Files
File Path
|
Type
|
Category
|
Malicious
|
|
---|---|---|---|---|
bjV3GBQ5r2.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44
2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page:
1252, Revision Number: {F66FE8C9-DAEB-4CA6-865B-077E0B8F6CAF}, Number of Words: 10, Subject: ERROR CODE HG224, Author: ERROR
CODE HG224, Name of Creating Application: ERROR CODE HG224, Template: ;1033, Title: Installation Database, Keywords: Installer,
MSI, Database, Number of Pages: 200
|
initial sample
|
||
C:\Windows\Installer\MSI721F.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
modified
|
||
C:\Config.Msi\546bb3.rbs
|
data
|
dropped
|
||
C:\Windows\Installer\546bb1.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44
2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page:
1252, Revision Number: {F66FE8C9-DAEB-4CA6-865B-077E0B8F6CAF}, Number of Words: 10, Subject: ERROR CODE HG224, Author: ERROR
CODE HG224, Name of Creating Application: ERROR CODE HG224, Template: ;1033, Title: Installation Database, Keywords: Installer,
MSI, Database, Number of Pages: 200
|
dropped
|
||
C:\Windows\Installer\MSI6E90.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
C:\Windows\Installer\MSI6FAA.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
C:\Windows\Installer\MSI6FF9.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
C:\Windows\Installer\MSI7029.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
C:\Windows\Installer\MSI71D0.tmp
|
data
|
dropped
|
||
C:\Windows\Installer\SourceHash{637ICRSG-SKAC-UHI2-LU64-1Y36FU2LHG9Z}
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Installer\inprogressinstallinfo.ipi
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
|
Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
|
dropped
|
||
C:\Windows\Temp\~DF2325A14DD6D446DF.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DF435D4173FDDE1233.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DF68DCC9EDB95B744B.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Temp\~DF6DAA908182762267.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DF6ED041F70C6FF605.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Temp\~DF71F7C8B5F9D9FFA5.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DF7326AB146375DB63.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Temp\~DF877EF5614980297B.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DF89C1447B0A4AA6B2.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DFA15B18F81DC3F78A.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Temp\~DFB4CECB36B775B078.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DFDB10A7FA3D1A4FA7.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
There are 14 hidden files, click here to show them.
Processes
Path
|
Cmdline
|
Malicious
|
|
---|---|---|---|
C:\Windows\System32\msiexec.exe
|
"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\bjV3GBQ5r2.msi"
|
||
C:\Windows\System32\msiexec.exe
|
C:\Windows\system32\msiexec.exe /V
|
||
C:\Windows\SysWOW64\msiexec.exe
|
C:\Windows\syswow64\MsiExec.exe -Embedding 958C8A6086A8D83C0EF1BEB8D5408F09
|
URLs
Name
|
IP
|
Malicious
|
|
---|---|---|---|
http://www.indyproject.org/
|
unknown
|
||
http://45.61.149.27/index.php
|
unknown
|
Registry
Path
|
Value
|
Malicious
|
|
---|---|---|---|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
|
Blob
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
|
Blob
|
||
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Owner
|
||
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
SessionHash
|
||
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Sequence
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Config.Msi\
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
|
C:\Config.Msi\546bb3.rbs
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
|
C:\Config.Msi\546bb3.rbsLow
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Users\user\AppData\Roaming\Microsoft\Installer\
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Users\user\AppData\Roaming\ERROR CODE HG224\ERROR CODE HG224\
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Users\user\AppData\Roaming\ERROR CODE HG224\
|
There are 1 hidden registries, click here to show them.