Files
File Path
|
Type
|
Category
|
Malicious
|
|
---|---|---|---|---|
z74Danfe-Pedido18042024.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44
2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page:
1252, Revision Number: {DD993ABA-9729-4475-A5BC-6864DC14D27F}, Number of Words: 10, Subject: ERROR CODE HG955, Author: ERROR
CODE HG955, Name of Creating Application: ERROR CODE HG955, Template: ;1033, Title: Installation Database, Keywords: Installer,
MSI, Database, Number of Pages: 200
|
initial sample
|
||
C:\Windows\Installer\MSIEB0E.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
modified
|
||
C:\Config.Msi\3fe5ac.rbs
|
data
|
dropped
|
||
C:\Windows\Installer\3fe5aa.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44
2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page:
1252, Revision Number: {DD993ABA-9729-4475-A5BC-6864DC14D27F}, Number of Words: 10, Subject: ERROR CODE HG955, Author: ERROR
CODE HG955, Name of Creating Application: ERROR CODE HG955, Template: ;1033, Title: Installation Database, Keywords: Installer,
MSI, Database, Number of Pages: 200
|
dropped
|
||
C:\Windows\Installer\MSIE7CD.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
C:\Windows\Installer\MSIE9B2.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
C:\Windows\Installer\MSIE9F2.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
C:\Windows\Installer\MSIEA22.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
C:\Windows\Installer\MSIEAAF.tmp
|
data
|
dropped
|
||
C:\Windows\Installer\SourceHash{9XN9QFT6-WNZ1-LF3K-NWEH-ACNS66NN198E}
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Installer\inprogressinstallinfo.ipi
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
|
Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
|
dropped
|
||
C:\Windows\Temp\~DF04304042ADA1D6D6.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Temp\~DF0F4DA3A5959B3C9E.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DF1653F046637533A2.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DF175B0FC15E1A179F.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Temp\~DF25C9EEEE7970C24C.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DF2E95AA08D1534641.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Temp\~DF40C4035892004E7E.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DF7CB59B185342B1CD.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DFAE41464F5BE4401F.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Temp\~DFD618752C56A54805.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Temp\~DFE1E62D224D5A3E0C.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DFEE522923D060C0FD.TMP
|
data
|
dropped
|
There are 14 hidden files, click here to show them.
Processes
Path
|
Cmdline
|
Malicious
|
|
---|---|---|---|
C:\Windows\System32\msiexec.exe
|
"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\z74Danfe-Pedido18042024.msi"
|
||
C:\Windows\System32\msiexec.exe
|
C:\Windows\system32\msiexec.exe /V
|
||
C:\Windows\SysWOW64\msiexec.exe
|
C:\Windows\syswow64\MsiExec.exe -Embedding 1C7E3F55ED6D09ACA17E3C87A2751193
|
URLs
Name
|
IP
|
Malicious
|
|
---|---|---|---|
https://www.advancedinstaller.com
|
unknown
|
||
http://108.165.96.149/p19.zip
|
unknown
|
||
http://www.indyproject.org/
|
unknown
|
||
https://www.thawte.com/cps0/
|
unknown
|
||
https://www.thawte.com/repository0W
|
unknown
|
Registry
Path
|
Value
|
Malicious
|
|
---|---|---|---|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Owner
|
||
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
SessionHash
|
||
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Sequence
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Config.Msi\
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
|
C:\Config.Msi\3fe5ac.rbs
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
|
C:\Config.Msi\3fe5ac.rbsLow
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Users\user\AppData\Roaming\Microsoft\Installer\
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Users\user\AppData\Roaming\ERROR CODE HG955\ERROR CODE HG955\
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Users\user\AppData\Roaming\ERROR CODE HG955\
|