Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
dK5DtwHlOm.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
||
|
C:\Users\user\AppData\Local\Temp\MSI9977.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSI99D6.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIb9e58.LOG
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\shi9909.tmp
|
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install\9629E8B\Installer.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44
2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page:
1252, Revision Number: {A14A8F8E-54FE-43B0-84DE-DDD8EBDB97D1}, Number of Words: 0, Subject: EditPro Ai, Author: Restricted
editor savers, Name of Creating Application: EditPro Ai, Template: ;1033, Comments: This installer database contains the logic
and data required to install EditPro Ai., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages:
200
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install\decoder.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install\holder0.aiph
|
data
|
dropped
|
||
|
C:\Windows\Installer\5b9aaf.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44
2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page:
1252, Revision Number: {A14A8F8E-54FE-43B0-84DE-DDD8EBDB97D1}, Number of Words: 0, Subject: EditPro Ai, Author: Restricted
editor savers, Name of Creating Application: EditPro Ai, Template: ;1033, Comments: This installer database contains the logic
and data required to install EditPro Ai., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages:
200
|
dropped
|
||
|
C:\Windows\Installer\MSI9D2F.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Windows\Installer\MSI9DCC.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Windows\Installer\MSI9E0C.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Windows\Installer\MSI9E2C.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
modified
|
||
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
|
Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
|
dropped
|
There are 4 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\dK5DtwHlOm.exe
|
"C:\Users\user\Desktop\dK5DtwHlOm.exe"
|
||
|
C:\Windows\System32\msiexec.exe
|
C:\Windows\system32\msiexec.exe /V
|
||
|
C:\Windows\SysWOW64\msiexec.exe
|
C:\Windows\syswow64\MsiExec.exe -Embedding 9AEE7218D2031C6F2AE76EA651368327 C
|
||
|
C:\Windows\SysWOW64\msiexec.exe
|
"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\Restricted editor savers\EditPro Ai 1.131.2\install\9629E8B\Installer.msi"
AI_SETUPEXEPATH=C:\Users\user\Desktop\dK5DtwHlOm.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup
/wintime 1731488655 " AI_EUIMSI=""
|
||
|
C:\Windows\SysWOW64\msiexec.exe
|
C:\Windows\syswow64\MsiExec.exe -Embedding A37C39DFED73779FFC80EA38DF9643CA
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://html4/loose.dtd
|
unknown
|
||
|
https://www.advancedinstaller.com
|
unknown
|
||
|
https://www.thawte.com/cps0/
|
unknown
|
||
|
http://.css
|
unknown
|
||
|
http://.jpg
|
unknown
|
||
|
https://www.thawte.com/repository0W
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Owner
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
SessionHash
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Sequence
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
4326000
|
heap
|
page read and write
|
||
|
1248000
|
heap
|
page read and write
|
||
|
1299000
|
heap
|
page read and write
|
||
|
1223000
|
heap
|
page read and write
|
||
|
433F000
|
heap
|
page read and write
|
||
|
4323000
|
heap
|
page read and write
|
||
|
4325000
|
heap
|
page read and write
|
||
|
1293000
|
heap
|
page read and write
|
||
|
C83000
|
unkown
|
page write copy
|
||
|
1224000
|
heap
|
page read and write
|
||
|
1212000
|
heap
|
page read and write
|
||
|
4344000
|
heap
|
page read and write
|
||
|
434E000
|
heap
|
page read and write
|
||
|
4301000
|
heap
|
page read and write
|
||
|
1290000
|
heap
|
page read and write
|
||
|
432C000
|
heap
|
page read and write
|
||
|
1290000
|
heap
|
page read and write
|
||
|
11CB000
|
heap
|
page read and write
|
||
|
4344000
|
heap
|
page read and write
|
||
|
429F000
|
stack
|
page read and write
|
||
|
126A000
|
heap
|
page read and write
|
||
|
BF9000
|
unkown
|
page readonly
|
||
|
120F000
|
heap
|
page read and write
|
||
|
BF9000
|
unkown
|
page readonly
|
||
|
434E000
|
heap
|
page read and write
|
||
|
124C000
|
heap
|
page read and write
|
||
|
125A000
|
heap
|
page read and write
|
||
|
4331000
|
heap
|
page read and write
|
||
|
3020000
|
heap
|
page read and write
|
||
|
1254000
|
heap
|
page read and write
|
||
|
433F000
|
heap
|
page read and write
|
||
|
124C000
|
heap
|
page read and write
|
||
|
1215000
|
heap
|
page read and write
|
||
|
9E0000
|
unkown
|
page readonly
|
||
|
2DA0000
|
heap
|
page read and write
|
||
|
4341000
|
heap
|
page read and write
|
||
|
9E1000
|
unkown
|
page execute read
|
||
|
1277000
|
heap
|
page read and write
|
||
|
1224000
|
heap
|
page read and write
|
||
|
124C000
|
heap
|
page read and write
|
||
|
419E000
|
stack
|
page read and write
|
||
|
123D000
|
heap
|
page read and write
|
||
|
1252000
|
heap
|
page read and write
|
||
|
434C000
|
heap
|
page read and write
|
||
|
2FFE000
|
stack
|
page read and write
|
||
|
1218000
|
heap
|
page read and write
|
||
|
5BAE000
|
stack
|
page read and write
|
||
|
58F0000
|
direct allocation
|
page read and write
|
||
|
2EF4000
|
heap
|
page read and write
|
||
|
2FAE000
|
stack
|
page read and write
|
||
|
1289000
|
heap
|
page read and write
|
||
|
4342000
|
heap
|
page read and write
|
||
|
129C000
|
heap
|
page read and write
|
||
|
434E000
|
heap
|
page read and write
|
||
|
3960000
|
trusted library allocation
|
page read and write
|
||
|
1286000
|
heap
|
page read and write
|
||
|
1223000
|
heap
|
page read and write
|
||
|
434C000
|
heap
|
page read and write
|
||
|
1247000
|
heap
|
page read and write
|
||
|
4323000
|
heap
|
page read and write
|
||
|
124A000
|
heap
|
page read and write
|
||
|
9E0000
|
unkown
|
page readonly
|
||
|
430B000
|
heap
|
page read and write
|
||
|
1242000
|
heap
|
page read and write
|
||
|
1268000
|
heap
|
page read and write
|
||
|
C7F000
|
unkown
|
page read and write
|
||
|
1251000
|
heap
|
page read and write
|
||
|
2DEE000
|
stack
|
page read and write
|
||
|
1266000
|
heap
|
page read and write
|
||
|
1296000
|
heap
|
page read and write
|
||
|
1243000
|
heap
|
page read and write
|
||
|
1210000
|
heap
|
page read and write
|
||
|
1217000
|
heap
|
page read and write
|
||
|
123A000
|
heap
|
page read and write
|
||
|
1269000
|
heap
|
page read and write
|
||
|
C7F000
|
unkown
|
page write copy
|
||
|
C88000
|
unkown
|
page readonly
|
||
|
122C000
|
heap
|
page read and write
|
||
|
9E1000
|
unkown
|
page execute read
|
||
|
11E8000
|
heap
|
page read and write
|
||
|
434C000
|
heap
|
page read and write
|
||
|
4170000
|
direct allocation
|
page read and write
|
||
|
4313000
|
heap
|
page read and write
|
||
|
4344000
|
heap
|
page read and write
|
||
|
4597000
|
direct allocation
|
page read and write
|
||
|
6860000
|
heap
|
page read and write
|
||
|
4356000
|
heap
|
page read and write
|
||
|
1297000
|
heap
|
page read and write
|
||
|
2D70000
|
heap
|
page read and write
|
||
|
1204000
|
heap
|
page read and write
|
||
|
11CE000
|
heap
|
page read and write
|
||
|
4333000
|
heap
|
page read and write
|
||
|
C84000
|
unkown
|
page write copy
|
||
|
1246000
|
heap
|
page read and write
|
||
|
1225000
|
heap
|
page read and write
|
||
|
121C000
|
heap
|
page read and write
|
||
|
120A000
|
heap
|
page read and write
|
||
|
1259000
|
heap
|
page read and write
|
||
|
123F000
|
heap
|
page read and write
|
||
|
1275000
|
heap
|
page read and write
|
||
|
2EF0000
|
heap
|
page read and write
|
||
|
1204000
|
heap
|
page read and write
|
||
|
1293000
|
heap
|
page read and write
|
||
|
434D000
|
heap
|
page read and write
|
||
|
1210000
|
heap
|
page read and write
|
||
|
1233000
|
heap
|
page read and write
|
||
|
4331000
|
heap
|
page read and write
|
||
|
10FB000
|
stack
|
page read and write
|
||
|
1211000
|
heap
|
page read and write
|
||
|
4329000
|
heap
|
page read and write
|
||
|
11E8000
|
heap
|
page read and write
|
||
|
115D000
|
stack
|
page read and write
|
||
|
DE5000
|
heap
|
page read and write
|
||
|
4330000
|
heap
|
page read and write
|
||
|
4312000
|
heap
|
page read and write
|
||
|
1267000
|
heap
|
page read and write
|
||
|
4341000
|
heap
|
page read and write
|
||
|
1286000
|
heap
|
page read and write
|
||
|
1217000
|
heap
|
page read and write
|
||
|
1212000
|
heap
|
page read and write
|
||
|
1282000
|
heap
|
page read and write
|
||
|
4400000
|
direct allocation
|
page read and write
|
||
|
C88000
|
unkown
|
page readonly
|
||
|
1235000
|
heap
|
page read and write
|
||
|
1236000
|
heap
|
page read and write
|
||
|
1293000
|
heap
|
page read and write
|
||
|
124B000
|
heap
|
page read and write
|
||
|
4323000
|
heap
|
page read and write
|
||
|
1290000
|
heap
|
page read and write
|
||
|
1290000
|
heap
|
page read and write
|
||
|
4353000
|
heap
|
page read and write
|
||
|
2D60000
|
heap
|
page read and write
|
||
|
1252000
|
heap
|
page read and write
|
||
|
124E000
|
heap
|
page read and write
|
||
|
38D0000
|
heap
|
page read and write
|
||
|
4308000
|
heap
|
page read and write
|
||
|
37DF000
|
stack
|
page read and write
|
||
|
431F000
|
heap
|
page read and write
|
||
|
120F000
|
heap
|
page read and write
|
||
|
DE0000
|
heap
|
page read and write
|
||
|
1210000
|
heap
|
page read and write
|
||
|
5F9E000
|
stack
|
page read and write
|
||
|
1287000
|
heap
|
page read and write
|
||
|
11EC000
|
heap
|
page read and write
|
||
|
C85000
|
unkown
|
page read and write
|
||
|
609F000
|
stack
|
page read and write
|
||
|
1275000
|
heap
|
page read and write
|
||
|
123F000
|
heap
|
page read and write
|
||
|
1223000
|
heap
|
page read and write
|
||
|
366F000
|
stack
|
page read and write
|
||
|
434E000
|
heap
|
page read and write
|
||
|
124F000
|
heap
|
page read and write
|
||
|
129C000
|
heap
|
page read and write
|
||
|
1223000
|
heap
|
page read and write
|
||
|
125B000
|
heap
|
page read and write
|
||
|
1290000
|
heap
|
page read and write
|
||
|
4307000
|
heap
|
page read and write
|
||
|
125C000
|
heap
|
page read and write
|
||
|
1275000
|
heap
|
page read and write
|
||
|
1262000
|
heap
|
page read and write
|
||
|
2F50000
|
heap
|
page read and write
|
||
|
4356000
|
heap
|
page read and write
|
||
|
4304000
|
heap
|
page read and write
|
||
|
4300000
|
heap
|
page read and write
|
||
|
125F000
|
heap
|
page read and write
|
||
|
1293000
|
heap
|
page read and write
|
||
|
4324000
|
heap
|
page read and write
|
||
|
356E000
|
stack
|
page read and write
|
||
|
2EEE000
|
stack
|
page read and write
|
||
|
1216000
|
heap
|
page read and write
|
||
|
11A0000
|
heap
|
page read and write
|
||
|
1266000
|
heap
|
page read and write
|
||
|
2DAB000
|
heap
|
page read and write
|
||
|
58F1000
|
heap
|
page read and write
|
||
|
1275000
|
heap
|
page read and write
|
||
|
432C000
|
heap
|
page read and write
|
||
|
1275000
|
heap
|
page read and write
|
||
|
1110000
|
heap
|
page read and write
|
||
|
156E000
|
stack
|
page read and write
|
||
|
1273000
|
heap
|
page read and write
|
||
|
5CAE000
|
stack
|
page read and write
|
||
|
4345000
|
heap
|
page read and write
|
||
|
1293000
|
heap
|
page read and write
|
||
|
4306000
|
heap
|
page read and write
|
||
|
125D000
|
heap
|
page read and write
|
||
|
2DA5000
|
heap
|
page read and write
|
||
|
1266000
|
heap
|
page read and write
|
||
|
146F000
|
stack
|
page read and write
|
||
|
11EC000
|
heap
|
page read and write
|
||
|
4330000
|
heap
|
page read and write
|
||
|
1238000
|
heap
|
page read and write
|
||
|
1257000
|
heap
|
page read and write
|
||
|
4356000
|
heap
|
page read and write
|
||
|
11C3000
|
heap
|
page read and write
|
||
|
4328000
|
heap
|
page read and write
|
||
|
1236000
|
heap
|
page read and write
|
||
|
126C000
|
heap
|
page read and write
|
||
|
11C2000
|
heap
|
page read and write
|
||
|
1229000
|
heap
|
page read and write
|
||
|
432D000
|
heap
|
page read and write
|
||
|
122D000
|
heap
|
page read and write
|
||
|
1227000
|
heap
|
page read and write
|
||
|
D8A000
|
stack
|
page read and write
|
||
|
119E000
|
stack
|
page read and write
|
||
|
4301000
|
heap
|
page read and write
|
||
|
1272000
|
heap
|
page read and write
|
||
|
1100000
|
heap
|
page read and write
|
||
|
1243000
|
heap
|
page read and write
|
||
|
36DE000
|
stack
|
page read and write
|
||
|
4326000
|
heap
|
page read and write
|
||
|
1243000
|
heap
|
page read and write
|
||
|
4351000
|
heap
|
page read and write
|
There are 202 hidden memdumps, click here to show them.