IOC Report
file.exe


Files

File Path | Type | Category | Malicious
file.exe | PE32 executable (console) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\GHIJJEGDBFII\AEHDAK | SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2 | dropped
C:\ProgramData\GHIJJEGDBFII\CBFIJE | SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3 | dropped
C:\ProgramData\GHIJJEGDBFII\CBFIJE-shm | data | dropped
C:\ProgramData\GHIJJEGDBFII\CFHCGH | SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2 | dropped
C:\ProgramData\GHIJJEGDBFII\GCBFBG | SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2 | dropped
C:\ProgramData\GHIJJEGDBFII\GCBFBG-shm | data | dropped
C:\ProgramData\GHIJJEGDBFII\GDAAKF | SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4 | dropped
C:\ProgramData\GHIJJEGDBFII\GHIJJE | SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1 | dropped
C:\ProgramData\GHIJJEGDBFII\HDAFII | SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11 | dropped
C:\ProgramData\GHIJJEGDBFII\IIDHJD | ASCII text, with very long lines (1809), with CRLF line terminators | dropped
C:\ProgramData\GHIJJEGDBFII\JEGHDA | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3 | dropped
C:\ProgramData\GHIJJEGDBFII\freebl3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped
C:\ProgramData\GHIJJEGDBFII\mozglue.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped
C:\ProgramData\GHIJJEGDBFII\msvcp140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped
C:\ProgramData\GHIJJEGDBFII\nss3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped
C:\ProgramData\GHIJJEGDBFII\softokn3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped
C:\ProgramData\GHIJJEGDBFII\vcruntime140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199686524322[1].htm | HTML document, Unicode text, UTF-8 text, with very long lines (3041), with CRLF, LF line terminators | dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\file.exe | "C:\Users\user\Desktop\file.exe" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GHIJJEGDBFII" & exit
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\timeout.exe | timeout /t 10

Domains

Name | IP | Malicious
steamcommunity.com | 23.194.234.100 | malicious

IPs

IP | Domain | Country | Malicious
23.194.234.100 | steamcommunity.com | United States | malicious
95.217.240.101 | unknown | Germany

Registry

Path | Value | Malicious
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | {40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214EF-0000-0000-C000-000000000046} 0xFFFF
