E893EB9882AD31BE | D891FE25C6C0A60408F38FD639DD9703 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\9C6DE896D6026BB4FBD3C80F282F6992 | D891FE25C6C0A60408F38FD639DD9703 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\5B54D661D32DB764BBEDE95F3A9BC10B | D891FE25C6C0A60408F38FD639DD9703 | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders | C:\Users\user\AppData\Roaming\Since Flawer\GeoTdata\ | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders | C:\Users\user\AppData\Roaming\Since Flawer\ | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders | C:\Users\user\AppData\Local\New Folder\ | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders | C:\Users\user\AppData\Local\sharepoint\ | |
| HKEY_CURRENT_USER\SOFTWARE\Since Flawer\GeoTdata | Version | |
| HKEY_CURRENT_USER\SOFTWARE\Since Flawer\GeoTdata | Path | |