Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
2c6HNWVywp.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
||
|
C:\Users\user\AppData\Local\Temp\MSIFB63.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIFC10.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\MSIff69.LOG
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\shiFAD5.tmp
|
PE32+ executable (DLL) (GUI) x86-64, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44
2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page:
1252, Revision Number: {3D2F3062-A70B-445E-8CE0-4683179903E0}, Number of Words: 0, Subject: ConsoleHQ, Author: ConsolHQ LTD,
Name of Creating Application: ConsoleHQ, Template: ;1033, Comments: This installer database contains the logic and data required
to install ConsoleHQ., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\decoder.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\holder0.aiph
|
data
|
dropped
|
||
|
C:\Windows\Installer\50fd66.msi
|
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44
2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page:
1252, Revision Number: {3D2F3062-A70B-445E-8CE0-4683179903E0}, Number of Words: 0, Subject: ConsoleHQ, Author: ConsolHQ LTD,
Name of Creating Application: ConsoleHQ, Template: ;1033, Comments: This installer database contains the logic and data required
to install ConsoleHQ., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
|
dropped
|
||
|
C:\Windows\Installer\MSIFE6F.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Windows\Installer\MSIFECE.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Windows\Installer\MSIFEFE.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Windows\Installer\MSIFF2E.tmp
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
modified
|
||
|
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
|
Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
|
dropped
|
There are 4 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\2c6HNWVywp.exe
|
"C:\Users\user\Desktop\2c6HNWVywp.exe"
|
||
|
C:\Windows\System32\msiexec.exe
|
C:\Windows\system32\msiexec.exe /V
|
||
|
C:\Windows\SysWOW64\msiexec.exe
|
C:\Windows\syswow64\MsiExec.exe -Embedding C17C6E88C2AC26D77232308596BFC404 C
|
||
|
C:\Windows\SysWOW64\msiexec.exe
|
"C:\Windows\system32\msiexec.exe" /i "C:\Users\user\AppData\Roaming\ConsolHQ LTD\ConsoleHQ 1.12.3\install\52455D3\Installer.msi"
AI_SETUPEXEPATH=C:\Users\user\Desktop\2c6HNWVywp.exe SETUPEXEDIR=C:\Users\user\Desktop\ EXE_CMD_LINE="/exenoupdates /forcecleanup
/wintime 1731488998 " AI_EUIMSI=""
|
||
|
C:\Windows\SysWOW64\msiexec.exe
|
C:\Windows\syswow64\MsiExec.exe -Embedding 48383DF6A2E73543A85DB9345F606A15
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
|
unknown
|
||
|
http://html4/loose.dtd
|
unknown
|
||
|
https://www.advancedinstaller.com
|
unknown
|
||
|
https://www.thawte.com/cps0/
|
unknown
|
||
|
http://.css
|
unknown
|
||
|
http://.jpg
|
unknown
|
||
|
https://www.thawte.com/repository0W
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Owner
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
SessionHash
|
||
|
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
|
Sequence
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
566000
|
unkown
|
page readonly
|
||
|
37E0000
|
trusted library allocation
|
page read and write
|
||
|
64DD000
|
heap
|
page read and write
|
||
|
148C000
|
heap
|
page read and write
|
||
|
1492000
|
heap
|
page read and write
|
||
|
1442000
|
heap
|
page read and write
|
||
|
13A0000
|
heap
|
page read and write
|
||
|
1437000
|
heap
|
page read and write
|
||
|
1270000
|
heap
|
page read and write
|
||
|
1435000
|
heap
|
page read and write
|
||
|
13EB000
|
heap
|
page read and write
|
||
|
1453000
|
heap
|
page read and write
|
||
|
144A000
|
heap
|
page read and write
|
||
|
1471000
|
heap
|
page read and write
|
||
|
1423000
|
heap
|
page read and write
|
||
|
64C1000
|
heap
|
page read and write
|
||
|
1466000
|
heap
|
page read and write
|
||
|
1295000
|
heap
|
page read and write
|
||
|
DB0000
|
heap
|
page read and write
|
||
|
124E000
|
stack
|
page read and write
|
||
|
1459000
|
heap
|
page read and write
|
||
|
1461000
|
heap
|
page read and write
|
||
|
1423000
|
heap
|
page read and write
|
||
|
64EC000
|
heap
|
page read and write
|
||
|
64E0000
|
heap
|
page read and write
|
||
|
13EB000
|
heap
|
page read and write
|
||
|
1495000
|
heap
|
page read and write
|
||
|
1492000
|
heap
|
page read and write
|
||
|
146E000
|
heap
|
page read and write
|
||
|
1430000
|
heap
|
page read and write
|
||
|
64D6000
|
heap
|
page read and write
|
||
|
145B000
|
heap
|
page read and write
|
||
|
6502000
|
heap
|
page read and write
|
||
|
5E8F000
|
stack
|
page read and write
|
||
|
1280000
|
heap
|
page read and write
|
||
|
1478000
|
heap
|
page read and write
|
||
|
13C3000
|
heap
|
page read and write
|
||
|
13EF000
|
heap
|
page read and write
|
||
|
1440000
|
heap
|
page read and write
|
||
|
2A0000
|
unkown
|
page readonly
|
||
|
64E1000
|
heap
|
page read and write
|
||
|
1495000
|
heap
|
page read and write
|
||
|
13CD000
|
heap
|
page read and write
|
||
|
64BC000
|
heap
|
page read and write
|
||
|
13C2000
|
heap
|
page read and write
|
||
|
1486000
|
heap
|
page read and write
|
||
|
10FB000
|
stack
|
page read and write
|
||
|
1462000
|
heap
|
page read and write
|
||
|
64D5000
|
heap
|
page read and write
|
||
|
5777000
|
heap
|
page read and write
|
||
|
6501000
|
heap
|
page read and write
|
||
|
64D1000
|
heap
|
page read and write
|
||
|
6500000
|
heap
|
page read and write
|
||
|
149B000
|
heap
|
page read and write
|
||
|
1471000
|
heap
|
page read and write
|
||
|
64CD000
|
heap
|
page read and write
|
||
|
1424000
|
heap
|
page read and write
|
||
|
148B000
|
heap
|
page read and write
|
||
|
1458000
|
heap
|
page read and write
|
||
|
42B0000
|
heap
|
page read and write
|
||
|
1475000
|
heap
|
page read and write
|
||
|
1467000
|
heap
|
page read and write
|
||
|
1431000
|
heap
|
page read and write
|
||
|
142D000
|
heap
|
page read and write
|
||
|
64DC000
|
heap
|
page read and write
|
||
|
418F000
|
heap
|
page read and write
|
||
|
5771000
|
heap
|
page read and write
|
||
|
6500000
|
heap
|
page read and write
|
||
|
64E0000
|
heap
|
page read and write
|
||
|
64B7000
|
heap
|
page read and write
|
||
|
2F04000
|
heap
|
page read and write
|
||
|
144F000
|
heap
|
page read and write
|
||
|
1423000
|
heap
|
page read and write
|
||
|
1467000
|
heap
|
page read and write
|
||
|
64E0000
|
heap
|
page read and write
|
||
|
13CE000
|
heap
|
page read and write
|
||
|
13EF000
|
heap
|
page read and write
|
||
|
4B8000
|
unkown
|
page readonly
|
||
|
1404000
|
heap
|
page read and write
|
||
|
365F000
|
stack
|
page read and write
|
||
|
442E000
|
stack
|
page read and write
|
||
|
64DC000
|
heap
|
page read and write
|
||
|
13EF000
|
heap
|
page read and write
|
||
|
3FFE000
|
heap
|
page read and write
|
||
|
1492000
|
heap
|
page read and write
|
||
|
64EC000
|
heap
|
page read and write
|
||
|
1445000
|
heap
|
page read and write
|
||
|
1419000
|
heap
|
page read and write
|
||
|
2F4E000
|
stack
|
page read and write
|
||
|
1423000
|
heap
|
page read and write
|
||
|
146D000
|
heap
|
page read and write
|
||
|
1440000
|
heap
|
page read and write
|
||
|
2A1000
|
unkown
|
page execute read
|
||
|
1429000
|
heap
|
page read and write
|
||
|
64B3000
|
heap
|
page read and write
|
||
|
120E000
|
stack
|
page read and write
|
||
|
2DEF000
|
stack
|
page read and write
|
||
|
2CB0000
|
heap
|
page read and write
|
||
|
1453000
|
heap
|
page read and write
|
||
|
64D3000
|
heap
|
page read and write
|
||
|
64EC000
|
heap
|
page read and write
|
||
|
543000
|
unkown
|
page write copy
|
||
|
547000
|
unkown
|
page readonly
|
||
|
64CF000
|
heap
|
page read and write
|
||
|
1453000
|
heap
|
page read and write
|
||
|
2F00000
|
heap
|
page read and write
|
||
|
64EC000
|
heap
|
page read and write
|
||
|
13EB000
|
heap
|
page read and write
|
||
|
64DD000
|
heap
|
page read and write
|
||
|
44D0000
|
heap
|
page read and write
|
||
|
1495000
|
heap
|
page read and write
|
||
|
1495000
|
heap
|
page read and write
|
||
|
544000
|
unkown
|
page read and write
|
||
|
64C3000
|
heap
|
page read and write
|
||
|
64B0000
|
heap
|
page read and write
|
||
|
2CEB000
|
heap
|
page read and write
|
||
|
1453000
|
heap
|
page read and write
|
||
|
64B1000
|
heap
|
page read and write
|
||
|
64DD000
|
heap
|
page read and write
|
||
|
1454000
|
heap
|
page read and write
|
||
|
1492000
|
heap
|
page read and write
|
||
|
1485000
|
heap
|
page read and write
|
||
|
64BF000
|
heap
|
page read and write
|
||
|
2A1000
|
unkown
|
page execute read
|
||
|
139F000
|
stack
|
page read and write
|
||
|
3750000
|
heap
|
page read and write
|
||
|
146D000
|
heap
|
page read and write
|
||
|
33ED000
|
stack
|
page read and write
|
||
|
34EE000
|
stack
|
page read and write
|
||
|
355E000
|
stack
|
page read and write
|
||
|
411F000
|
stack
|
page read and write
|
||
|
1404000
|
heap
|
page read and write
|
||
|
547000
|
unkown
|
page readonly
|
||
|
401E000
|
stack
|
page read and write
|
||
|
13EB000
|
heap
|
page read and write
|
||
|
53E000
|
unkown
|
page write copy
|
||
|
64B8000
|
heap
|
page read and write
|
||
|
64EC000
|
heap
|
page read and write
|
||
|
1456000
|
heap
|
page read and write
|
||
|
1453000
|
heap
|
page read and write
|
||
|
1426000
|
heap
|
page read and write
|
||
|
142C000
|
heap
|
page read and write
|
||
|
4B8000
|
unkown
|
page readonly
|
||
|
64CF000
|
heap
|
page read and write
|
||
|
1495000
|
heap
|
page read and write
|
||
|
2CE0000
|
heap
|
page read and write
|
||
|
542000
|
unkown
|
page write copy
|
||
|
64DD000
|
heap
|
page read and write
|
||
|
1472000
|
heap
|
page read and write
|
||
|
143C000
|
heap
|
page read and write
|
||
|
304E000
|
stack
|
page read and write
|
||
|
64C6000
|
heap
|
page read and write
|
||
|
3FFE000
|
heap
|
page read and write
|
||
|
64E0000
|
heap
|
page read and write
|
||
|
42E5000
|
heap
|
page read and write
|
||
|
1290000
|
heap
|
page read and write
|
||
|
148C000
|
heap
|
page read and write
|
||
|
2A0000
|
unkown
|
page readonly
|
||
|
1429000
|
heap
|
page read and write
|
||
|
1499000
|
heap
|
page read and write
|
||
|
53E000
|
unkown
|
page read and write
|
||
|
6500000
|
heap
|
page read and write
|
||
|
64DF000
|
heap
|
page read and write
|
||
|
64D9000
|
heap
|
page read and write
|
||
|
D49000
|
stack
|
page read and write
|
||
|
2CE5000
|
heap
|
page read and write
|
||
|
1446000
|
heap
|
page read and write
|
||
|
64B6000
|
heap
|
page read and write
|
||
|
64D3000
|
heap
|
page read and write
|
||
|
13EF000
|
heap
|
page read and write
|
||
|
DC0000
|
heap
|
page read and write
|
||
|
147B000
|
heap
|
page read and write
|
||
|
64DD000
|
heap
|
page read and write
|
||
|
1444000
|
heap
|
page read and write
|
||
|
3060000
|
heap
|
page read and write
|
||
|
1449000
|
heap
|
page read and write
|
||
|
1424000
|
heap
|
page read and write
|
||
|
13CA000
|
heap
|
page read and write
|
||
|
1410000
|
heap
|
page read and write
|
||
|
1432000
|
heap
|
page read and write
|
||
|
1473000
|
heap
|
page read and write
|
||
|
566000
|
unkown
|
page readonly
|
||
|
1404000
|
heap
|
page read and write
|
||
|
140A000
|
heap
|
page read and write
|
||
|
1404000
|
heap
|
page read and write
|
||
|
1460000
|
heap
|
page read and write
|
There are 176 hidden memdumps, click here to show them.