Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
file.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\ECGHJJEHDHCA\BFCGDA
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4,
UTF-8, version-valid-for 1
|
dropped
|
||
|
C:\ProgramData\ECGHJJEHDHCA\BGDGHJ
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4,
UTF-8, version-valid-for 1
|
dropped
|
||
|
C:\ProgramData\ECGHJJEHDHCA\DBKKFC
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8,
version-valid-for 4
|
dropped
|
||
|
C:\ProgramData\ECGHJJEHDHCA\EBGDHJ
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8,
version-valid-for 7
|
dropped
|
||
|
C:\ProgramData\ECGHJJEHDHCA\FBKECF
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie
0x21, schema 4, UTF-8, version-valid-for 3
|
dropped
|
||
|
C:\ProgramData\ECGHJJEHDHCA\HJJKFB
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie
0xb, schema 4, UTF-8, version-valid-for 1
|
dropped
|
||
|
C:\ProgramData\ECGHJJEHDHCA\IDAEHC
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie
0xe, schema 4, UTF-8, version-valid-for 1
|
dropped
|
||
|
C:\ProgramData\ECGHJJEHDHCA\JEHIID
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie
0x36, schema 4, UTF-8, version-valid-for 8
|
modified
|
||
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
|
Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks,
0x1 compression
|
dropped
|
||
|
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\sqls[1].dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
There are 2 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\file.exe
|
"C:\Users\user\Desktop\file.exe"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
|
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://t.me/r8z0l
|
149.154.167.99
|
|
|
|
https://steamcommunity.com/profiles/76561199698764354
|
|
||
|
https://116.202.190.18/
|
unknown
|
||
|
https://duckduckgo.com/chrome_newtab
|
unknown
|
||
|
https://116.202.190.18:5432/softokn3.dllP
|
unknown
|
||
|
https://duckduckgo.com/ac/?q=
|
unknown
|
||
|
https://116.202.190.18:5432l
|
unknown
|
||
|
https://web.telegram.org
|
unknown
|
||
|
https://116.202.190.18:5432/msvcp140.dlldge
|
unknown
|
||
|
http://ocsp.entrust.net03
|
unknown
|
||
|
http://ocsp.entrust.net02
|
unknown
|
||
|
https://116.202.190.18:5432/softokn3.dll
|
unknown
|
||
|
https://116.202.190.18:5432/vcruntime140.dllIQ=E
|
unknown
|
||
|
https://116.202.190.18:5432/freebl3.dllEdge
|
unknown
|
||
|
https://116.202.190.18:5432/freebl3.dlla
|
unknown
|
||
|
https://116.202.190.18:5432Content-Disposition:
|
unknown
|
||
|
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
|
unknown
|
||
|
https://116.202.190.18:5432/sqls.dll
|
unknown
|
||
|
https://116.202.190.18:5432/reebl3.dll
|
unknown
|
||
|
https://116.202.190.18:5432/softokn3.dllZ
|
unknown
|
||
|
https://116.202.190.18:5432/mozglue.dllEdge
|
unknown
|
||
|
https://116.202.190.18:5432/freebl3.dll
|
unknown
|
||
|
https://116.202.190.18:5432/vcruntime140.dll9
|
unknown
|
||
|
https://116.202.190.18:5432/mozglue.dlls
|
unknown
|
||
|
https://116.202.190.18:5432/nss3.dll
|
unknown
|
||
|
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
|
unknown
|
||
|
https://116.202.190.18:5432/vcruntime140.dll/
|
unknown
|
||
|
https://116.202.190.18:5432/vcruntime140.dllser
|
unknown
|
||
|
https://t.me/i
|
unknown
|
||
|
http://crl.entrust.net/ts1ca.crl0
|
unknown
|
||
|
https://116.202.190.18:5432/sqls.dllx
|
unknown
|
||
|
https://116.202.190.18:5432/vcruntime140.dll
|
unknown
|
||
|
https://116.202.190.18:5432
|
unknown
|
||
|
http://www.sqlite.org/copyright.html.
|
unknown
|
||
|
https://116.202.190.18:5432/
|
unknown
|
||
|
https://116.202.190.18:5432fold
|
unknown
|
||
|
https://116.202.190.18:5432/.190.18:5432/
|
unknown
|
||
|
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
|
unknown
|
||
|
https://t.me/w
|
unknown
|
||
|
https://116.202.190.18:5432/oft
|
unknown
|
||
|
http://www.entrust.net/rpa03
|
unknown
|
||
|
https://116.202.190.18:5432/nss3.dllO
|
unknown
|
||
|
https://116.202.190.18:5432/My
|
unknown
|
||
|
https://116.202.190.18:5432/softokn3.dllOMh
|
unknown
|
||
|
https://116.202.190.18:5432/mozglue.dll
|
unknown
|
||
|
http://aia.entrust.net/ts1-chain256.cer01
|
unknown
|
||
|
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
|
unknown
|
||
|
https://116.202.190.18:5432A
|
unknown
|
||
|
https://116.202.190.18:5432ing
|
unknown
|
||
|
https://www.ecosia.org/newtab/
|
unknown
|
||
|
https://116.202.190.18:5432/msvcp140.dll
|
unknown
|
||
|
https://116.202.190.18:5432/nss3.dllft
|
unknown
|
||
|
https://116.202.190.18:5432/vcruntime140.dllUser
|
unknown
|
||
|
https://ac.ecosia.org/autocomplete?q=
|
unknown
|
||
|
https://116.202.190.18:5432/ng
|
unknown
|
||
|
https://116.202.190.18:5432/softokn3.dlldge
|
unknown
|
||
|
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
|
unknown
|
||
|
https://t.me/r8z0lF
|
unknown
|
||
|
http://crl.entrust.net/2048ca.crl0
|
unknown
|
||
|
https://www.entrust.net/rpa0
|
unknown
|
||
|
https://116.202.190.18:5432AMicrosoft
|
unknown
|
||
|
https://116.202.190.18:5432c84cgle
|
unknown
|
There are 52 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
t.me
|
149.154.167.99
|
|
|
|
198.187.3.20.in-addr.arpa
|
unknown
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
149.154.167.99
|
t.me
|
United Kingdom
|
|
|
|
116.202.190.18
|
unknown
|
Germany
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
400000
|
remote allocation
|
page execute and read and write
|
|
|
|
1023000
|
unkown
|
page read and write
|
|
|
|
1B8CF000
|
direct allocation
|
page readonly
|
||
|
99CF000
|
stack
|
page read and write
|
||
|
1570000
|
heap
|
page read and write
|
||
|
11B4000
|
heap
|
page read and write
|
||
|
FF0000
|
unkown
|
page readonly
|
||
|
12D70000
|
heap
|
page read and write
|
||
|
4B6000
|
remote allocation
|
page execute and read and write
|
||
|
1290000
|
heap
|
page read and write
|
||
|
1017000
|
unkown
|
page readonly
|
||
|
11C9000
|
heap
|
page read and write
|
||
|
122D000
|
heap
|
page read and write
|
||
|
491000
|
remote allocation
|
page execute and read and write
|
||
|
1056000
|
unkown
|
page read and write
|
||
|
116E000
|
stack
|
page read and write
|
||
|
B3C000
|
stack
|
page read and write
|
||
|
1B8C2000
|
direct allocation
|
page read and write
|
||
|
129E000
|
heap
|
page read and write
|
||
|
E44E000
|
stack
|
page read and write
|
||
|
1393000
|
heap
|
page read and write
|
||
|
4D5000
|
remote allocation
|
page execute and read and write
|
||
|
BE0000
|
heap
|
page read and write
|
||
|
1023000
|
unkown
|
page write copy
|
||
|
1890000
|
heap
|
page read and write
|
||
|
1268000
|
heap
|
page read and write
|
||
|
105A000
|
unkown
|
page readonly
|
||
|
1B688000
|
direct allocation
|
page execute read
|
||
|
10EE000
|
stack
|
page read and write
|
||
|
1B8EC000
|
heap
|
page read and write
|
||
|
15920000
|
heap
|
page read and write
|
||
|
F70000
|
heap
|
page read and write
|
||
|
12A7000
|
heap
|
page read and write
|
||
|
176F000
|
stack
|
page read and write
|
||
|
E30E000
|
stack
|
page read and write
|
||
|
1B8CA000
|
direct allocation
|
page readonly
|
||
|
1050000
|
heap
|
page read and write
|
||
|
1567B000
|
heap
|
page read and write
|
||
|
12F0E000
|
stack
|
page read and write
|
||
|
10AE000
|
heap
|
page read and write
|
||
|
1534D000
|
stack
|
page read and write
|
||
|
1088D000
|
stack
|
page read and write
|
||
|
1B88D000
|
direct allocation
|
page execute read
|
||
|
62F000
|
remote allocation
|
page execute and read and write
|
||
|
497000
|
remote allocation
|
page execute and read and write
|
||
|
157E000
|
heap
|
page read and write
|
||
|
EF3000
|
stack
|
page read and write
|
||
|
FF0000
|
unkown
|
page readonly
|
||
|
56E000
|
remote allocation
|
page execute and read and write
|
||
|
11EC000
|
heap
|
page read and write
|
||
|
DED000
|
stack
|
page read and write
|
||
|
48E000
|
remote allocation
|
page execute and read and write
|
||
|
1280000
|
heap
|
page read and write
|
||
|
1B8CD000
|
direct allocation
|
page readonly
|
||
|
11C6000
|
heap
|
page read and write
|
||
|
FF1000
|
unkown
|
page execute read
|
||
|
640000
|
remote allocation
|
page execute and read and write
|
||
|
1B680000
|
direct allocation
|
page execute and read and write
|
||
|
12D74000
|
heap
|
page read and write
|
||
|
BA0000
|
heap
|
page read and write
|
||
|
11AE000
|
stack
|
page read and write
|
||
|
FBE000
|
stack
|
page read and write
|
||
|
1B681000
|
direct allocation
|
page execute read
|
||
|
15922000
|
heap
|
page read and write
|
||
|
BE4C000
|
stack
|
page read and write
|
||
|
9A0D000
|
stack
|
page read and write
|
||
|
1130000
|
heap
|
page read and write
|
||
|
F50000
|
heap
|
page read and write
|
||
|
10F0000
|
heap
|
page read and write
|
||
|
1571B000
|
heap
|
page read and write
|
||
|
14FF000
|
stack
|
page read and write
|
||
|
453000
|
remote allocation
|
page execute and read and write
|
||
|
1397000
|
heap
|
page read and write
|
||
|
1585B000
|
heap
|
page read and write
|
||
|
15490000
|
heap
|
page read and write
|
||
|
155C0000
|
heap
|
page read and write
|
||
|
155D5000
|
heap
|
page read and write
|
||
|
10F5000
|
heap
|
page read and write
|
||
|
1B7E6000
|
direct allocation
|
page execute read
|
||
|
157A000
|
heap
|
page read and write
|
||
|
186F000
|
stack
|
page read and write
|
||
|
1B898000
|
direct allocation
|
page readonly
|
||
|
FF1000
|
unkown
|
page execute read
|
||
|
EFE000
|
stack
|
page read and write
|
||
|
BB0000
|
heap
|
page read and write
|
||
|
113A000
|
heap
|
page read and write
|
||
|
EED000
|
stack
|
page read and write
|
||
|
15879000
|
heap
|
page read and write
|
||
|
1B88F000
|
direct allocation
|
page readonly
|
||
|
15714000
|
heap
|
page read and write
|
||
|
105A000
|
unkown
|
page readonly
|
||
|
BE8E000
|
stack
|
page read and write
|
||
|
1193000
|
heap
|
page read and write
|
||
|
10A0000
|
heap
|
page read and write
|
||
|
12D5F000
|
stack
|
page read and write
|
||
|
1017000
|
unkown
|
page readonly
|
||
|
FC0000
|
direct allocation
|
page execute and read and write
|
||
|
10A5000
|
heap
|
page read and write
|
||
|
1548C000
|
stack
|
page read and write
|
||
|
E2CE000
|
stack
|
page read and write
|
||
|
1538C000
|
stack
|
page read and write
|
||
|
F60000
|
heap
|
page read and write
|
||
|
E40F000
|
stack
|
page read and write
|
||
|
1091E000
|
stack
|
page read and write
|
There are 94 hidden memdumps, click here to show them.