IOCReport

Files

File Path | Type | Category | Malicious
SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Feb 19 10:48:36 2021, Security: 0 | initial sample | malicious
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History.bak | SQLite 3.x database, last written using SQLite version 3032001 | dropped | malicious
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak | SQLite 3.x database, last written using SQLite version 3032001 | dropped | malicious
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak | SQLite 3.x database, last written using SQLite version 3032001 | dropped | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | downloaded | malicious
C:\Users\user\BASE.BABAA | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | malicious
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | Microsoft Cabinet archive data, 59134 bytes, 1 file | dropped | clean
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | data | dropped | clean
C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State.bak | ASCII text, with very long lines, with no line terminators | dropped | clean
C:\Users\user\AppData\Local\Temp\40DE0000 | data | dropped | clean
C:\Users\user\AppData\Local\Temp\CabE466.tmp | Microsoft Cabinet archive data, 59134 bytes, 1 file | dropped | clean
C:\Users\user\AppData\Local\Temp\TarE467.tmp | data | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sat Feb 20 09:03:39 2021, atime=Sat Feb 20 09:03:39 2021, length=8192, window=hide | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.Siggen3.10350.15803.LNK | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Feb 20 09:03:26 2021, mtime=Sat Feb 20 09:03:39 2021, atime=Sat Feb 20 09:03:39 2021, length=168448, window=hide | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Roaming\QNetMonitor7737977537\SecurityPreloadState.txt | ASCII text, with very long lines, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Roaming\QNetMonitor7737977537\cn\aexsxmcq.txt | data | modified | clean
C:\Users\user\AppData\Roaming\QNetMonitor7737977537\en-EN\pwgrab64 | data | dropped | clean
C:\Users\user\Desktop\D3DE0000 | Applesoft BASIC program data, first line number 16 | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding | malicious
C:\Windows\System32\rundll32.exe | rundll32 ..\BASE.BABAA,DllRegisterServer | malicious
C:\Windows\SysWOW64\rundll32.exe | rundll32 ..\BASE.BABAA,DllRegisterServer | malicious
C:\Windows\System32\wermgr.exe | C:\Windows\system32\wermgr.exe | malicious
C:\Windows\System32\wermgr.exe | C:\Windows\system32\wermgr.exe | malicious
C:\Windows\System32\rundll32.exe | C:\Windows\system32\rundll32.EXE 'C:\Users\user\AppData\Roaming\QNetMonitor7737977537\rpBASEtx.rrd',DllRegisterServer | malicious
C:\Windows\System32\svchost.exe | C:\Windows\system32\svchost.exe | malicious
C:\Windows\System32\taskeng.exe | taskeng.exe {DA6299CA-95CA-4E9D-8945-2CC05321254C} S-1-5-18:NT AUTHORITY\System:Service: | clean

URLs

Name | IP | Malicious
http://www.chipmania.it/mails/open.php | 185.81.0.78 | malicious
https://116.68.162.92:443/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/83/ | 116.68.162.92 | malicious
http://www.windows.com/pctv. | unknown | clean
http://109.69.4.201:443 | unknown | clean
http://123.231.180.130:443 | unknown | clean
http://investor.msn.com | unknown | clean
http://www.msnbc.com/news/ticker.txt | unknown | clean
https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST//3 | unknown | clean
http://crl.entrust.net/server1.crl0 | unknown | clean
http://ocsp.entrust.net03 | unknown | clean
http://116.68.162.92:443 | unknown | clean
http://crl.use | unknown | clean
https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/o | unknown | clean
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | unknown | clean
http://www.diginotar.nl/cps/pkioverheid0 | unknown | clean
https://185.109.54.99:447/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/5/pwgrab64/ | unknown | clean
https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST// | unknown | clean
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | unknown | clean
http://www.hotmail.com/oe | unknown | clean
http://190.239.34.181:443 | unknown | clean
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | unknown | clean
https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DPST//W | unknown | clean
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | unknown | clean
http://www.icra.org/vocabulary/. | unknown | clean
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | unknown | clean
Https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/bnfhZJn91PhwAc8eqCIkI2c | unknown | clean
https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/U | unknown | clean
https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/1/rznnTbpNFJV19x1x/ | unknown | clean
http://154.0.134.130:443 | unknown | clean
http://187.95.136.38:443 | unknown | clean
http://investor.msn.com/ | unknown | clean
http://logo.veri | unknown | clean
http://www.%s.comPA | unknown | clean
https://193.8.194.96/rob60/813435_W617601.8B73F080286CDBB0F9B96995D4E87F7B/64/pwgrab/DEBG//e | unknown | clean
http://ocsp.entrust.net0D | unknown | clean
http://wtfismyip.com/text | 95.217.228.176 | clean
https://secure.comodo.com/CPS0 | unknown | clean