Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
aMail_Ver1.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
||
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
|
Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks,
0x1 compression
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
|
Certificate, Version=3
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
|
data
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\AN5UOLP8\WSML3T3I.log
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
modified
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\C7S8M5VS\aMail[1].vsto
|
XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10116), with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\Deployment\135WTG68.YRB\HGGB98OY.93M.application
|
XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10116), with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\Deployment\QDRG8X6X.MRC\9Q4O68KE.51L\aMail.dll.manifest
|
XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (10087), with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\VSDEC4.tmp\install.log
|
data
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\aMail_Ver1.exe
|
"C:\Users\user\Desktop\aMail_Ver1.exe"
|
||
|
C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
|
VSTOInstaller.exe /install https://system.asite.com/aMail_Installer/aMail.vsto
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://system.asite.com/aMail_Installer/aMail.vsto&
|
unknown
|
||
|
https://system.asite.com/aMail_Installer/aMail.vsto-AllOS-ENU.exe
|
unknown
|
||
|
https://system.asite.com/aMail_Installer/F47D3D
|
unknown
|
||
|
https://system.asite.com/
|
unknown
|
||
|
https://system.asite.com/aMail_Installer/aMail.vstol
|
unknown
|
||
|
https://system.asite.com/aMail_Installer/TruePABegin
|
unknown
|
||
|
https://system.asite.com/aMail_Installer/aMail.vstoLMEMh
|
unknown
|
||
|
https://system.asite.com/aMail_Installer/aMail.vstoC:
|
unknown
|
||
|
https://system.asite.com/aMail_Installer/BDF279
|
unknown
|
||
|
https://system.asite.com/UJ
|
unknown
|
||
|
https://system.asite.com/aMail_Installer/aMail.vstoR
|
unknown
|
||
|
https://system.asite.com/aMail_Installer/aMail.vstoex
|
unknown
|
||
|
https://system.asite.com/aMail_Installer/Application%20Files/aMail_2_0_0_3/aMail.dll.manifest
|
72.21.92.220
|
||
|
https://system.asite.com/aMail_Installer/aMail.vsto0
|
unknown
|
||
|
https://system.asite.com/aMail_Installer/aMail.vstoRRC:
|
unknown
|
||
|
https://system.asite.com/aMail_Installer/aMail.vsto
|
72.21.92.220
|
There are 6 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
cs195.adn.deltacdn.net
|
72.21.92.220
|
||
|
fp2e7a.wpc.phicdn.net
|
192.229.211.108
|
||
|
system.asite.com
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
72.21.92.220
|
cs195.adn.deltacdn.net
|
United States
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\863B0E4D270BF0E3C1BC13FDCDEAD53E5AE09E163A0364B324EC12450D2C7B6A
|
UninstallString
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\863B0E4D270BF0E3C1BC13FDCDEAD53E5AE09E163A0364B324EC12450D2C7B6A
|
UrlUpdateInfo
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\863B0E4D270BF0E3C1BC13FDCDEAD53E5AE09E163A0364B324EC12450D2C7B6A
|
NoModify
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\863B0E4D270BF0E3C1BC13FDCDEAD53E5AE09E163A0364B324EC12450D2C7B6A
|
NoRepair
|
||
|
HKEY_CURRENT_USER_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
|
ComponentStore_RandomString
|
||
|
HKEY_CURRENT_USER_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0
|
ComponentStore_RandomString
|
||
|
HKEY_CURRENT_USER_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager
|
StateStore_RandomString
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VSTOInstaller_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VSTOInstaller_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VSTOInstaller_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VSTOInstaller_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VSTOInstaller_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VSTOInstaller_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VSTOInstaller_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VSTOInstaller_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VSTOInstaller_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VSTOInstaller_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VSTOInstaller_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VSTOInstaller_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VSTOInstaller_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\VSTOInstaller_RASMANCS
|
FileDirectory
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\863B0E4D270BF0E3C1BC13FDCDEAD53E5AE09E163A0364B324EC12450D2C7B6A
|
DisplayName
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\863B0E4D270BF0E3C1BC13FDCDEAD53E5AE09E163A0364B324EC12450D2C7B6A
|
Publisher
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\863B0E4D270BF0E3C1BC13FDCDEAD53E5AE09E163A0364B324EC12450D2C7B6A
|
DisplayVersion
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\VSTO\Security\Inclusion\0175bf24-f0a3-4cc6-a020-204e1e4a320f
|
Url
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\VSTO\Security\Inclusion\0175bf24-f0a3-4cc6-a020-204e1e4a320f
|
PublicKey
|
There are 17 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
4676000
|
heap
|
page read and write
|
||
|
73A5000
|
heap
|
page read and write
|
||
|
4395000
|
stack
|
page read and write
|
||
|
69CE000
|
stack
|
page read and write
|
||
|
73A8000
|
heap
|
page read and write
|
||
|
8DFE000
|
stack
|
page read and write
|
||
|
64F0000
|
heap
|
page read and write
|
||
|
698E000
|
stack
|
page read and write
|
||
|
8B9E000
|
stack
|
page read and write
|
||
|
D1000
|
unkown
|
page execute read
|
||
|
467F000
|
heap
|
page read and write
|
||
|
4659000
|
heap
|
page read and write
|
||
|
4610000
|
heap
|
page read and write
|
||
|
64D0000
|
heap
|
page read and write
|
||
|
4ACD000
|
stack
|
page read and write
|
||
|
46BD000
|
heap
|
page read and write
|
||
|
135000
|
unkown
|
page readonly
|
||
|
46B2000
|
heap
|
page read and write
|
||
|
46DF000
|
heap
|
page read and write
|
||
|
479D000
|
stack
|
page read and write
|
||
|
73AA000
|
heap
|
page read and write
|
||
|
467B000
|
heap
|
page read and write
|
||
|
4399000
|
stack
|
page read and write
|
||
|
4BCE000
|
stack
|
page read and write
|
||
|
46CB000
|
heap
|
page read and write
|
||
|
463C000
|
heap
|
page read and write
|
||
|
46E1000
|
heap
|
page read and write
|
||
|
6A1E000
|
stack
|
page read and write
|
||
|
4638000
|
heap
|
page read and write
|
||
|
4710000
|
heap
|
page readonly
|
||
|
728E000
|
stack
|
page read and write
|
||
|
4600000
|
heap
|
page read and write
|
||
|
46C3000
|
heap
|
page read and write
|
||
|
64F9000
|
heap
|
page read and write
|
||
|
8D9F000
|
stack
|
page read and write
|
||
|
47B0000
|
heap
|
page read and write
|
||
|
47B5000
|
heap
|
page read and write
|
||
|
738F000
|
stack
|
page read and write
|
||
|
4618000
|
heap
|
page read and write
|
||
|
4698000
|
heap
|
page read and write
|
||
|
8A9C000
|
stack
|
page read and write
|
||
|
137000
|
unkown
|
page readonly
|
||
|
4A8E000
|
stack
|
page read and write
|
||
|
7250000
|
remote allocation
|
page read and write
|
||
|
8C9F000
|
stack
|
page read and write
|
||
|
694C000
|
stack
|
page read and write
|
||
|
73A2000
|
heap
|
page read and write
|
||
|
6A30000
|
heap
|
page read and write
|
||
|
132000
|
unkown
|
page write copy
|
||
|
73A0000
|
heap
|
page read and write
|
||
|
47A0000
|
heap
|
page read and write
|
||
|
138000
|
unkown
|
page readonly
|
||
|
46C4000
|
heap
|
page read and write
|
||
|
46EB000
|
heap
|
page read and write
|
||
|
64B0000
|
heap
|
page read and write
|
||
|
6A40000
|
trusted library allocation
|
page read and write
|
||
|
68F0000
|
heap
|
page read and write
|
||
|
135000
|
unkown
|
page readonly
|
||
|
4693000
|
heap
|
page read and write
|
||
|
4661000
|
heap
|
page read and write
|
||
|
4696000
|
heap
|
page read and write
|
||
|
D0000
|
unkown
|
page readonly
|
||
|
475D000
|
stack
|
page read and write
|
||
|
498E000
|
stack
|
page read and write
|
||
|
463C000
|
heap
|
page read and write
|
||
|
76A0000
|
heap
|
page read and write
|
||
|
64F5000
|
heap
|
page read and write
|
||
|
46F0000
|
heap
|
page read and write
|
||
|
132000
|
unkown
|
page read and write
|
||
|
6A33000
|
heap
|
page read and write
|
||
|
7250000
|
remote allocation
|
page read and write
|
||
|
46B2000
|
heap
|
page read and write
|
||
|
4299000
|
stack
|
page read and write
|
||
|
465E000
|
heap
|
page read and write
|
||
|
4645000
|
heap
|
page read and write
|
||
|
4638000
|
heap
|
page read and write
|
||
|
8EFE000
|
stack
|
page read and write
|
||
|
46BC000
|
heap
|
page read and write
|
||
|
46D0000
|
heap
|
page read and write
|
||
|
7250000
|
remote allocation
|
page read and write
|
||
|
466D000
|
heap
|
page read and write
|
There are 71 hidden memdumps, click here to show them.