Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| FACT64708.msi | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {99C5E16F-1B9A-4372-8446-788EB651135D}, Number of Words: 10, Subject: window1, Author: window1, Name of Creating Application: Advanced Installer 18.1 build 4fb1edbd, Template: ;1033, Comments: window1, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200 | initial sample | |
| C:\Windows\Installer\MSI5A28.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Windows\Installer\MSI5AF4.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Windows\Installer\MSI5B53.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Windows\Installer\MSI5BB2.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Windows\Installer\MSI5D1B.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | modified | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\json[1].json | JSON data | dropped | |
| C:\Windows\Installer\3e573a.msi | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {99C5E16F-1B9A-4372-8446-788EB651135D}, Number of Words: 10, Subject: window1, Author: window1, Name of Creating Application: Advanced Installer 18.1 build 4fb1edbd, Template: ;1033, Comments: window1, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200 | dropped | |
| C:\Windows\Installer\MSI5CBC.tmp | data | dropped | |
| C:\Windows\Installer\SourceHash{391D3F83-F57B-4C37-B67D-2C3B478539D3} | Composite Document File V2 Document, Cannot read section info | dropped | |
| C:\Windows\Installer\inprogressinstallinfo.ipi | Composite Document File V2 Document, Cannot read section info | dropped | |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | dropped | |
| C:\Windows\Temp\~DF0B319199736319C6.TMP | data | dropped | |
| C:\Windows\Temp\~DF15E57EF7A6220754.TMP | data | dropped | |

4 further files are hidden in the original report and are not listed here.
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Windows\SysWOW64\msiexec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding EC16BF9ACD034E20C79A272C76FEE245 | |
| C:\Windows\System32\msiexec.exe | "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\FACT64708.msi" | |
| C:\Windows\System32\msiexec.exe | C:\Windows\system32\msiexec.exe /V | |
URLs

| Name | IP | Malicious |
|---|---|---|
| https://ipinfo.io/missingauth | unknown | |
| https://www.advancedinstaller.com | unknown | |
| https://www.thawte.com/cps0/ | unknown | |
| https://www.thawte.com/repository0W | unknown | |
| https://ipinfo.io/json | 34.117.59.81 | |
Domains

| Name | IP | Malicious |
|---|---|---|
| ipinfo.io | 34.117.59.81 | |
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 34.117.59.81 | ipinfo.io | United States | |
| 89.44.9.236 | unknown | Romania | |
Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | Owner | |
| HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | SessionHash | |
| HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 | Sequence | |
Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 27084A4E000 | heap | page read and write | |
| 27084A4C000 | heap | page read and write | |
| 9DC5B7D000 | stack | page read and write | |
| 27084A5B000 | heap | page read and write | |
| 9DC5CF9000 | stack | page read and write | |
| 9DC5C7E000 | stack | page read and write | |
| 27084BF0000 | heap | page read and write | |
| 27084BD0000 | heap | page read and write | |
| 27084A08000 | heap | page read and write | |
| 27084D80000 | heap | page read and write | |
| 27084A4C000 | heap | page read and write | |
| 27084A6C000 | heap | page read and write | |
| 27084D8E000 | heap | page read and write | |
| 27084A44000 | heap | page read and write | |
| 27085880000 | trusted library allocation | page read and write | |
| 27084A10000 | heap | page read and write | |
| 27084C60000 | trusted library allocation | page read and write | |
| 27084980000 | heap | page read and write | |
| 27084D89000 | heap | page read and write | |
| 27084CC0000 | trusted library allocation | page read and write | |
| 27084A00000 | heap | page read and write | |
| 9DC5BF9000 | stack | page read and write | |
| 27084D85000 | heap | page read and write | |
| 27084D90000 | trusted library allocation | page read and write | |
| 27084D20000 | trusted library allocation | page read and write | |
| 27084D00000 | trusted library allocation | page read and write | |
| 9DC57EB000 | stack | page read and write | |
| 27084D30000 | trusted library allocation | page read and write | |
| 27084A5C000 | heap | page read and write | |
| 27084990000 | trusted library allocation | page read and write | |
| 27084A4C000 | heap | page read and write | |
| 27084C50000 | trusted library allocation | page read and write | |
| 27085A90000 | trusted library allocation | page read and write | |
| 27084D10000 | heap | page readonly | |

24 further memdumps are hidden in the original report and are not listed here.