IOC Report
KEQprG0zDB.exe


Files

File Path | Type | Category | Malicious
KEQprG0zDB.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\ProgramData\BGIIDAEBGCAAECAKFHII | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1 | dropped |
C:\ProgramData\EBGIEGCFHCFHIDHIJECA | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2 | dropped |
C:\ProgramData\GDHIEHJEBAAFIDHJEBGIEBFIJK | SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6 | dropped |
C:\ProgramData\GHJDBAKE | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8 | dropped |
C:\ProgramData\IIJDBAKKKFBFHIDGIIEHIDBGCA | SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7 | dropped |
C:\ProgramData\KJDGIJEC | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3 | dropped |
C:\ProgramData\freebl3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\ProgramData\mozglue.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\ProgramData\msvcp140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped |
C:\ProgramData\nss3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\ProgramData\softokn3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\ProgramData\vcruntime140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\softokn3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\KEQprG0zDB.exe | "C:\Users\user\Desktop\KEQprG0zDB.exe" | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" | malicious

URLs

Name | IP | Malicious
http://217.138.215.82/ec72081014d386e4/vcruntime140.dll | 217.138.215.82 | malicious
http://217.138.215.82/ | 217.138.215.82 | malicious
http://217.138.215.82/ec72081014d386e4/softokn3.dll | 217.138.215.82 | malicious
http://217.138.215.82/ec72081014d386e4/mozglue.dll | 217.138.215.82 | malicious
http://217.138.215.82/ec72081014d386e4/nss3.dll | 217.138.215.82 | malicious
http://217.138.215.82/ec72081014d386e4/freebl3.dll | 217.138.215.82 | malicious
http://217.138.215.82 | unknown | malicious
http://217.138.215.82/ec72081014d386e4/sqlite3.dll | 217.138.215.82 | malicious
http://217.138.215.82/ec72081014d386e4/msvcp140.dll | 217.138.215.82 | malicious
http://217.138.215.82/8c77d85de581124b.php | 217.138.215.82 | malicious
http://217.138.2 | unknown | malicious