Files
File Path
|
Type
|
Category
|
Malicious
|
|
---|---|---|---|---|
HQynOvDajU.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44
2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page:
1252, Revision Number: {70185088-1D48-4E63-84F8-44D7E665DF81}, Number of Words: 10, Subject: ERROR CODE HG695, Author: ERROR
CODE HG695, Name of Creating Application: ERROR CODE HG695, Template: ;1033, Title: Installation Database, Keywords: Installer,
MSI, Database, Number of Pages: 200
|
initial sample
|
||
C:\Config.Msi\54f0b2.rbs
|
data
|
dropped
|
||
C:\Windows\Installer\54f0b0.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44
2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page:
1252, Revision Number: {70185088-1D48-4E63-84F8-44D7E665DF81}, Number of Words: 10, Subject: ERROR CODE HG695, Author: ERROR
CODE HG695, Name of Creating Application: ERROR CODE HG695, Template: ;1033, Title: Installation Database, Keywords: Installer,
MSI, Database, Number of Pages: 200
|
dropped
|
||
C:\Windows\Installer\MSIF45A.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
C:\Windows\Installer\MSIF4C8.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
C:\Windows\Installer\MSIF508.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
C:\Windows\Installer\MSIF537.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
C:\Windows\Installer\MSIF5D5.tmp
|
data
|
dropped
|
||
C:\Windows\Installer\MSIF691.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
modified
|
||
C:\Windows\Installer\SourceHash{1VCRSQGU-XBAV-EFS7-H8NN-4L3X5TGCJVVG}
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Installer\inprogressinstallinfo.ipi
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
|
Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
|
dropped
|
||
C:\Windows\Temp\~DF04B1D893119BFE12.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Temp\~DF1C8E925A5113323E.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Temp\~DF486BC341343B8C91.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Temp\~DF508BBE288F04BE4F.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DF550D38FA93D6034A.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DF9FB4EA9C0B6B4326.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DFA0305780C3D30FFB.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DFB6B3193AFCCECFB2.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DFCDD95B7C8C016790.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DFD2ED720BA744CD55.TMP
|
data
|
dropped
|
||
C:\Windows\Temp\~DFE5EC288DACF80FA7.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
C:\Windows\Temp\~DFFA060A76BAEE7D7F.TMP
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
There are 14 hidden files, click here to show them.
Processes
Path
|
Cmdline
|
Malicious
|
|
---|---|---|---|
C:\Windows\System32\msiexec.exe
|
"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\HQynOvDajU.msi"
|
||
C:\Windows\System32\msiexec.exe
|
C:\Windows\system32\msiexec.exe /V
|
||
C:\Windows\SysWOW64\msiexec.exe
|
C:\Windows\syswow64\MsiExec.exe -Embedding 4F2F3C17EF4ECCED9408C6F17580FC16
|
URLs
Name
|
IP
|
Malicious
|
|
---|---|---|---|
https://www.advancedinstaller.com
|
unknown
|
||
http://www.indyproject.org/
|
unknown
|
||
http://94.103.83.221/index.php
|
unknown
|
||
http://94.103.83.221/tiru/maktri.zip
|
unknown
|
||
https://www.thawte.com/cps0/
|
unknown
|
||
https://www.thawte.com/repository0W
|
unknown
|
Registry
Path
|
Value
|
Malicious
|
|
---|---|---|---|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
|
Blob
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
|
Blob
|
||
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Owner
|
||
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
SessionHash
|
||
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Sequence
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Config.Msi\
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
|
C:\Config.Msi\54f0b2.rbs
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
|
C:\Config.Msi\54f0b2.rbsLow
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Users\user\AppData\Roaming\Microsoft\Installer\
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Users\user\AppData\Roaming\ERROR CODE HG695\ERROR CODE HG695\
|
||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
|
C:\Users\user\AppData\Roaming\ERROR CODE HG695\
|
There are 1 hidden registries, click here to show them.