Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
file.exe
|
PE32 executable (GUI) Intel 80386, for MS Windows
|
initial sample
|
 |
|
|
C:\ProgramData\CFCFCAAAAFBA\freebl3.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\ProgramData\CFCFCAAAAFBA\mozglue.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\ProgramData\CFCFCAAAAFBA\msvcp140.dll
|
PE32 executable (DLL) (console) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\ProgramData\CFCFCAAAAFBA\nss3.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\ProgramData\CFCFCAAAAFBA\softokn3.dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\ProgramData\CFCFCAAAAFBA\vcruntime140.dll
|
PE32 executable (DLL) (console) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\ProgramData\EGDGCGCFHIEHIDGDBAAEHJDAFB
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8,
version-valid-for 7
|
dropped
|
||
|
C:\ProgramData\EGHJKFHJ
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie
0x21, schema 4, UTF-8, version-valid-for 3
|
dropped
|
||
|
C:\ProgramData\FCGIJDBAFCBAAKECGDGC
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie
0xe, schema 4, UTF-8, version-valid-for 1
|
dropped
|
||
|
C:\ProgramData\FHJDAAEG
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4,
UTF-8, version-valid-for 1
|
dropped
|
||
|
C:\ProgramData\FIJKEHJJDAAKFHIDAKFH
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie
0xb, schema 4, UTF-8, version-valid-for 1
|
dropped
|
||
|
C:\ProgramData\GIJDAFBKFIECBGCAKECGHIIIEB
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8,
version-valid-for 5
|
dropped
|
||
|
C:\ProgramData\KFBFCAFC
|
SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4,
UTF-8, version-valid-for 1
|
dropped
|
||
|
C:\ProgramData\KFIJJJEB
|
SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie
0x36, schema 4, UTF-8, version-valid-for 7
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\freebl3[1].dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\mozglue[1].dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\msvcp140[1].dll
|
PE32 executable (DLL) (console) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\nss3[1].dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\softokn3[1].dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\vcruntime140[1].dll
|
PE32 executable (DLL) (console) Intel 80386, for MS Windows
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\76561199680449169[1].htm
|
HTML document, Unicode text, UTF-8 text, with very long lines (3041), with CRLF, LF line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\sqlx[1].dll
|
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
|
dropped
|
There are 13 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Users\user\Desktop\file.exe
|
"C:\Users\user\Desktop\file.exe"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
|
|
|
|
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
|
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
|
|
|
|
C:\Windows\SysWOW64\cmd.exe
|
"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CFCFCAAAAFBA" & exit
|
||
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
||
|
C:\Windows\SysWOW64\timeout.exe
|
timeout /t 10
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
https://95.217.242.142/msvcp140.dll
|
95.217.242.142
|
||
|
https://steamcommunity.com/my/wishlist/
|
unknown
|
||
|
https://duckduckgo.com/chrome_newtab
|
unknown
|
||
|
https://duckduckgo.com/ac/?q=
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.j
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
|
unknown
|
||
|
https://95.217.242.142/vcruntime140.dll
|
95.217.242.142
|
||
|
https://steamcommunity.com/?subsection=broadcasts
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6
|
unknown
|
||
|
https://help.steampowered.com/en/
|
unknown
|
||
|
https://steamcommunity.com/market/
|
unknown
|
||
|
https://steamcommunity.com/profiles/76561199680449169y
|
unknown
|
||
|
https://store.steampowered.com/news/
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis
|
unknown
|
||
|
https://store.steampowered.com/subscriber_agreement/
|
unknown
|
||
|
https://95.217.242.142/mozglue.dll
|
95.217.242.142
|
||
|
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
|
unknown
|
||
|
http://store.steampowered.com/subscriber_agreement/
|
unknown
|
||
|
https://steamcommunity.com/login/home/?goto=profiles%2F76561199680449169
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
|
unknown
|
||
|
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
|
unknown
|
||
|
https://steamcommunity.com/profiles/76561199680449169
|
23.210.138.105
|
||
|
https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
|
unknown
|
||
|
https://95.217.242.142/i
|
unknown
|
||
|
http://www.valvesoftware.com/legal.htm
|
unknown
|
||
|
https://steamcommunity.com/discussions/
|
unknown
|
||
|
https://95.217.242.142/
|
95.217.242.142
|
||
|
https://t.me/r1g1o
|
unknown
|
||
|
https://store.steampowered.com/stats/
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&
|
unknown
|
||
|
https://store.steampowered.com/steam_refunds/
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
|
unknown
|
||
|
https://95.217.242.142/sqlx.dll
|
95.217.242.142
|
||
|
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
|
unknown
|
||
|
https://95.217.242.142
|
unknown
|
||
|
https://95.217.242.1421d37fba79nt-Disposition:
|
unknown
|
||
|
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
|
unknown
|
||
|
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
|
unknown
|
||
|
https://steamcommunity.com/workshop/
|
unknown
|
||
|
https://store.steampowered.com/legal/
|
unknown
|
||
|
http://www.sqlite.org/copyright.html.
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&
|
unknown
|
||
|
https://95.217.242.142/vcruntime140.dlll
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
|
unknown
|
||
|
http://www.mozilla.com/en-US/blocklist/
|
unknown
|
||
|
https://mozilla.org0/
|
unknown
|
||
|
https://95.217.242.142/freebl3.dll
|
95.217.242.142
|
||
|
https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
|
unknown
|
||
|
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
|
unknown
|
||
|
https://95.217.242.142/softokn3.dll
|
95.217.242.142
|
||
|
http://store.steampowered.com/privacy_agreement/
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
|
unknown
|
||
|
https://store.steampowered.com/points/shop/
|
unknown
|
||
|
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
|
unknown
|
||
|
https://store.steampowered.com/
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&
|
unknown
|
||
|
https://95.217.242.142/nss3.dll
|
95.217.242.142
|
||
|
https://steamcommunity.com/profiles/76561199680449169/badges
|
unknown
|
||
|
https://www.ecosia.org/newtab/
|
unknown
|
||
|
https://95.217.242.142/nss3.dll(
|
unknown
|
||
|
https://store.steampowered.com/privacy_agreement/
|
unknown
|
||
|
https://steamcommunity.com/profiles/76561199680449169/inventory/
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
|
unknown
|
||
|
https://ac.ecosia.org/autocomplete?q=
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
|
unknown
|
||
|
https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=2VoZa2M8Wh3k&
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&l=engli
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=c4Un
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
|
unknown
|
||
|
http://store.steampowered.com/account/cookiepreferences/
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
|
unknown
|
||
|
https://store.steampowered.com/mobile
|
unknown
|
||
|
https://steamcommunity.com/
|
unknown
|
||
|
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
|
unknown
|
||
|
https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=3gW5J8_jG_Yc&
|
unknown
|
||
|
https://store.steampowered.com/about/
|
unknown
|
There are 77 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
steamcommunity.com
|
23.210.138.105
|
IPs
|
IP
|
Domain
|
Country
|
Malicious
|
|
|---|---|---|---|---|
|
95.217.242.142
|
unknown
|
Germany
|
||
|
23.210.138.105
|
steamcommunity.com
|
United States
|
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
1544000
|
heap
|
page read and write
|
|
|
|
400000
|
remote allocation
|
page execute and read and write
|
|
|
|
209000
|
unkown
|
page read and write
|
|
|
|
6EDB6000
|
unkown
|
page readonly
|
||
|
15F7C000
|
stack
|
page read and write
|
||
|
1705000
|
heap
|
page read and write
|
||
|
9F60000
|
heap
|
page read and write
|
||
|
1715000
|
heap
|
page read and write
|
||
|
1E0000
|
unkown
|
page readonly
|
||
|
14C0000
|
heap
|
page read and write
|
||
|
1FF000
|
unkown
|
page readonly
|
||
|
1E1000
|
unkown
|
page execute read
|
||
|
32F0000
|
heap
|
page read and write
|
||
|
183F000
|
stack
|
page read and write
|
||
|
1132E000
|
stack
|
page read and write
|
||
|
1C50D000
|
direct allocation
|
page execute read
|
||
|
15E1F000
|
stack
|
page read and write
|
||
|
16300000
|
heap
|
page read and write
|
||
|
1420000
|
heap
|
page read and write
|
||
|
16312000
|
heap
|
page read and write
|
||
|
18D0000
|
heap
|
page read and write
|
||
|
FE0000
|
heap
|
page read and write
|
||
|
308E000
|
stack
|
page read and write
|
||
|
20B000
|
unkown
|
page write copy
|
||
|
322E000
|
stack
|
page read and write
|
||
|
13A0000
|
heap
|
page read and write
|
||
|
16294000
|
heap
|
page read and write
|
||
|
209000
|
unkown
|
page write copy
|
||
|
1FF000
|
unkown
|
page readonly
|
||
|
6EDBD000
|
unkown
|
page read and write
|
||
|
C68E000
|
stack
|
page read and write
|
||
|
165A7000
|
heap
|
page read and write
|
||
|
16090000
|
heap
|
page read and write
|
||
|
12FC000
|
stack
|
page read and write
|
||
|
1E0000
|
unkown
|
page readonly
|
||
|
12EB000
|
stack
|
page read and write
|
||
|
164E2000
|
heap
|
page read and write
|
||
|
6EDA0000
|
unkown
|
page readonly
|
||
|
23A000
|
unkown
|
page execute and read and write
|
||
|
1CB5C000
|
stack
|
page read and write
|
||
|
1C542000
|
direct allocation
|
page read and write
|
||
|
12EF000
|
stack
|
page read and write
|
||
|
16500000
|
heap
|
page read and write
|
||
|
160E000
|
heap
|
page read and write
|
||
|
6EDBF000
|
unkown
|
page readonly
|
||
|
15FF000
|
stack
|
page read and write
|
||
|
15BF000
|
heap
|
page read and write
|
||
|
4D10000
|
heap
|
page read and write
|
||
|
1639B000
|
heap
|
page read and write
|
||
|
16080000
|
heap
|
page read and write
|
||
|
1370000
|
heap
|
page read and write
|
||
|
15A5000
|
heap
|
page read and write
|
||
|
136E000
|
stack
|
page read and write
|
||
|
1C84B000
|
stack
|
page read and write
|
||
|
135D000
|
stack
|
page read and write
|
||
|
32F8000
|
heap
|
page read and write
|
||
|
76DF000
|
stack
|
page read and write
|
||
|
14CA000
|
heap
|
page read and write
|
||
|
1E1000
|
unkown
|
page execute read
|
||
|
16290000
|
heap
|
page read and write
|
||
|
23C000
|
unkown
|
page readonly
|
||
|
1325000
|
heap
|
page read and write
|
||
|
15E7B000
|
stack
|
page read and write
|
||
|
310E000
|
stack
|
page read and write
|
||
|
1629C000
|
heap
|
page read and write
|
||
|
165A9000
|
heap
|
page read and write
|
||
|
C64D000
|
stack
|
page read and write
|
||
|
3110000
|
heap
|
page read and write
|
||
|
528000
|
remote allocation
|
page execute and read and write
|
||
|
435000
|
remote allocation
|
page execute and read and write
|
||
|
140E000
|
stack
|
page read and write
|
||
|
163A2000
|
heap
|
page read and write
|
||
|
A10D000
|
stack
|
page read and write
|
||
|
FF0000
|
heap
|
page read and write
|
||
|
1C466000
|
direct allocation
|
page execute read
|
||
|
1690000
|
heap
|
page read and write
|
||
|
13A5000
|
heap
|
page read and write
|
||
|
138DE000
|
stack
|
page read and write
|
||
|
431000
|
remote allocation
|
page execute and read and write
|
||
|
56C000
|
remote allocation
|
page execute and read and write
|
||
|
1C300000
|
direct allocation
|
page execute and read and write
|
||
|
1528000
|
heap
|
page read and write
|
||
|
3230000
|
heap
|
page read and write
|
||
|
12F3000
|
stack
|
page read and write
|
||
|
63C000
|
remote allocation
|
page execute and read and write
|
||
|
1CAFA000
|
stack
|
page read and write
|
||
|
179A000
|
heap
|
page read and write
|
||
|
14BE000
|
stack
|
page read and write
|
||
|
1C50F000
|
direct allocation
|
page readonly
|
||
|
1320000
|
heap
|
page read and write
|
||
|
160A000
|
heap
|
page read and write
|
||
|
1C301000
|
direct allocation
|
page execute read
|
||
|
ED9E000
|
stack
|
page read and write
|
||
|
13C0000
|
heap
|
page read and write
|
||
|
1C54F000
|
direct allocation
|
page readonly
|
||
|
1764000
|
heap
|
page read and write
|
||
|
ED3F000
|
stack
|
page read and write
|
||
|
606000
|
remote allocation
|
page execute and read and write
|
||
|
EC3E000
|
stack
|
page read and write
|
||
|
30CF000
|
stack
|
page read and write
|
||
|
1600000
|
heap
|
page read and write
|
||
|
23C000
|
unkown
|
page readonly
|
||
|
1C518000
|
direct allocation
|
page readonly
|
||
|
112DF000
|
stack
|
page read and write
|
||
|
2DDD000
|
stack
|
page read and write
|
||
|
2D9C000
|
stack
|
page read and write
|
||
|
525000
|
remote allocation
|
page execute and read and write
|
||
|
6EDA1000
|
unkown
|
page execute read
|
||
|
1C54A000
|
direct allocation
|
page readonly
|
||
|
125D000
|
stack
|
page read and write
|
||
|
A0CF000
|
stack
|
page read and write
|
||
|
9FCE000
|
stack
|
page read and write
|
||
|
3040000
|
heap
|
page read and write
|
||
|
1386D000
|
stack
|
page read and write
|
||
|
52E000
|
remote allocation
|
page execute and read and write
|
||
|
F7C000
|
stack
|
page read and write
|
||
|
16194000
|
heap
|
page read and write
|
||
|
1C308000
|
direct allocation
|
page execute read
|
||
|
173E000
|
stack
|
page read and write
|
||
|
12FE000
|
stack
|
page read and write
|
||
|
1CC5C000
|
stack
|
page read and write
|
||
|
9C1E000
|
stack
|
page read and write
|
||
|
EBCC000
|
stack
|
page read and write
|
||
|
13B0000
|
heap
|
page read and write
|
||
|
1C54D000
|
direct allocation
|
page readonly
|
There are 115 hidden memdumps, click here to show them.