IOC Report
file.exe


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| file.exe | PE32 executable (console) Intel 80386, for MS Windows | initial sample | malicious |
| C:\ProgramData\BFHJECAAAFHIJKFIJEGC | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1 | dropped | |
| C:\ProgramData\BGCBGCAFIIECBFIDHIJKFBAKEG | SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7 | dropped | |
| C:\ProgramData\BGIDBKKKKKFBGDGDHIDB | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1 | dropped | |
| C:\ProgramData\DAFBGHCAKKFCAKEBKJKKFBAFCB | SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5 | dropped | |
| C:\ProgramData\GCBKFBFC | SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1 | dropped | |
| C:\ProgramData\GHDHJEBF | SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1 | dropped | |
| C:\ProgramData\IIEHCFID | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7 | dropped | |
| C:\ProgramData\IIEHCFIDHIDGIDHJEHIDAECFHD | SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3 | dropped | |
| C:\ProgramData\IJKKEHJD | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3 | dropped | |
| C:\ProgramData\JDAKJJDBGCAKKFHIJEGHCGHJKJ | SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2 | dropped | |
| C:\ProgramData\freebl3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\ProgramData\mozglue.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\ProgramData\msvcp140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| C:\ProgramData\nss3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\ProgramData\softokn3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\ProgramData\vcruntime140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\freebl3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\mozglue[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\msvcp140[1].dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\nss3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\softokn3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\vcruntime140[1].dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\76561199673019888[1].htm | HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\sqln[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm | data | dropped | |
| C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm | data | dropped | |

17 further files are hidden in this export and are not listed here.

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\file.exe | "C:\Users\user\Desktop\file.exe" | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | malicious |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |

URLs

| Name | IP | Malicious |
|---|---|---|
| https://duckduckgo.com/chrome_newtab | unknown | |
| https://player.vimeo.com | unknown | |
| https://duckduckgo.com/ac/?q= | unknown | |
| https://37.27.87.155/nd-point:M | unknown | |
| https://steamcommunity.com/login/home/?goto=profiles%2F76561199673019888 | unknown | |
| https://steamcommunity.com/?subsection=broadcasts | unknown | |
| https://37.27.87.155/RHV | unknown | |
| https://37.27.87.155/sqln.dll | 37.27.87.155 | |
| https://store.steampowered.com/subscriber_agreement/ | unknown | |
| https://www.gstatic.cn/recaptcha/ | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl | unknown | |
| https://37.27.87.155/lV | unknown | |
| http://www.valvesoftware.com/legal.htm | unknown | |
| https://www.youtube.com | unknown | |
| https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | unknown | |
| https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | unknown | |
| https://www.google.com | unknown | |
| https://37.27.87.155/msvcp140.dllQ | unknown | |
| https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | unknown | |
| https://37.27.87.155/softokn3.dll | 37.27.87.155 | |
| https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english | unknown | |
| https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english | unknown | |
| https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en | unknown | |
| https://steamcommunity.com/profiles/76561199673019888J | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | unknown | |
| https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am | unknown | |
| https://s.ytimg.com; | unknown | |
| https://steam.tv/ | unknown | |
| https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=Kg_v7CMM | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jU8h8CqVh6FY&l=e | unknown | |
| http://www.mozilla.com/en-US/blocklist/ | unknown | |
| https://37.27.87.155/nss3.dll | 37.27.87.155 | |
| https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english | unknown | |
| https://mozilla.org0/ | unknown | |
| https://37.27.87.155/vcruntime140.dllx | unknown | |
| https://37.27.87.155/vcruntime140.dll | 37.27.87.155 | |
| https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=BMF068jICwP9& | unknown | |
| http://store.steampowered.com/privacy_agreement/ | unknown | |
| https://store.steampowered.com/points/shop/ | unknown | |
| https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | unknown | |
| https://sketchfab.com | unknown | |
| https://steamcommunity.com/profiles/76561199673019888/badges | unknown | |
| https://www.ecosia.org/newtab/ | unknown | |
| https://lv.queniujq.cn | unknown | |
| https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | unknown | |
| https://www.youtube.com/ | unknown | |
| https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | unknown | |
| https://store.steampowered.com/privacy_agreement/ | unknown | |
| https://37.27.87.155/DV | unknown | |
| https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | unknown | |
| https://37.27.87.155/msvcp140.dll | 37.27.87.155 | |
| https://37.27.87.155NT | unknown | |
| https://www.google.com/recaptcha/ | unknown | |
| https://37.27.87.155/ | 37.27.87.155 | |
| https://checkout.steampowered.com/ | unknown | |
| https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english | unknown | |
| https://37.27.87.155/df | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english | unknown | |
| https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | unknown | |
| https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | unknown | |
| https://store.steampowered.com/; | unknown | |
| https://store.steampowered.com/about/ | unknown | |
| https://steamcommunity.com/my/wishlist/ | unknown | |
| https://t.me/irfailAt | unknown | |
| https://37.27.87.155/freebl3.dll | 37.27.87.155 | |
| https://help.steampowered.com/en/ | unknown | |
| https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ | unknown | |
| https://steamcommunity.com/market/ | unknown | |
| https://store.steampowered.com/news/ | unknown | |
| https://community.akamai.steamstatic.com/ | unknown | |
| https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | unknown | |
| http://store.steampowered.com/subscriber_agreement/ | unknown | |
| https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | unknown | |
| https://recaptcha.net/recaptcha/; | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en | unknown | |
| https://steamcommunity.com/discussions/ | unknown | |
| https://store.steampowered.com/stats/ | unknown | |
| https://medal.tv | unknown | |
| https://broadcast.st.dl.eccdnx.com | unknown | |
| https://37.27.87.155/of | unknown | |
| https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | unknown | |
| https://store.steampowered.com/steam_refunds/ | unknown | |
| https://37.27.87.155GDBAF | unknown | |
| https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | unknown | |
| https://37.27.87.155/ontdesk | unknown | |
| https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=96N66CvLHly8&a | unknown | |
| https://steamcommunity.com/workshop/ | unknown | |
| https://login.steampowered.com/ | unknown | |
| https://t.me/irfail | unknown | |
| https://37.27.87.155/B | unknown | |
| https://store.steampowered.com/legal/ | unknown | |
| https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e | unknown | |
| http://www.sqlite.org/copyright.html. | unknown | |
| https://37.27.87.155/mozglue.dll3 | unknown | |
| https://37.27.87.155/w | unknown | |
| https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv | unknown | |

90 further URLs are hidden in this export and are not listed here.

Domains

| Name | IP | Malicious |
|---|---|---|
| steamcommunity.com | 23.76.43.59 | |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 37.27.87.155 | unknown | Iran (Islamic Republic of) | |
| 23.76.43.59 | steamcommunity.com | United States | |

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| F4D000 | heap | page read and write | malicious |
| E2D000 | unknown | page read and write | malicious |
| 400000 | remote allocation | page execute and read and write | malicious |
| 10D1E000 | stack | page read and write | |
| CFC000 | stack | page read and write | |
| 6D0000 | heap | page read and write | |
| 19A7E000 | stack | page read and write | |
| D7E000 | stack | page read and write | |
| D3E000 | stack | page read and write | |
| 13420000 | heap | page read and write | |
| 6D09E000 | unknown | page read and write | |
| 6D011000 | unknown | page execute read | |
| 6D290000 | unknown | page read and write | |
| 99AE000 | stack | page read and write | |
| 8AE000 | heap | page read and write | |
| 790000 | heap | page read and write | |
| 8AA000 | heap | page read and write | |
| 118E000 | heap | page read and write | |
| 19B80000 | heap | page read and write | |
| 13675000 | heap | page read and write | |
| C02D000 | stack | page read and write | |
| C06D000 | stack | page read and write | |
| 70EF000 | stack | page read and write | |
| 93C000 | stack | page read and write | |
| 6D08D000 | unknown | page readonly | |
| 514000 | remote allocation | page execute and read and write | |
| E01000 | unknown | page execute read | |
| 9AAF000 | stack | page read and write | |
| 9A0000 | heap | page read and write | |
| CF8000 | stack | page read and write | |
| 1367C000 | heap | page read and write | |
| 13883000 | heap | page read and write | |
| 133CC000 | stack | page read and write | |
| FCD000 | heap | page read and write | |
| 105A000 | heap | page read and write | |
| 6D0A2000 | unknown | page readonly | |
| E23000 | unknown | page readonly | |
| 6EDF1000 | unknown | page execute read | |
| FE3000 | heap | page read and write | |
| 962E000 | stack | page read and write | |
| 8A0000 | heap | page read and write | |
| 51A000 | remote allocation | page execute and read and write | |
| E63000 | unknown | page readonly | |
| 9E0000 | heap | page read and write | |
| 6EDF0000 | unknown | page readonly | |
| E00000 | unknown | page readonly | |
| 6D295000 | unknown | page readonly | |
| D90000 | heap | page read and write | |
| 1111000 | heap | page read and write | |
| 197EF000 | direct allocation | page readonly | |
| E01000 | unknown | page execute read | |
| 103A000 | heap | page read and write | |
| F1F000 | heap | page read and write | |
| E5AC000 | stack | page read and write | |
| 6EE06000 | unknown | page readonly | |
| A9F000 | stack | page read and write | |
| 19BF1000 | heap | page read and write | |
| 6EE0F000 | unknown | page readonly | |
| E00000 | unknown | page readonly | |
| 2590000 | heap | page read and write | |
| E23000 | unknown | page readonly | |
| 1982F000 | direct allocation | page readonly | |
| 13881000 | heap | page read and write | |
| 558000 | remote allocation | page execute and read and write | |
| 75E000 | stack | page read and write | |
| 6D28F000 | unknown | page write copy | |
| 6D0B0000 | unknown | page readonly | |
| 6D28E000 | unknown | page read and write | |
| 9EA000 | heap | page read and write | |
| E5FE000 | stack | page read and write | |
| CF3000 | stack | page read and write | |
| 195E8000 | direct allocation | page execute read | |
| 10F1000 | heap | page read and write | |
| 132CB000 | stack | page read and write | |
| 511000 | remote allocation | page execute and read and write | |
| E62000 | unknown | page read and write | |
| 1353A000 | heap | page read and write | |
| CEB000 | stack | page read and write | |
| E6FF000 | stack | page read and write | |
| 1982A000 | direct allocation | page readonly | |
| ED0000 | heap | page read and write | |
| E63000 | unknown | page readonly | |
| 6EE0D000 | unknown | page read and write | |
| 1C2CF000 | stack | page read and write | |
| E61000 | unknown | page execute and read and write | |
| CEF000 | stack | page read and write | |
| 137BC000 | heap | page read and write | |
| 71E000 | stack | page read and write | |
| 197F8000 | direct allocation | page readonly | |
| 3F0000 | heap | page read and write | |
| 1325F000 | stack | page read and write | |
| 39D000 | stack | page read and write | |
| 19B85000 | heap | page read and write | |
| 6D010000 | unknown | page readonly | |
| 1982D000 | direct allocation | page readonly | |
| FBF000 | heap | page read and write | |
| 19822000 | direct allocation | page read and write | |
| 195E0000 | direct allocation | page execute and read and write | |
| 13430000 | heap | page read and write | |
| 101D000 | heap | page read and write | |
| 6D24F000 | unknown | page readonly | |
| 63F000 | remote allocation | page execute and read and write | |
| E2D000 | unknown | page write copy | |
| 89F000 | stack | page read and write | |
| 434000 | remote allocation | page execute and read and write | |
| 19C04000 | heap | page read and write | |
| DB0000 | heap | page read and write | |
| 9AEE000 | stack | page read and write | |
| 137DA000 | heap | page read and write | |
| 195E1000 | direct allocation | page execute read | |
| 10C8D000 | stack | page read and write | |
| DB5000 | heap | page read and write | |
| 5F1000 | remote allocation | page execute and read and write | |
| 29C000 | stack | page read and write | |
| F42000 | heap | page read and write | |
| 19746000 | direct allocation | page execute read | |
| 6D0B1000 | unknown | page execute read | |
| 9B0000 | heap | page read and write | |
| 13270000 | heap | page read and write | |
| EDA000 | heap | page read and write | |
| 197ED000 | direct allocation | page execute read | |
| 1132000 | heap | page read and write | |
| E74E000 | stack | page read and write | |

113 further memdumps are hidden in this export and are not listed here.