Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation
Database, Subject: Setup, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the
logic and data required to install Setup., Template: Intel;1033, Revision Number: {F7CB1EF0-F16A-4CF9-A62C-68ECA8309263},
Create Time/Date: Thu Sep 26 23:57:40 2024, Last Saved Time/Date: Thu Sep 26 23:57:40 2024, Number of Pages: 300, Number of
Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
|
initial sample
|
 |
|
|
C:\Program Files (x86)\Windows NT\Update.png
|
PE32+ executable (DLL) (console) x86-64, for MS Windows
|
dropped
|
|
|
|
C:\Windows\Installer\MSIFE4A.tmp
|
PE32+ executable (DLL) (console) x86-64, for MS Windows
|
dropped
|
|
|
|
C:\Config.Msi\6ff91a.rbs
|
data
|
dropped
|
||
|
C:\Program Files (x86)\Windows NT\7za.exe
|
PE32 executable (console) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Program Files (x86)\Windows NT\bin.dat
|
7-zip archive data, version 0.4
|
dropped
|
||
|
C:\Program Files (x86)\Windows NT\locale.dat
|
7-zip archive data, version 0.4
|
dropped
|
||
|
C:\Program Files (x86)\Windows NT\locale2.dat
|
7-zip archive data, version 0.4
|
dropped
|
||
|
C:\Program Files (x86)\Windows NT\locale3.dat
|
7-zip archive data, version 0.3
|
dropped
|
||
|
C:\Program Files (x86)\Windows NT\locale4.dat
|
7-zip archive data, version 0.3
|
dropped
|
||
|
C:\Windows\Installer\6ff919.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation
Database, Subject: Setup, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the
logic and data required to install Setup., Template: Intel;1033, Revision Number: {F7CB1EF0-F16A-4CF9-A62C-68ECA8309263},
Create Time/Date: Thu Sep 26 23:57:40 2024, Last Saved Time/Date: Thu Sep 26 23:57:40 2024, Number of Pages: 300, Number of
Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
|
dropped
|
||
|
C:\Windows\Installer\6ff91b.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation
Database, Subject: Setup, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the
logic and data required to install Setup., Template: Intel;1033, Revision Number: {F7CB1EF0-F16A-4CF9-A62C-68ECA8309263},
Create Time/Date: Thu Sep 26 23:57:40 2024, Last Saved Time/Date: Thu Sep 26 23:57:40 2024, Number of Pages: 300, Number of
Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
|
dropped
|
||
|
C:\Windows\Installer\MSIFA90.tmp
|
data
|
dropped
|
||
|
C:\Windows\Installer\SourceHash{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Installer\inprogressinstallinfo.ipi
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
|
Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
|
dropped
|
||
|
C:\Windows\Temp\~DF11970499994F05EB.TMP
|
data
|
dropped
|
||
|
C:\Windows\Temp\~DF2ED0ACABEAE9FFE6.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Temp\~DF2F758227F79456CC.TMP
|
data
|
dropped
|
||
|
C:\Windows\Temp\~DF35293D8D487B9D06.TMP
|
data
|
dropped
|
||
|
C:\Windows\Temp\~DF41E963A392FA4DE9.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Temp\~DF614E7163061EBF51.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Temp\~DF6B3438CCA0F4BFE2.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Temp\~DFA82F1FCF071015FD.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Windows\Temp\~DFA9046B40EB5D5CA2.TMP
|
data
|
modified
|
||
|
C:\Windows\Temp\~DFD6B0118EE67E6473.TMP
|
data
|
dropped
|
||
|
C:\Windows\Temp\~DFD775574B48ACDD82.TMP
|
data
|
dropped
|
||
|
C:\Windows\Temp\~DFF34F4CF6AAB40B59.TMP
|
data
|
dropped
|
There are 18 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\msiexec.exe
|
"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f.msi"
|
|
|
|
C:\Windows\System32\msiexec.exe
|
C:\Windows\system32\msiexec.exe /V
|
|
|
|
C:\Windows\System32\msiexec.exe
|
C:\Windows\System32\MsiExec.exe -Embedding F56E803D2B6F62C6314054092C86C0FA E Global\MSI0000
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Owner
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
SessionHash
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Sequence
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Config.Msi\
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
|
C:\Config.Msi\6ff91a.rbs
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
|
C:\Config.Msi\6ff91a.rbsLow
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ABB06F11D21D129428DDA45BE87C434F
|
3A932B4AF998CA74EA8C94E07CA1C570
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
LocalPackage
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
AuthorizedCDFPrefix
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
Comments
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
Contact
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
DisplayVersion
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
HelpLink
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
HelpTelephone
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
InstallDate
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
InstallLocation
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
InstallSource
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
ModifyPath
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
Publisher
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
Readme
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
Size
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
EstimatedSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
SystemComponent
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
UninstallString
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
URLInfoAbout
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
URLUpdateInfo
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
VersionMajor
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
VersionMinor
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
WindowsInstaller
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
Version
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
Language
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
AuthorizedCDFPrefix
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
Comments
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
Contact
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
DisplayVersion
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
HelpLink
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
HelpTelephone
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
InstallDate
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
InstallLocation
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
InstallSource
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
ModifyPath
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
Publisher
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
Readme
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
Size
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
EstimatedSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
SystemComponent
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
UninstallString
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
URLInfoAbout
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
URLUpdateInfo
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
VersionMajor
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
VersionMinor
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
WindowsInstaller
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
Version
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
Language
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\ABB06F11D21D129428DDA45BE87C434F
|
3A932B4AF998CA74EA8C94E07CA1C570
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\InstallProperties
|
DisplayName
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A4B239A3-899F-47AC-AEC8-490EC71A5C07}
|
DisplayName
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\3A932B4AF998CA74EA8C94E07CA1C570
|
ProductFeature
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\Features
|
ProductFeature
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3A932B4AF998CA74EA8C94E07CA1C570\Patches
|
AllPatches
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3A932B4AF998CA74EA8C94E07CA1C570
|
ProductName
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3A932B4AF998CA74EA8C94E07CA1C570
|
PackageCode
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3A932B4AF998CA74EA8C94E07CA1C570
|
Language
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3A932B4AF998CA74EA8C94E07CA1C570
|
Version
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3A932B4AF998CA74EA8C94E07CA1C570
|
Assignment
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3A932B4AF998CA74EA8C94E07CA1C570
|
AdvertiseFlags
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3A932B4AF998CA74EA8C94E07CA1C570
|
InstanceType
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3A932B4AF998CA74EA8C94E07CA1C570
|
AuthorizedLUAApp
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3A932B4AF998CA74EA8C94E07CA1C570
|
DeploymentFlags
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ABB06F11D21D129428DDA45BE87C434F
|
3A932B4AF998CA74EA8C94E07CA1C570
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3A932B4AF998CA74EA8C94E07CA1C570\SourceList
|
PackageName
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3A932B4AF998CA74EA8C94E07CA1C570\SourceList\Net
|
1
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3A932B4AF998CA74EA8C94E07CA1C570\SourceList\Media
|
1
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3A932B4AF998CA74EA8C94E07CA1C570
|
Clients
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\3A932B4AF998CA74EA8C94E07CA1C570\SourceList
|
LastUsedSource
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings
|
StringCacheGeneration
|
There are 66 hidden registries, click here to show them.