IOC Report
qlI3ReINCV.exe


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| qlI3ReINCV.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\ProgramData\freebl3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\ProgramData\mozglue.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\ProgramData\nss3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\ProgramData\softokn3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\LedgerUpdater[1].exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\DBFHCGCGDA.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\ProgramData\AAKEGDAK | SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2 | dropped | |
| C:\ProgramData\BFBFBFIIJDAKECAKKJEH | ASCII text, with very long lines (1809), with CRLF line terminators | dropped | |
| C:\ProgramData\FBFHJJJDAFBKEBGDGHCGDBKJEC | SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2 | dropped | |
| C:\ProgramData\HIDAKFIJJKJJJKEBKJEH | SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1 | dropped | |
| C:\ProgramData\JDGCFBAF | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3 | dropped | |
| C:\ProgramData\JDGIIDHJEBGIDHJJDBKEHCAAAF | SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3 | dropped | |
| C:\ProgramData\KKFBAAFCGIEGDHIEBFII | SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1 | dropped | |
| C:\ProgramData\msvcp140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| C:\ProgramData\vcruntime140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DBFHCGCGDA.exe.log | CSV text | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\json[1].json | JSON data | dropped | |
| C:\Users\user\AppData\Local\ledger_timestamp | ASCII text, with no line terminators | dropped | |
| C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm | data | dropped | |
| C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm | data | dropped | |
| Chrome Cache Entry: 77 | ASCII text, with very long lines (7928) | downloaded | |
| Chrome Cache Entry: 78 | ASCII text, with very long lines (2586) | downloaded | |
| Chrome Cache Entry: 79 | ASCII text | downloaded | |
| Chrome Cache Entry: 80 | ASCII text, with very long lines (65531) | downloaded | |
| Chrome Cache Entry: 81 | ASCII text, with very long lines (1302) | downloaded | |
| Chrome Cache Entry: 82 | ASCII text, with very long lines (5162), with no line terminators | downloaded | |
| Chrome Cache Entry: 83 | SVG Scalable Vector Graphics image | downloaded | |
| \Device\Null | ASCII text, with CRLF line terminators | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\qlI3ReINCV.exe | "C:\Users\user\Desktop\qlI3ReINCV.exe" | malicious |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" | malicious |
| C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3028 --field-trial-handle=2236,i,11332820353393663667,15480934144007943570,262144 /prefetch:8 | malicious |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Roaming\DBFHCGCGDA.exe" | malicious |
| C:\Users\user\AppData\Roaming\DBFHCGCGDA.exe | "C:\Users\user\AppData\Roaming\DBFHCGCGDA.exe" | malicious |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\user\AppData\Roaming\DBFHCGCGDA.exe | malicious |
| C:\Windows\SysWOW64\PING.EXE | ping 2.2.2.2 -n 1 -w 3000 | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://62.204.41.163/2c3d53f1da5ea53a/freebl3.dll | 62.204.41.163 | malicious |
| http://62.204.41.163/2c3d53f1da5ea53a/sqlite3.dll | 62.204.41.163 | malicious |
| http://62.204.41.163/2c3d53f1da5ea53a/vcruntime140.dll | 62.204.41.163 | malicious |
| http://62.204.41.163/2c3d53f1da5ea53a/nss3.dll | 62.204.41.163 | malicious |
| http://62.204.41.163/2c3d53f1da5ea53a/mozglue.dll | 62.204.41.163 | malicious |
| http://62.204.41.163/2c3d53f1da5ea53a/msvcp140.dll | 62.204.41.163 | malicious |
| http://62.204.41.163/2c3d53f1da5ea53a/softokn3.dll | 62.204.41.163 | malicious |
| http://62.204.41.163/16fa04073490929d.phpy=----CGIJKJJKEBGHJKFIDGCAult-release | unknown | |
| https://duckduckgo.com/chrome_newtab | unknown | |
| https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | unknown | |
| https://duckduckgo.com/ac/?q= | unknown | |
| http://www.broofa.com | unknown | |
| https://duckduckgo.com/chp | unknown | |
| https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | unknown | |
| http://foo/View/MainWindow.xaml | unknown | |
| https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | unknown | |
| https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | unknown | |
| https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1 | unknown | |
| http://62.204.41.163/ | 62.204.41.163 | |
| http://62.204.41.163/16fa04073490929d.php$ | unknown | |
| https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | unknown | |
| http://62.204.41.1635/LedgerUpdater.exery=----s://support.mozilla.org/kb/customize-firefox-controls- | unknown | |
| https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | unknown | |
| https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe | unknown | |
| https://duckduckgo.com/chpnacl | unknown | |
| http://62.204.41.163 | unknown | |
| http://defaultcontainer/View/MainWindow.xaml | unknown | |
| https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 | 142.250.186.164 | |
| https://apis.google.com | unknown | |
| https://domains.google.com/suggest/flow | unknown | |
| https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94 | unknown | |
| http://defaultcontainer/View/MainWindow.xamld | unknown | |
| http://www.sqlite.org/copyright.html. | unknown | |
| http://www.mozilla.com/en-US/blocklist/ | unknown | |
| https://mozilla.org0/ | unknown | |
| http://62.204.41.163/16fa04073490929d.php | 62.204.41.163 | |
| https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg | unknown | |
| https://www.google.com/images/branding/product/ico/googleg_lodp.ico | unknown | |
| http://foo/View/MainWindow.xamld | unknown | |
| http://62.204.41.163/2c3d53f1da5ea53a/nss3.dll7( | unknown | |
| https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | unknown | |
| https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta | unknown | |
| https://www.google.com/async/newtab_promos | 142.250.186.164 | |
| http://176.113.115.215/LedgerUpdater.exe | 176.113.115.215 | |
| https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | unknown | |
| https://www.ecosia.org/newtab/ | unknown | |
| https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | unknown | |
| http://62.204.41.163/2c3d53f1da5ea53a/nss3.dll2 | unknown | |
| http://foo/bar/view/mainwindow.bamld | unknown | |
| https://plus.google.com | unknown | |
| http://62.204.41.163/j | unknown | |
| https://ac.ecosia.org/autocomplete?q= | unknown | |
| https://www.google.com/async/ddljson?async=ntp:2 | 142.250.186.164 | |
| https://play.google.com/log?format=json&hasfast=true | 142.250.186.142 | |
| https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw | 142.250.186.164 | |
| https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SGzW6IeCawI.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AACA/rs=AHpOoo-5biO9jua-6zCEovdoDJ8SLzd6sw/cb=gapi.loaded_0 | 216.58.212.142 | |
| https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | unknown | |
| https://api.ipify.orgSSOFTWARE | unknown | |
| https://support.mozilla.org | unknown | |
| https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | unknown | |
| http://62.204.41.163/16fa04073490929d.php14 | unknown | |
| https://clients6.google.com | unknown | |
| http://foo/bar/view/mainwindow.baml | unknown | |

Domains

| Name | IP | Malicious |
|---|---|---|
| plus.l.google.com | 216.58.212.142 | |
| play.google.com | 142.250.186.142 | |
| www.google.com | 142.250.186.164 | |
| apis.google.com | unknown | |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 192.168.2.4 | unknown | unknown | malicious |
| 2.2.2.2 | unknown | France | malicious |
| 62.204.41.163 | unknown | United Kingdom | malicious |
| 216.58.212.142 | plus.l.google.com | United States | |
| 239.255.255.250 | unknown | Reserved | |
| 176.113.115.215 | unknown | Russian Federation | |
| 142.250.186.164 | www.google.com | United States | |
| 142.250.186.142 | play.google.com | United States | |
| 127.0.0.1 | unknown | unknown | |

Memdumps

| Base Address | Regiontype | Protect | Malicious |
|---|---|---|---|