Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
un78exGoa4.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\BGDAAKJJDAAKFHJKJKFCAEHDAF
|
SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages
2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
|
dropped
|
||
|
C:\ProgramData\BYIMNPJCRL.xlsx
|
ASCII text, with very long lines (1024), with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\CZQKSDDMWR.xlsx
|
ASCII text, with very long lines (1024), with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\DUKNXICOZT.docx
|
ASCII text, with very long lines (1024), with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\DUKNXICOZT.xlsx
|
ASCII text, with very long lines (1024), with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\FCFIJEBF
|
SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie
0x3d, schema 4, UTF-8, version-valid-for 3
|
dropped
|
||
|
C:\ProgramData\GIGIYTFFYT.docx
|
ASCII text, with very long lines (1024), with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\GLTYDMDUST.docx
|
ASCII text, with very long lines (1024), with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\GNLQNHOLWB.docx
|
ASCII text, with very long lines (1024), with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\HDHCGHDHIDHCBGCBGCAE
|
SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie
0x19, schema 4, UTF-8, version-valid-for 2
|
dropped
|
||
|
C:\ProgramData\HVLFEFMHHB.xlsx
|
ASCII text, with very long lines (1024), with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\JDDHMPCDUJ.docx
|
ASCII text, with very long lines (1024), with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\KLIZUSIQEN.docx
|
ASCII text, with very long lines (1024), with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\KLIZUSIQEN.xlsx
|
ASCII text, with very long lines (1024), with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\QCOILOQIKC.docx
|
ASCII text, with very long lines (1024), with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\QCOILOQIKC.xlsx
|
ASCII text, with very long lines (1024), with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\SNIPGPPREP.xlsx
|
ASCII text, with very long lines (1024), with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\TQDFJHPUIU.docx
|
ASCII text, with very long lines (1024), with CRLF line terminators
|
dropped
|
||
|
C:\ProgramData\ZIPXYXWIOY.xlsx
|
ASCII text, with very long lines (1024), with CRLF line terminators
|
dropped
|
There are 10 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\un78exGoa4.exe
|
C:\Users\user\Desktop\un78exGoa4.exe
|
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\un78exGoa4.exe" & del "C:\ProgramData\*.dll""
& exit
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\SysWOW64\timeout.exe
|
timeout /t 5
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://ronaldlitt.top/25d4fc7fb0cb6b78.php
|
193.106.175.215
|
|
|
|
http://ronaldlitt.top/3abdf8b5527012d0/sqlite3.dll
|
193.106.175.215
|
|
|
|
https://ac.ecosia.org/autocomplete?q=
|
unknown
|
||
|
https://search.yahoo.com?fr=crmas_sfp
|
unknown
|
||
|
http://ronaldlitt.top/3abdf8b5527012d0/sqlite3.dllY
|
unknown
|
||
|
https://duckduckgo.com/chrome_newtab
|
unknown
|
||
|
http://ronaldlitt.top/25d4fc7fb0cb6b78.phption:
|
unknown
|
||
|
https://duckduckgo.com/ac/?q=
|
unknown
|
||
|
http://ronaldlitt.top/25d4fc7fb0cb6b78.php89c6ee431893fde88e49579e17ef5
|
unknown
|
||
|
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
|
unknown
|
||
|
https://search.yahoo.com?fr=crmas_sfpf
|
unknown
|
||
|
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
|
unknown
|
||
|
http://ronaldlitt.top
|
unknown
|
||
|
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
|
unknown
|
||
|
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
|
unknown
|
||
|
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
|
unknown
|
||
|
http://ronaldlitt.top/3abdf8b5527012d0/sqlite3.dll5
|
unknown
|
||
|
http://www.sqlite.org/copyright.html.
|
unknown
|
There are 8 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
ronaldlitt.top
|
193.106.175.215
|
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
193.106.175.215
|
ronaldlitt.top
|
Russian Federation
|
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\f0\52C64B7E
|
@C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\oregres.dll,-301
|
||
|
HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\f0\52C64B7E
|
@C:\Program Files (x86)\Common Files\Microsoft Shared\Office16\oregres.dll,-305
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
6B5000
|
heap
|
page read and write
|
|
|
|
2567000
|
heap
|
page read and write
|
||
|
3FF77000
|
heap
|
page read and write
|
||
|
26BE000
|
stack
|
page read and write
|
||
|
1F0000
|
heap
|
page read and write
|
||
|
66F000
|
unkown
|
page readonly
|
||
|
38B7E000
|
heap
|
page read and write
|
||
|
61E01000
|
direct allocation
|
page execute read
|
||
|
2567000
|
heap
|
page read and write
|
||
|
2583000
|
heap
|
page read and write
|
||
|
7BB000
|
heap
|
page read and write
|
||
|
307C000
|
stack
|
page read and write
|
||
|
2555000
|
heap
|
page read and write
|
||
|
4E5000
|
unkown
|
page execute and read and write
|
||
|
32B30000
|
trusted library allocation
|
page read and write
|
||
|
6CA000
|
heap
|
page read and write
|
||
|
4D80000
|
heap
|
page read and write
|
||
|
38B2C000
|
heap
|
page read and write
|
||
|
3EB20000
|
heap
|
page read and write
|
||
|
6A0000
|
heap
|
page read and write
|
||
|
30000
|
heap
|
page read and write
|
||
|
257B000
|
heap
|
page read and write
|
||
|
B6E000
|
stack
|
page read and write
|
||
|
3EE8F000
|
heap
|
page read and write
|
||
|
424000
|
unkown
|
page execute and read and write
|
||
|
2DD0000
|
heap
|
page read and write
|
||
|
61ED4000
|
direct allocation
|
page readonly
|
||
|
26FD000
|
stack
|
page read and write
|
||
|
3ECCC000
|
heap
|
page read and write
|
||
|
329BE000
|
stack
|
page read and write
|
||
|
2573000
|
heap
|
page read and write
|
||
|
429000
|
unkown
|
page execute and read and write
|
||
|
3ECD8000
|
heap
|
page read and write
|
||
|
3EC80000
|
heap
|
page read and write
|
||
|
2567000
|
heap
|
page read and write
|
||
|
2700000
|
heap
|
page read and write
|
||
|
3220000
|
heap
|
page read and write
|
||
|
7B7000
|
heap
|
page read and write
|
||
|
6C0000
|
heap
|
page read and write
|
||
|
254D000
|
heap
|
page read and write
|
||
|
3F960000
|
heap
|
page read and write
|
||
|
255F000
|
heap
|
page read and write
|
||
|
337F000
|
stack
|
page read and write
|
||
|
61ED0000
|
direct allocation
|
page read and write
|
||
|
38B0C000
|
heap
|
page read and write
|
||
|
41D000
|
unkown
|
page execute and read and write
|
||
|
30E0000
|
heap
|
page read and write
|
||
|
3266F000
|
stack
|
page read and write
|
||
|
38B39000
|
heap
|
page read and write
|
||
|
627000
|
unkown
|
page execute and read and write
|
||
|
61EB7000
|
direct allocation
|
page readonly
|
||
|
83E000
|
stack
|
page read and write
|
||
|
303C000
|
stack
|
page read and write
|
||
|
6B0000
|
heap
|
page read and write
|
||
|
7BD000
|
heap
|
page read and write
|
||
|
70A000
|
heap
|
page read and write
|
||
|
3F9EA000
|
stack
|
page read and write
|
||
|
3FA2E000
|
stack
|
page read and write
|
||
|
3EC84000
|
heap
|
page read and write
|
||
|
2410000
|
direct allocation
|
page execute and read and write
|
||
|
429000
|
unkown
|
page write copy
|
||
|
2565000
|
heap
|
page read and write
|
||
|
2583000
|
heap
|
page read and write
|
||
|
61E00000
|
direct allocation
|
page execute and read and write
|
||
|
A2F000
|
stack
|
page read and write
|
||
|
30F0000
|
heap
|
page read and write
|
||
|
7AD000
|
heap
|
page read and write
|
||
|
3F86C000
|
stack
|
page read and write
|
||
|
857000
|
heap
|
page read and write
|
||
|
3256F000
|
stack
|
page read and write
|
||
|
7B3000
|
heap
|
page read and write
|
||
|
267E000
|
stack
|
page read and write
|
||
|
2510000
|
heap
|
page read and write
|
||
|
3246F000
|
stack
|
page read and write
|
||
|
5B6000
|
unkown
|
page execute and read and write
|
||
|
38B82000
|
heap
|
page read and write
|
||
|
38AA0000
|
heap
|
page read and write
|
||
|
255B000
|
heap
|
page read and write
|
||
|
2564000
|
heap
|
page read and write
|
||
|
61ECC000
|
direct allocation
|
page read and write
|
||
|
38B1A000
|
heap
|
page read and write
|
||
|
4B9F000
|
stack
|
page read and write
|
||
|
32B34000
|
heap
|
page read and write
|
||
|
7FE000
|
stack
|
page read and write
|
||
|
61ECD000
|
direct allocation
|
page readonly
|
||
|
328BE000
|
stack
|
page read and write
|
||
|
850000
|
heap
|
page read and write
|
||
|
24BE000
|
stack
|
page read and write
|
||
|
2540000
|
heap
|
page read and write
|
||
|
32A31000
|
heap
|
page read and write
|
||
|
32A30000
|
heap
|
page read and write
|
||
|
61EB4000
|
direct allocation
|
page read and write
|
||
|
734000
|
heap
|
page read and write
|
||
|
6D9000
|
heap
|
page execute and read and write
|
||
|
3276F000
|
stack
|
page read and write
|
||
|
38B41000
|
heap
|
page read and write
|
||
|
2530000
|
heap
|
page read and write
|
||
|
615000
|
unkown
|
page execute and read and write
|
||
|
198000
|
stack
|
page read and write
|
||
|
3ECA0000
|
heap
|
page read and write
|
||
|
2567000
|
heap
|
page read and write
|
||
|
855000
|
heap
|
page read and write
|
||
|
3FB2C000
|
stack
|
page read and write
|
||
|
400000
|
unkown
|
page readonly
|
||
|
2559000
|
heap
|
page read and write
|
||
|
401000
|
unkown
|
page execute read
|
||
|
38B34000
|
heap
|
page read and write
|
||
|
66F000
|
unkown
|
page readonly
|
||
|
C6F000
|
stack
|
page read and write
|
||
|
2584000
|
heap
|
page read and write
|
||
|
30F7000
|
heap
|
page read and write
|
||
|
333E000
|
stack
|
page read and write
|
||
|
2430000
|
direct allocation
|
page read and write
|
||
|
3ECD2000
|
heap
|
page read and write
|
||
|
4B5E000
|
stack
|
page read and write
|
||
|
254A000
|
heap
|
page read and write
|
||
|
9C000
|
stack
|
page read and write
|
||
|
38B14000
|
heap
|
page read and write
|
||
|
3286A000
|
stack
|
page read and write
|
||
|
192000
|
stack
|
page read and write
|
||
|
B2F000
|
stack
|
page read and write
|
||
|
38B22000
|
heap
|
page read and write
|
||
|
257B000
|
heap
|
page read and write
|
||
|
6EF000
|
heap
|
page read and write
|
||
|
2566000
|
heap
|
page read and write
|
||
|
400000
|
unkown
|
page execute and read and write
|
||
|
3ED83000
|
heap
|
page read and write
|
||
|
61ED3000
|
direct allocation
|
page read and write
|
||
|
24FE000
|
stack
|
page read and write
|
||
|
2566000
|
heap
|
page read and write
|
||
|
3F96A000
|
heap
|
page read and write
|
||
|
2573000
|
heap
|
page read and write
|
There are 122 hidden memdumps, click here to show them.