IOC Report
file.exe

Files

File Path | Type | Category | Malicious
file.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\KECBFBAEBKJJ\BFCFBK | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2 | dropped |
C:\ProgramData\KECBFBAEBKJJ\CBAKJE | SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1 | dropped |
C:\ProgramData\KECBFBAEBKJJ\DHDHCG | ASCII text, with very long lines (1717), with CRLF line terminators | dropped |
C:\ProgramData\KECBFBAEBKJJ\DHIDHI | SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3 | dropped |
C:\ProgramData\KECBFBAEBKJJ\DHIDHI-shm | data | dropped |
C:\ProgramData\KECBFBAEBKJJ\FCAAEB | SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7 | dropped |
C:\ProgramData\KECBFBAEBKJJ\FHCGCF | SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1 | dropped |
C:\ProgramData\KECBFBAEBKJJ\FIEGCB | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8 | dropped |
C:\ProgramData\KECBFBAEBKJJ\FIIEHJ | SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6 | dropped |
C:\ProgramData\KECBFBAEBKJJ\HCAEBF | SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2 | dropped |
C:\ProgramData\KECBFBAEBKJJ\HCAEBF-shm | data | dropped |
C:\ProgramData\KECBFBAEBKJJ\IJECAE | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3 | dropped |
C:\ProgramData\KECBFBAEBKJJ\KEGCBF | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1 | dropped |
C:\ProgramData\KECBFBAEBKJJ\freebl3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\ProgramData\KECBFBAEBKJJ\mozglue.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\ProgramData\KECBFBAEBKJJ\msvcp140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped |
C:\ProgramData\KECBFBAEBKJJ\nss3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\ProgramData\KECBFBAEBKJJ\softokn3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\ProgramData\KECBFBAEBKJJ\vcruntime140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\sqls[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\76561199689717899[1].htm | HTML document, Unicode text, UTF-8 text, with very long lines (3063), with CRLF, LF line terminators | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\freebl3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\mozglue[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\msvcp140[1].dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\nss3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\softokn3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\vcruntime140[1].dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\file.exe | "C:\Users\user\Desktop\file.exe" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | malicious
C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KECBFBAEBKJJ" & exit |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\SysWOW64\timeout.exe | timeout /t 10 |

URLs


Domains

Name | IP | Malicious
steamcommunity.com | 104.102.42.29 | malicious

IPs

IP | Domain | Country | Malicious
104.102.42.29 | steamcommunity.com | United States | malicious
65.109.242.59 | unknown | United States |

Registry

Path | Value | Malicious
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | {40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214EF-0000-0000-C000-000000000046} 0xFFFF |

Memdumps
