IOC Report
file.exe


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| file.exe | PE32 executable (console) Intel 80386, for MS Windows | initial sample | malicious |
| C:\ProgramData\FCGCGDHJEGHJ\DAKJDA | SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1 | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\DHDHJJ | SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4 | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\EBGCBA | SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7 | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\EBKJDB | SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1 | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\FCGCGD | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1 | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\GCGDGH | ASCII text, with very long lines (1743), with CRLF line terminators | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\HDGIJJ | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1 | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\HIEBAK | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3 | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\JDGCGD | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8 | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\KJKJJJ | SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2 | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\KJKJJJ-shm | data | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\KKJEBA | SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3 | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\KKJEBA-shm | data | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\freebl3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\mozglue.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\msvcp140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\nss3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\softokn3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\ProgramData\FCGCGDHJEGHJ\vcruntime140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqlx[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\76561199686524322[1].htm | HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators | dropped | |
18 further files are not shown in this export.

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\file.exe | "C:\Users\user\Desktop\file.exe" | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCGCGDHJEGHJ" & exit | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\SysWOW64\timeout.exe | timeout /t 10 | |

URLs

| Name | IP | Malicious |
|---|---|---|
| https://95.217.240.101/nss3.dll | 95.217.240.101 | malicious |
| https://95.217.240.101/freebl3.dll | 95.217.240.101 | malicious |
| https://95.217.240.101/softokn3.dlleS | unknown | malicious |
| https://95.217.240.101/softokn3.dll | 95.217.240.101 | malicious |
| https://95.217.240.101/msvcp140.dllsS9 | unknown | malicious |
| https://95.217.240.101/sqlx.dll | 95.217.240.101 | malicious |
| https://steamcommunity.com/profiles/76561199686524322 | 104.102.42.29 | malicious |
| https://duckduckgo.com/chrome_newtab | unknown | |
| https://duckduckgo.com/ac/?q= | unknown | |
| https://steamcommunity.com/?subsection=broadcasts | unknown | |
| https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | unknown | |
| https://store.steampowered.com/subscriber_agreement/ | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl | unknown | |
| http://www.valvesoftware.com/legal.htm | unknown | |
| https://95.217.240.101IDH | unknown | |
| https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | unknown | |
| https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=6MtR | unknown | |
| https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english | unknown | |
| https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6& | unknown | |
| https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english | unknown | |
| https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | unknown | |
| http://www.mozilla.com/en-US/blocklist/ | unknown | |
| https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english | unknown | |
| https://mozilla.org0/ | unknown | |
| https://steamcommunity.com/login/home/?goto=profiles%2F76561199686524322 | unknown | |
| https://www.valvesoftware.com/en/contact?contact-person=Translation%2 | unknown | |
| http://store.steampowered.com/privacy_agreement/ | unknown | |
| http://store.st | unknown | |
| https://store.steampowered.com/points/shop/ | unknown | |
| https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | unknown | |
| https://www.ecosia.org/newtab/ | unknown | |
| https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | unknown | |
| https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | unknown | |
| https://store.steampowered.com/privacy_agreement/ | unknown | |
| https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | unknown | |
| https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | unknown | |
| https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL | unknown | |
| https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english | unknown | |
| https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref | unknown | |
| https://95.217.240.101/freebl3.dllwT= | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english | unknown | |
| https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477 | unknown | |
| https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | unknown | |
| https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | unknown | |
| https://store.steampowered.com/about/ | unknown | |
| https://steamcommunity.com/my/wishlist/ | unknown | |
| https://help.steampowered.com/en/ | unknown | |
| https://steamcommunity.com/market/ | unknown | |
| https://store.steampowered.com/news/ | unknown | |
| https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | unknown | |
| https://95.217.240.101 | unknown | |
| https://95.217.240.101/msvcp140.dll | 95.217.240.101 | |
| https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=5CgcHEsWGAFt&a | unknown | |
| https://steamcommunity.com/tIP | unknown | |
| https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | unknown | |
| http://store.steampowered.com/subscriber_agreement/ | unknown | |
| https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en | unknown | |
| https://steamcommunity.com/discussions/ | unknown | |
| https://store.steampowered.com/stats/ | unknown | |
| https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | unknown | |
| https://store.steampowered.com/steam_refunds/ | unknown | |
| https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | unknown | |
| https://t.me/k0mono | unknown | |
| https://95.217.240.101/D | unknown | |
| https://steamcommunity.com/profiles/76561199686524322/inventory/ | unknown | |
| https://steamcommunity.com/profiles/76561199686524322/badges | unknown | |
| https://steamcommunity.com/workshop/ | unknown | |
| https://95.217.240.101/O | unknown | |
| https://store.steampowered.com/legal/ | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=L3Ed_Gybseku&l=e | unknown | |
| http://www.sqlite.org/copyright.html. | unknown | |
| https://95.217.240.101KEG | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=soQOTmUz | unknown | |
| https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv | unknown | |
| https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl | unknown | |
| https://www.google.com/images/branding/product/ico/googleg_lodp.ico | unknown | |
| https://95.217.240.101/mozglue.dll | 95.217.240.101 | |
| https://store.steampowered.com/ | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw | unknown | |
| https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta | unknown | |
| https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif | unknown | |
| https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh | unknown | |
| https://ac.ecosia.org/autocomplete?q= | unknown | |
| https://95.217.240.101/sqlx.dllI | unknown | |
| https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | unknown | |
| https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | unknown | |
| https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | unknown | |
| https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english | unknown | |
| https://95.217.240.101/vcruntime140.dll | 95.217.240.101 | |
| https://95.217.240.101/msvcp140.dllyS# | unknown | |
| http://store.steampowered.com/account/cookiepreferences/ | unknown | |
| https://store.steampowered.com/mobile | unknown | |
90 further URLs are not shown in this export.

Domains

| Name | IP | Malicious |
|---|---|---|
| steamcommunity.com | 104.102.42.29 | malicious |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 104.102.42.29 | steamcommunity.com | United States | malicious |
| 95.217.240.101 | unknown | Germany | |

Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | {40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214EF-0000-0000-C000-000000000046} 0xFFFF | |

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 400000 | remote allocation | page execute and read and write | malicious |
| EF0000 | heap | page read and write | malicious |
| AD8000 | unknown | page read and write | malicious |
| D45000 | heap | page read and write | |
| D10000 | heap | page read and write | |
| E38E000 | stack | page read and write | |
| 12C5D000 | stack | page read and write | |
| 1B5E6000 | direct allocation | page execute read | |
| E60000 | heap | page read and write | |
| 3FB0000 | heap | page read and write | |
| 160000 | heap | page read and write | |
| 151A2000 | heap | page read and write | |
| 15516000 | heap | page read and write | |
| AB1000 | unknown | page execute read | |
| 1B79D000 | heap | page read and write | |
| 1B480000 | direct allocation | page execute and read and write | |
| 2580000 | heap | page read and write | |
| 243DC000 | stack | page read and write | |
| 63F000 | remote allocation | page execute and read and write | |
| 1660000 | heap | page read and write | |
| 60B000 | remote allocation | page execute and read and write | |
| 254F000 | stack | page read and write | |
| 52E000 | remote allocation | page execute and read and write | |
| F67000 | heap | page read and write | |
| 10F4000 | heap | page read and write | |
| D65000 | heap | page read and write | |
| AB1000 | unknown | page execute read | |
| 2451B000 | stack | page read and write | |
| 1B6CA000 | direct allocation | page readonly | |
| 1081E000 | stack | page read and write | |
| 1E1EF000 | stack | page read and write | |
| 2588000 | heap | page read and write | |
| 6C83E000 | unknown | page read and write | |
| 6C842000 | unknown | page readonly | |
| FB5000 | heap | page read and write | |
| 52B000 | remote allocation | page execute and read and write | |
| 1B488000 | direct allocation | page execute read | |
| 1567B000 | heap | page read and write | |
| 150000 | heap | page read and write | |
| 6C9EF000 | unknown | page readonly | |
| E21F000 | stack | page read and write | |
| E0BC000 | stack | page read and write | |
| 1105000 | heap | page read and write | |
| 1B6CF000 | direct allocation | page readonly | |
| 534000 | remote allocation | page execute and read and write | |
| 6CA30000 | unknown | page read and write | |
| 933E000 | stack | page read and write | |
| 1490000 | direct allocation | page execute and read and write | |
| 19D0000 | heap | page read and write | |
| 153CF000 | heap | page read and write | |
| EC2000 | heap | page read and write | |
| 9D0000 | heap | page read and write | |
| 6C850000 | unknown | page readonly | |
| 1526C000 | stack | page read and write | |
| ACE000 | unknown | page readonly | |
| 1400000 | heap | page read and write | |
| 15EE000 | stack | page read and write | |
| 1B698000 | direct allocation | page readonly | |
| 15120000 | heap | page read and write | |
| 107CF000 | stack | page read and write | |
| E11E000 | stack | page read and write | |
| D60000 | heap | page read and write | |
| EE3000 | heap | page read and write | |
| 1062000 | heap | page read and write | |
| E258000 | heap | page read and write | |
| 6C7B0000 | unknown | page readonly | |
| 166E000 | heap | page read and write | |
| D40000 | heap | page read and write | |
| AD8000 | unknown | page write copy | |
| 15500000 | heap | page read and write | |
| 6C7B1000 | unknown | page execute read | |
| ACE000 | unknown | page readonly | |
| CEE000 | stack | page read and write | |
| 1510F000 | stack | page read and write | |
| 250E000 | stack | page read and write | |
| 185F000 | stack | page read and write | |
| 6CA2F000 | unknown | page write copy | |
| 2441B000 | stack | page read and write | |
| 9C000 | stack | page read and write | |
| 242DC000 | stack | page read and write | |
| E40000 | heap | page read and write | |
| 1B6CD000 | direct allocation | page readonly | |
| 1AE000 | stack | page read and write | |
| 4A7E000 | stack | page read and write | |
| 553000 | remote allocation | page execute and read and write | |
| AB0000 | unknown | page readonly | |
| FCD000 | stack | page read and write | |
| E6A000 | heap | page read and write | |
| FC4000 | heap | page read and write | |
| 166A000 | heap | page read and write | |
| 6C82D000 | unknown | page readonly | |
| DC000 | stack | page read and write | |
| 106E000 | heap | page read and write | |
| B0A000 | unknown | page read and write | |
| 434000 | remote allocation | page execute and read and write | |
| 1536A000 | stack | page read and write | |
| 6EBE000 | stack | page read and write | |
| 140000 | heap | page read and write | |
| 6C851000 | unknown | page execute read | |
| FBF000 | heap | page read and write | |
| 195F000 | stack | page read and write | |
| 9E0000 | heap | page read and write | |
| 97FD000 | stack | page read and write | |
| BC3D000 | stack | page read and write | |
| 1320000 | heap | page read and write | |
| 97BE000 | stack | page read and write | |
| 12CCE000 | stack | page read and write | |
| CEA000 | stack | page read and write | |
| E240000 | heap | page read and write | |
| F43000 | heap | page read and write | |
| 15191000 | heap | page read and write | |
| 15124000 | heap | page read and write | |
| 1B6EE000 | heap | page read and write | |
| CFD000 | stack | page read and write | |
| 14A0000 | heap | page read and write | |
| 1EF000 | stack | page read and write | |
| 148E000 | stack | page read and write | |
| 1B481000 | direct allocation | page execute read | |
| 1B68F000 | direct allocation | page readonly | |
| 100C000 | heap | page read and write | |
| 1565D000 | heap | page read and write | |
| 15722000 | heap | page read and write | |
| FBA000 | heap | page read and write | |
| 1B6C2000 | direct allocation | page read and write | |
| 438000 | remote allocation | page execute and read and write | |
| 12FD000 | stack | page read and write | |
| 6EFE000 | stack | page read and write | |
| 1551D000 | heap | page read and write | |
| 572000 | remote allocation | page execute and read and write | |
| B0D000 | unknown | page readonly | |
| BC7B000 | stack | page read and write | |
| 15724000 | heap | page read and write | |
| 104A000 | heap | page read and write | |
| B0D000 | unknown | page readonly | |
| CF2000 | stack | page read and write | |
| 1B68D000 | direct allocation | page execute read | |
| 6CA35000 | unknown | page readonly | |
| AB0000 | unknown | page readonly | |
| 6CA2E000 | unknown | page read and write | |
| 43C000 | remote allocation | page execute and read and write | |
| 96C000 | stack | page read and write | |
| 154AE000 | stack | page read and write | |
| 96BE000 | stack | page read and write | |
133 further memdumps are not shown in this export.