IOC Report
app__v7.3.5_.msi

Files

File Path | Type | Category | Malicious
app__v7.3.5_.msi | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EE3A39B9-5A50-459E-950A-80F951511BDC}, Number of Words: 10, Subject: NoqotApp, Author: Haye Cosq, Name of Creating Application: NoqotApp, Template: x64;2057, Comments: This installer database contains the logic and data required to install NoqotApp., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Sep 30 16:03:45 2024, Last Saved Time/Date: Mon Sep 30 16:03:45 2024, Last Printed: Mon Sep 30 16:03:45 2024, Number of Pages: 450 | initial sample | malicious
C:\Config.Msi\480497.rbs | data | modified |
C:\Users\user\AppData\Local\Temp\MSI92e8e.LOG | Unicode text, UTF-16, little-endian text, with no line terminators | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\box-add-remove.svg | SVG Scalable Vector Graphics image | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\box-custom.svg | SVG Scalable Vector Graphics image | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\box-remove.svg | SVG Scalable Vector Graphics image | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\box-repair.svg | SVG Scalable Vector Graphics image | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\box.svg | SVG Scalable Vector Graphics image | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\client.png | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\client_server.png | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\common.js | ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\customize.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\diskcost.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\exit.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\fatalerror.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\fileinuse.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\folder.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\jquery-1.3.2.js | ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\maintwelcome.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\maintype.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\outofdisk.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\outofrbdisk.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\prepare.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\progress.html | HTML document, Unicode text, UTF-8 (with BOM) text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\progress\progressbar.css | ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\progress\progressbar.js | ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\resume.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\rmfiles.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\server.png | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\setuptype.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\style.css | ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\userexit.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\varstyle.css | ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\verifyready.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\verifyremove.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\verifyrepair.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\welcome.html | HTML document, ASCII text | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\NVIDIA GeForce Experience.exe | PE32+ executable (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\avsfaq.rar | ASCII text, with very long lines (65536), with no line terminators | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\classes.jsa | data | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\classes_nocoops.jsa | data | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\java.naming.jmod | Java jmod module version 1.0 | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\java.net.http.jmod | Java jmod module version 1.0 | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\java.prefs.jmod | Java jmod module version 1.0 | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\java.rmi.jmod | Java jmod module version 1.0 | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\java.scripting.jmod | Java jmod module version 1.0 | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\java.se.jmod | Java jmod module version 1.0 | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\java.security.jgss.jmod | Java jmod module version 1.0 | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\java.security.sasl.jmod | Java jmod module version 1.0 | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\java.smartcardio.jmod | Java jmod module version 1.0 | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\java.sql.jmod | Java jmod module version 1.0 | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\jvm.dll | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\trup_si.rar | RAR archive data, v5 | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\UnRAR.exe | PE32+ executable (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-profile-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-rtlsupport-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-string-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-synch-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-synch-l1-2-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-sysinfo-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-timezone-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-util-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-conio-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-convert-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-environment-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-filesystem-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-heap-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-locale-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-math-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-multibyte-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-private-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-process-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-runtime-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-stdio-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-string-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-time-l1-1-0.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\chrome_elf.dll | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\d3dcompiler_47.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\bin\bash.exe | PE32+ executable (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\bin\git.exe | PE32+ executable (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\bin\sh.exe | PE32+ executable (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\git-gui.exe | PE32+ executable (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\git.exe | PE32+ executable (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\gitk.exe | PE32+ executable (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\scalar.exe | PE32+ executable (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\git-bash.exe | PE32+ executable (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\git-cmd.exe | PE32+ executable (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\guirq.rar | RAR archive data, v5 | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\libEGL.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\libGLESv2.dll | PE32+ executable (DLL) (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\node.dll | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\smartgit-updater.exe | PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\smartgit.exe | PE32+ executable (GUI) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\smartgit.launcher | ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\smartgit.lnk | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Mon Apr 22 14:09:26 2024, mtime=Tue Oct 1 12:52:40 2024, atime=Mon Apr 22 14:09:26 2024, length=460144, window=hide | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\smartgit.vmoptions | ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\smartgitc.exe | PE32+ executable (console) x86-64, for MS Windows | dropped |
C:\Users\user\AppData\Roaming\Microsoft\Installer\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\icon_33.exe | MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel | dropped |
C:\Users\user\AppData\Roaming\Microsoft\Installer\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\icon_35.exe | MS Windows icon resource - 9 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel | dropped |
C:\Windows\Installer\480495.msi | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EE3A39B9-5A50-459E-950A-80F951511BDC}, Number of Words: 10, Subject: NoqotApp, Author: Haye Cosq, Name of Creating Application: NoqotApp, Template: x64;2057, Comments: This installer database contains the logic and data required to install NoqotApp., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Sep 30 16:03:45 2024, Last Saved Time/Date: Mon Sep 30 16:03:45 2024, Last Printed: Mon Sep 30 16:03:45 2024, Number of Pages: 450 | dropped |
C:\Windows\Installer\MSI2F4.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Windows\Installer\MSI333.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Windows\Installer\MSI9AC.tmp | data | dropped |
C:\Windows\Installer\MSIAA0.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Windows\Installer\MSIAF.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Windows\Installer\MSIC95.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Windows\Installer\MSICD5.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Windows\Installer\MSICF5.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Windows\Installer\MSID34.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Windows\Installer\MSID93.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Windows\Installer\MSIDD3.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Windows\Installer\MSIDF.tmp | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Windows\Installer\SourceHash{3E28EEFE-5291-43E1-AA61-E4D35B611491} | Composite Document File V2 Document, Cannot read section info | dropped |
C:\Windows\Installer\inprogressinstallinfo.ipi | Composite Document File V2 Document, Cannot read section info | dropped |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | dropped |
C:\Windows\Temp\~DF9C0307B954F74735.TMP | data | dropped |
C:\Windows\Temp\~DFB7CA0E11B73C0D9E.TMP | data | dropped |
C:\Windows\Temp\~DFCEC44332DD70227F.TMP | Composite Document File V2 Document, Cannot read section info | dropped |
C:\Windows\Temp\~DFD90567AE1E5EAFEF.TMP | data | dropped |
109 further file entries are not shown.
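A first triage pass over the file table above, as an added example that is neither the sandbox's nor the installer's code. It takes a constructed subset of the rows (path and libmagic type copied from the table, with the long type strings shortened) and applies three checks a responder would make before opening anything: an extension that does not match the detected content (avsfaq.rar is reported as ASCII text), PE images written under the user profile, and a stand-alone extractor dropped next to archives. The expected-type table, the extractor list and the allow-list for Windows Installer's Add/Remove Programs icons under %APPDATA%\Microsoft\Installer\{ProductCode}\ are the editor's assumptions, not the sandbox's rules, and each finding is a prompt to look closer rather than a verdict.

```python
"""Triage heuristics run over rows of a sandbox "Files" table (added example)."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Dropped:
    path: str
    magic: str  # libmagic description as the sandbox reported it


NOQOT = r"C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp"
# Constructed subset of the table above; the long type strings are shortened.
RECORDS = [
    Dropped(NOQOT + r"\NVIDIA GeForce Experience.exe", "PE32+ executable (GUI) x86-64, for MS Windows"),
    Dropped(NOQOT + r"\Required\avsfaq.rar", "ASCII text, with very long lines (65536), with no line terminators"),
    Dropped(NOQOT + r"\Required\trup_si.rar", "RAR archive data, v5"),
    Dropped(NOQOT + r"\guirq.rar", "RAR archive data, v5"),
    Dropped(NOQOT + r"\UnRAR.exe", "PE32+ executable (console) x86-64, for MS Windows"),
    Dropped(NOQOT + r"\smartgit.exe", "PE32+ executable (GUI) x86-64, for MS Windows"),
    Dropped(r"C:\Users\user\AppData\Roaming\Microsoft\Installer\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\icon_33.exe",
            "MS Windows icon resource - 9 icons, 256x256 with PNG image data"),
    Dropped(r"C:\Windows\Installer\MSI2F4.tmp", "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"),
    Dropped(r"C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\welcome.html",
            "HTML document, ASCII text"),
]

# Assumption: the libmagic prefix each extension should carry (editor's table, not the sandbox's).
EXPECTED_MAGIC = {
    ".exe": r"^PE32", ".dll": r"^PE32", ".msi": r"MSI Installer", ".rar": r"^RAR archive",
    ".png": r"^PNG image", ".svg": r"SVG", ".html": r"^HTML document", ".jmod": r"^Java jmod",
}
# Windows Installer stores Add/Remove Programs icons from the MSI Icon table under
# %APPDATA%\Microsoft\Installer\{ProductCode}\ using the Icon-table name (often *.exe).
ARP_ICON_DIR = re.compile(r"\\Microsoft\\Installer\\\{[0-9A-Fa-f-]{36}\}\\")
USER_PROFILE = re.compile(r"^[A-Za-z]:\\Users\\")
ARCHIVE_EXTS = {".rar", ".zip", ".7z"}
EXTRACTORS = {"unrar.exe", "7z.exe", "7za.exe"}  # assumption: stand-alone extractors to watch for


def _ext(rec: Dropped) -> str:
    return ntpath.splitext(ntpath.basename(rec.path))[1].lower()


def extension_mismatch(rec: Dropped):
    """Reason when the extension promises one format and libmagic saw another."""
    pattern = EXPECTED_MAGIC.get(_ext(rec))
    if pattern is None or re.search(pattern, rec.magic):
        return None
    if rec.magic.startswith("MS Windows icon") and ARP_ICON_DIR.search(rec.path):
        return None  # expected Windows Installer behaviour, not a disguised file
    return f"named {_ext(rec)} but content is {rec.magic.split(',')[0]}"


def pe_in_user_profile(rec: Dropped):
    """PE images under the user profile can be replaced without admin rights."""
    if rec.magic.startswith("PE32") and USER_PROFILE.match(rec.path):
        return "PE image written under a user-writable profile path"
    return None


def extractor_staged_with_archives(rec: Dropped, records):
    """A stand-alone extractor next to archives suggests a second-stage unpack step."""
    if ntpath.basename(rec.path).lower() not in EXTRACTORS:
        return None
    tree = ntpath.dirname(rec.path).lower() + "\\"
    archives = sorted(ntpath.basename(r.path) for r in records
                      if _ext(r) in ARCHIVE_EXTS and r.path.lower().startswith(tree))
    return "archive extractor dropped alongside " + ", ".join(archives) if archives else None


def triage(records):
    """Return (path, reason) pairs; one record may yield several reasons."""
    findings = []
    for rec in records:
        for reason in (extension_mismatch(rec), pe_in_user_profile(rec),
                       extractor_staged_with_archives(rec, records)):
            if reason:
                findings.append((rec.path, reason))
    return findings


def reasons_for(records, basename: str):
    """Reasons raised for one file name, in the order triage() emits them."""
    return [r for p, r in triage(records) if ntpath.basename(p).lower() == basename.lower()]


if __name__ == "__main__":
    for path, reason in triage(RECORDS):
        print(f"{reason:<60} {path}")
```

On the rows above this flags the .rar that is really text, every PE placed under AppData\Roaming, and UnRAR.exe sitting next to three .rar files, while leaving the installer's own cached icon and the MSI*.tmp custom-action DLLs under C:\Windows\Installer alone. Extending it to the full table is a matter of pasting the remaining rows into RECORDS.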

Processes

Path | Cmdline | Malicious
C:\Windows\System32\msiexec.exe | "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\app__v7.3.5_.msi" |
C:\Windows\System32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
C:\Windows\SysWOW64\msiexec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 01297D2E2EDE3162BB91A5AD2CF048CC |

URLs

Name | IP | Malicious
https://check-key.com/licenseUser.php | 104.21.1.209 | malicious
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | unknown |
https://check-key.com/licenseUser.phpDoAppSearchExAI_SET_RESUMEAI_SET_INSTALLSendCollectedDataAI_Ext | unknown |
https://sectigo.com/CPS0 | unknown |
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | unknown |
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | unknown |
http://ocsp.sectigo.com0 | unknown |
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | unknown |
http://docs.jquery.com/License | unknown |
http://sizzlejs.com/ | unknown |
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | unknown |
http://https:///true1... | unknown |
http://webreflection.blogspot.com/2007/08/global-scope-evaluation-and-dom.html | unknown |
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor | unknown |
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | unknown |
http://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291 | unknown |
http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript | unknown |
http://javascript.nwbox.com/IEContentLoaded/ | unknown |
http://jquery.com/ | unknown |
9 further URLs are not shown.

Domains

Name | IP | Malicious
check-key.com | 104.21.1.209 | malicious

IPs

IP | Domain | Country | Malicious
104.21.1.209 | check-key.com | United States | malicious

Registry

Path | Value name | Malicious
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Owner |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | SessionHash |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 | Sequence |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders | C:\Config.Msi\ |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts | C:\Config.Msi\480497.rbs |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts | C:\Config.Msi\480497.rbsLow |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders | C:\Users\user\AppData\Roaming\Microsoft\Installer\ |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\61A469CFD9BAFEA40A993A392563EBD4 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\296D0B16CDD8D824A867B2B957512C71 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\ECA8285CB8CB3BF49A8AA9E2B5D1D342 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\B7FC879F61A5B7D4CA4DF936DEF5658A | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\80CF82D352D1C08478860F9CE5A6D934 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\A50730CC4FA26A24C92BEDDA7936E61A | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\2D1033F980F58D941AFD32E345E6F9B4 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\07127436A8A2F3849AC27115146D6E1C | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\E12E84E2FECEEB2498EE976A78E2DF2E | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\C33BBCCA5F3391247B77EF8553247CE8 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\5DCC38DE69E57F34DB085988751E2C9A | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\BA42363B1DA39E541BEDDFE547025E75 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\1A91A2D4E5D12464BA4D9FAD99E2C7BB | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\5DE3D7E0B010CC04D935638594AF2C40 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\327A26A4846FF9946A0B8DDA68C6B303 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\C6519B46E148DF64886E6FEB8E54C3F5 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\3C4E0B5D0D1184940A4ECF60D6FEF8ED | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\56CD3A7951908384680301953D0A9A47 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\75051ABF07C321C44A33BE1B8F60E876 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\2712BA7C8D41F284480372E0B42A012F | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\36A38309C2734B448AEDD72491916196 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\52885984284E1E24197775A1540D88C6 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\3EFB0612225C0B74DB59C281F05C2FAD | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\B810A0A35B283FA4E8EDEA08C64B6CF9 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\4320B1324C9CF5040B8DDAB38C1A3820 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\BEF1F3EE8EA48B143BD98E302ABB3A56 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\B1381675DF6340E45A88371FA62DCDF0 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\D115FF682EA3CE444A542A5296874F21 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\5C41BC78887B05E4F8360D98F1442D8B | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\730EE675F14035F4EAD8129B0E824ADE | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\9653529A7F2F1B84A9C20121815B9E8A | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\1E556F853F74AB0448BA87E1E8B8D21F | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\47D83DAD26EE98B4BBAA45A4E9B0C29A | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\9810FA074A600B24981ED0B57C92A6AC | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\1312DA5FA69A2F641BA7B4F9A58E568C | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\5AD9F469363667649B1B246BF92F88A2 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\F5C22E98068626F49A37E7974627C2DC | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\58E20722EF4DA27459695A9484060EEB | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\4F232344672793B43816B7239E608665 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\CD64119DBC54D99448841D90395DA357 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\008FBBA8EB3DEF24287301A00E5D2139 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\F74401AE1915A334B947DB482D492FDB | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\132B359E5491B7449809CA9715284D85 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\5BF9386472632B74D982D7260F9068B1 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\F5DA669D27E7D294A8504105E7AB5487 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\8969A7B99B1FBC2478428E635041A998 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\F7A9B6B94FBF7C046A1BB3F761C76731 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\DB198804C46406544A552DEDE9D9A583 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\D4C1238CEFE72EA4AA2AFBEAF118043D | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\ACB788C7FEF480542B2FA54206D6EC45 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\EBB41B9A5A377D14D8627A91AC55B490 | EFEE82E319251E34AA164E3DB5164119 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders | C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\ |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders | C:\Users\user\AppData\Roaming\Haye Cosq\ |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders | C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\ |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders | C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\bin\ |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders | C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\ |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders | C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\ |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders | C:\Users\user\AppData\Roaming\Microsoft\Installer\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\ |
HKEY_CURRENT_USER\SOFTWARE\Haye Cosq\{B636E124-5B72-4CF7-9CFF-A56F7D601257} | LanguageIdent |
HKEY_CURRENT_USER\SOFTWARE\Caphyon\Advanced Installer\Prereqs\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\6.4.3 | C4FE6FD5B7C4D07B3A313E754A9A6A8 |
HKEY_CURRENT_USER\SOFTWARE\Haye Cosq\NoqotApp | Version |
HKEY_CURRENT_USER\SOFTWARE\Haye Cosq\NoqotApp | Path |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings | JITDebug |
60 further registry entries are not shown.