Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
ProSheets.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44
2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page:
1252, Revision Number: {F6295B92-0736-49E6-B20A-DDD980CE5611}, Number of Words: 2, Subject: ProSheets, Author: DiRoots Ltd.,
Name of Creating Application: ProSheets, Template: ;1033, Comments: This installer database contains the logic and data required
to install ProSheets., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
|
CSV text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSI4f38f.LOG
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIBBF.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\CustomAction.config
|
XML 1.0 document, ASCII text
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\Microsoft.Deployment.WindowsInstaller.dll
|
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\SetUpTrackerSelection.dll
|
PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\SetUpTrackerSelection.pdb
|
MSVC program database ver 7.00, 512*91 bytes
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIF237.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIF2B5.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIF2F4.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIF315.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIF373.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
There are 3 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\SysWOW64\rundll32.exe
|
rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBBF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5573593 24 SetUpTrackerSelection!SetUpTrackerSelection.CustomActions.SendInstallErrorMsg
|
|
|
|
C:\Windows\System32\msiexec.exe
|
"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ProSheets.msi"
|
||
|
C:\Windows\System32\msiexec.exe
|
C:\Windows\system32\msiexec.exe /V
|
||
|
C:\Windows\SysWOW64\msiexec.exe
|
C:\Windows\syswow64\MsiExec.exe -Embedding DE2667B8AFF59C1FD16112738283BE86 C
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://api.diroots.com/api/v1/tracker?User=90a4c0a8dc9fe6c0587a2d645e893988&Action=InstallationError&ParentApp=ProSheets&ParentAppVersion=1.2.10.0&App=ProSheets&AppVersion=1.2.10.0&Platform=Revit&PlatformVersion=2021&Description=
|
217.182.69.200
|
|
|
|
https://diroots.com/terms-and-conditions
|
unknown
|
||
|
http://wixtoolset.org/releases/
|
unknown
|
||
|
https://api.diroots.com/api/v1/tracker?User=90a4c0a8dc9fe6c0587a2d645e893988&Action=InstallationErro
|
unknown
|
||
|
http://api.diroots.com
|
unknown
|
||
|
http://wixtoolset.org
|
unknown
|
||
|
https://www.thawte.com/cps0/
|
unknown
|
||
|
https://diroots.com/privacy-policy/
|
unknown
|
||
|
https://www.thawte.com/repository0W
|
unknown
|
||
|
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
|
unknown
|
||
|
https://www.advancedinstaller.com
|
unknown
|
||
|
https://api.diroot
|
unknown
|
||
|
http://wixtoolset.org/news/
|
unknown
|
||
|
https://api.diroots.com/api/v1/tracker
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://api.diroots.com
|
unknown
|
There are 6 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
api.diroots.com
|
217.182.69.200
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
217.182.69.200
|
api.diroots.com
|
France
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\rundll32_RASMANCS
|
FileDirectory
|
There are 5 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
A80000
|
heap
|
page read and write
|
||
|
7F018000
|
trusted library allocation
|
page execute and read and write
|
||
|
A85000
|
heap
|
page read and write
|
||
|
46C0000
|
heap
|
page read and write
|
||
|
49E0000
|
trusted library allocation
|
page read and write
|
||
|
4714000
|
trusted library allocation
|
page read and write
|
||
|
6D00000
|
trusted library allocation
|
page execute and read and write
|
||
|
489C000
|
stack
|
page read and write
|
||
|
AEA000
|
heap
|
page read and write
|
||
|
7180000
|
heap
|
page read and write
|
||
|
72BE000
|
stack
|
page read and write
|
||
|
4810000
|
heap
|
page read and write
|
||
|
D2E000
|
stack
|
page read and write
|
||
|
4A1F000
|
trusted library allocation
|
page read and write
|
||
|
B0F000
|
heap
|
page read and write
|
||
|
4713000
|
trusted library allocation
|
page execute and read and write
|
||
|
4A10000
|
trusted library allocation
|
page read and write
|
||
|
7F000000
|
trusted library allocation
|
page execute and read and write
|
||
|
B2B000
|
heap
|
page read and write
|
||
|
6E90000
|
heap
|
page read and write
|
||
|
4720000
|
trusted library allocation
|
page read and write
|
||
|
B80000
|
heap
|
page read and write
|
||
|
6CE0000
|
trusted library allocation
|
page read and write
|
||
|
6D10000
|
trusted library allocation
|
page read and write
|
||
|
4800000
|
trusted library allocation
|
page read and write
|
||
|
4710000
|
trusted library allocation
|
page read and write
|
||
|
6CC3000
|
trusted library allocation
|
page read and write
|
||
|
BAE000
|
heap
|
page read and write
|
||
|
6E90000
|
remote allocation
|
page read and write
|
||
|
6CC0000
|
trusted library allocation
|
page read and write
|
||
|
4A0A000
|
trusted library allocation
|
page read and write
|
||
|
B28000
|
heap
|
page read and write
|
||
|
4A2C000
|
trusted library allocation
|
page read and write
|
||
|
49EB000
|
trusted library allocation
|
page read and write
|
||
|
BA1000
|
heap
|
page read and write
|
||
|
49CD000
|
trusted library allocation
|
page read and write
|
||
|
D6E000
|
stack
|
page read and write
|
||
|
6E2D000
|
stack
|
page read and write
|
||
|
4700000
|
trusted library allocation
|
page read and write
|
||
|
496E000
|
stack
|
page read and write
|
||
|
6DEF000
|
stack
|
page read and write
|
||
|
4724000
|
trusted library allocation
|
page read and write
|
||
|
6CE6000
|
trusted library allocation
|
page execute and read and write
|
||
|
49DD000
|
trusted library allocation
|
page read and write
|
||
|
6E90000
|
remote allocation
|
page read and write
|
||
|
47EE000
|
stack
|
page read and write
|
||
|
48A0000
|
heap
|
page execute and read and write
|
||
|
B1D000
|
heap
|
page read and write
|
||
|
4981000
|
trusted library allocation
|
page read and write
|
||
|
4A30000
|
trusted library allocation
|
page read and write
|
||
|
474B000
|
trusted library allocation
|
page execute and read and write
|
||
|
492E000
|
stack
|
page read and write
|
||
|
49B4000
|
heap
|
page read and write
|
||
|
48EE000
|
stack
|
page read and write
|
||
|
4770000
|
heap
|
page readonly
|
||
|
72FE000
|
stack
|
page read and write
|
||
|
47E2000
|
heap
|
page read and write
|
||
|
B0C000
|
heap
|
page read and write
|
||
|
DE0000
|
heap
|
page read and write
|
||
|
49E5000
|
trusted library allocation
|
page read and write
|
||
|
6E70000
|
trusted library allocation
|
page read and write
|
||
|
5985000
|
trusted library allocation
|
page read and write
|
||
|
49B8000
|
trusted library allocation
|
page read and write
|
||
|
471D000
|
trusted library allocation
|
page execute and read and write
|
||
|
4740000
|
trusted library allocation
|
page read and write
|
||
|
49D1000
|
trusted library allocation
|
page read and write
|
||
|
6CEC000
|
trusted library allocation
|
page execute and read and write
|
||
|
6CE9000
|
trusted library allocation
|
page execute and read and write
|
||
|
4970000
|
heap
|
page read and write
|
||
|
4747000
|
trusted library allocation
|
page execute and read and write
|
||
|
A70000
|
heap
|
page read and write
|
||
|
6CE3000
|
trusted library allocation
|
page read and write
|
||
|
B0D000
|
heap
|
page read and write
|
||
|
A90000
|
heap
|
page read and write
|
||
|
B9A000
|
heap
|
page read and write
|
||
|
B6E000
|
heap
|
page read and write
|
||
|
AE0000
|
heap
|
page read and write
|
||
|
47A0000
|
heap
|
page read and write
|
||
|
49C0000
|
trusted library allocation
|
page read and write
|
||
|
6EA0000
|
heap
|
page execute and read and write
|
||
|
7CB000
|
stack
|
page read and write
|
||
|
47B4000
|
heap
|
page read and write
|
||
|
485E000
|
stack
|
page read and write
|
||
|
DAF000
|
stack
|
page read and write
|
||
|
B77000
|
heap
|
page read and write
|
||
|
47F0000
|
trusted library allocation
|
page execute and read and write
|
||
|
BAA000
|
heap
|
page read and write
|
||
|
BA4000
|
heap
|
page read and write
|
||
|
49EE000
|
trusted library allocation
|
page read and write
|
||
|
6D50000
|
trusted library allocation
|
page read and write
|
||
|
6E6E000
|
stack
|
page read and write
|
||
|
706F000
|
stack
|
page read and write
|
||
|
4760000
|
trusted library allocation
|
page read and write
|
||
|
6E90000
|
remote allocation
|
page read and write
|
||
|
6DAE000
|
stack
|
page read and write
|
||
|
B86000
|
heap
|
page read and write
|
||
|
B06000
|
heap
|
page read and write
|
||
|
712E000
|
stack
|
page read and write
|
||
|
A38000
|
stack
|
page read and write
|
||
|
4742000
|
trusted library allocation
|
page read and write
|
||
|
716F000
|
stack
|
page read and write
|
||
|
6CF0000
|
trusted library allocation
|
page read and write
|
||
|
4788000
|
trusted library allocation
|
page read and write
|
||
|
702E000
|
stack
|
page read and write
|
||
|
B8C000
|
heap
|
page read and write
|
||
|
B8A000
|
heap
|
page read and write
|
||
|
6CD0000
|
trusted library allocation
|
page read and write
|
||
|
5981000
|
trusted library allocation
|
page read and write
|
||
|
CED000
|
stack
|
page read and write
|
There are 99 hidden memdumps, click here to show them.