Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
Uninstall.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Temp\nsf2165.tmp\NSISPlugin.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
|
dropped
|
|
|
|
C:\Users\user\AppData\Local\Temp\nsf2165.tmp\System.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\nsf2165.tmp\UAC.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\nsf2165.tmp\modern-wizard.bmp
|
PC bitmap, Windows 3.x format, 164 x 314 x 24, image size 154490, resolution 2834 x 2834 px/m, cbSize 154544, bits offset
54
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\nsf2165.tmp\nsDialogs.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\nsu2089.tmp
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\nsz1ED4.tmp
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe:Zone.Identifier
|
ASCII text, with CRLF line terminators
|
modified
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\Uninstall.exe
|
"C:\Users\user\Desktop\Uninstall.exe"
|
|
|
|
C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe
|
"C:\Users\user\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\user\Desktop\
|
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://weld.unitegenius.com/i?e=vitruvian-installer-uninstall-v0002
|
unknown
|
||
|
http://nsis.sf.net/NSIS_Error
|
unknown
|
||
|
http://nsis.sf.net/NSIS_ErrorError
|
unknown
|
||
|
http://crl.thawte.com/ThawteTimestampingCA.crl0
|
unknown
|
||
|
http://www.linkwizapp.com/uninstall-success
|
unknown
|
||
|
http://ocsp.thawte.com0
|
unknown
|
||
|
http://www.linkwizapp.com/uninstall-successrundll32.exeopenShellExecuteAsSessionUserWithFallback
|
unknown
|
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
18.31.95.13.in-addr.arpa
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
|
PendingFileRenameOperations
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
|
PendingFileRenameOperations
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
247F000
|
stack
|
page read and write
|
||
|
407000
|
unkown
|
page readonly
|
||
|
5C7000
|
heap
|
page read and write
|
||
|
409000
|
unkown
|
page read and write
|
||
|
10005000
|
unkown
|
page readonly
|
||
|
86A000
|
heap
|
page read and write
|
||
|
896000
|
heap
|
page read and write
|
||
|
6AAE000
|
stack
|
page read and write
|
||
|
84E000
|
heap
|
page read and write
|
||
|
570000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
8EF000
|
stack
|
page read and write
|
||
|
52B000
|
unkown
|
page readonly
|
||
|
10000000
|
unkown
|
page readonly
|
||
|
86A000
|
heap
|
page read and write
|
||
|
22FE000
|
stack
|
page read and write
|
||
|
6E5E8000
|
unkown
|
page read and write
|
||
|
231E000
|
stack
|
page read and write
|
||
|
9EF000
|
stack
|
page read and write
|
||
|
237E000
|
stack
|
page read and write
|
||
|
710000
|
heap
|
page read and write
|
||
|
2505000
|
unkown
|
page readonly
|
||
|
896000
|
heap
|
page read and write
|
||
|
57E000
|
heap
|
page read and write
|
||
|
5AB000
|
heap
|
page read and write
|
||
|
41F000
|
unkown
|
page read and write
|
||
|
10001000
|
unkown
|
page execute read
|
||
|
2210000
|
heap
|
page read and write
|
||
|
7D0000
|
heap
|
page read and write
|
||
|
86A000
|
heap
|
page read and write
|
||
|
52B000
|
unkown
|
page readonly
|
||
|
85A000
|
heap
|
page read and write
|
||
|
88A000
|
heap
|
page read and write
|
||
|
296D000
|
heap
|
page read and write
|
||
|
2510000
|
heap
|
page read and write
|
||
|
560000
|
heap
|
page read and write
|
||
|
407000
|
unkown
|
page readonly
|
||
|
840000
|
heap
|
page read and write
|
||
|
282E000
|
heap
|
page read and write
|
||
|
80B000
|
heap
|
page read and write
|
||
|
5AE000
|
heap
|
page read and write
|
||
|
828000
|
heap
|
page read and write
|
||
|
88C000
|
heap
|
page read and write
|
||
|
296B000
|
heap
|
page read and write
|
||
|
6E5A1000
|
unkown
|
page execute read
|
||
|
19A000
|
stack
|
page read and write
|
||
|
98000
|
stack
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
88C000
|
heap
|
page read and write
|
||
|
2804000
|
heap
|
page read and write
|
||
|
52B000
|
unkown
|
page readonly
|
||
|
46F000
|
unkown
|
page read and write
|
||
|
88C000
|
heap
|
page read and write
|
||
|
550000
|
heap
|
page read and write
|
||
|
6D94000
|
unkown
|
page write copy
|
||
|
10004000
|
unkown
|
page read and write
|
||
|
2514000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
2835000
|
heap
|
page read and write
|
||
|
877000
|
heap
|
page read and write
|
||
|
24D0000
|
trusted library allocation
|
page read and write
|
||
|
407000
|
unkown
|
page readonly
|
||
|
409000
|
unkown
|
page write copy
|
||
|
416000
|
unkown
|
page read and write
|
||
|
7DE000
|
heap
|
page read and write
|
||
|
2336000
|
heap
|
page read and write
|
||
|
69AC000
|
stack
|
page read and write
|
||
|
856000
|
heap
|
page read and write
|
||
|
877000
|
heap
|
page read and write
|
||
|
2870000
|
heap
|
page read and write
|
||
|
640000
|
heap
|
page read and write
|
||
|
6E5DA000
|
unkown
|
page readonly
|
||
|
21FE000
|
stack
|
page read and write
|
||
|
6AE000
|
stack
|
page read and write
|
||
|
2501000
|
unkown
|
page execute read
|
||
|
401000
|
unkown
|
page execute read
|
||
|
401000
|
unkown
|
page execute read
|
||
|
19A000
|
stack
|
page read and write
|
||
|
27BF000
|
stack
|
page read and write
|
||
|
417000
|
unkown
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
579000
|
heap
|
page read and write
|
||
|
2503000
|
unkown
|
page readonly
|
||
|
630000
|
heap
|
page read and write
|
||
|
635000
|
heap
|
page read and write
|
||
|
5C6000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
413000
|
unkown
|
page read and write
|
||
|
52B000
|
unkown
|
page readonly
|
||
|
2802000
|
heap
|
page read and write
|
||
|
2997000
|
heap
|
page read and write
|
||
|
2500000
|
unkown
|
page readonly
|
||
|
6D90000
|
unkown
|
page readonly
|
||
|
299E000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
7DA000
|
heap
|
page read and write
|
||
|
21A0000
|
heap
|
page read and write
|
||
|
6D91000
|
unkown
|
page execute read
|
||
|
857000
|
heap
|
page read and write
|
||
|
29F8000
|
heap
|
page read and write
|
||
|
6D93000
|
unkown
|
page readonly
|
||
|
877000
|
heap
|
page read and write
|
||
|
26BE000
|
stack
|
page read and write
|
||
|
6E5ED000
|
unkown
|
page readonly
|
||
|
715000
|
heap
|
page read and write
|
||
|
2330000
|
heap
|
page read and write
|
||
|
8AA000
|
heap
|
page read and write
|
||
|
6D00000
|
heap
|
page read and write
|
||
|
9B000
|
stack
|
page read and write
|
||
|
6D97000
|
unkown
|
page readonly
|
||
|
2330000
|
heap
|
page read and write
|
||
|
21A0000
|
heap
|
page read and write
|
||
|
43E000
|
unkown
|
page read and write
|
||
|
409000
|
unkown
|
page read and write
|
||
|
6E5A0000
|
unkown
|
page readonly
|
||
|
43E000
|
unkown
|
page read and write
|
||
|
409000
|
unkown
|
page write copy
|
||
|
6BB0000
|
heap
|
page read and write
|
||
|
407000
|
unkown
|
page readonly
|
||
|
21FE000
|
stack
|
page read and write
|
||
|
6EE000
|
stack
|
page read and write
|
||
|
2860000
|
heap
|
page read and write
|
||
|
852000
|
heap
|
page read and write
|
||
|
550000
|
heap
|
page read and write
|
There are 114 hidden memdumps, click here to show them.