IOCReport


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| `document-1915351743.xls` | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Feb 18 09:52:57 2021, Security: 0 | initial sample | malicious |
| `C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif` | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | downloaded | malicious |
| `C:\Users\user\idefje.ekfd` | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | dropped | malicious |
| `C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506` | Microsoft Cabinet archive data, 59134 bytes, 1 file | dropped | clean |
| `C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506` | data | dropped | clean |
| `C:\Users\user\AppData\Local\Temp\Cab742.tmp` | Microsoft Cabinet archive data, 59134 bytes, 1 file | dropped | clean |
| `C:\Users\user\AppData\Local\Temp\ECFE0000` | data | dropped | clean |
| `C:\Users\user\AppData\Local\Temp\Tar743.tmp` | data | dropped | clean |
| `C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK` | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Feb 23 03:13:50 2021, atime=Tue Feb 23 03:13:50 2021, length=8192, window=hide | dropped | clean |
| `C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-1915351743.LNK` | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Tue Feb 23 03:13:50 2021, atime=Tue Feb 23 03:13:50 2021, length=90112, window=hide | dropped | clean |
| `C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat` | ASCII text, with CRLF line terminators | dropped | clean |
| `C:\Users\user\Desktop\ADFE0000` | Applesoft BASIC program data, first line number 16 | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| `C:\Program Files\Microsoft Office\Office14\EXCEL.EXE` | `'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding` | malicious |
| `C:\Windows\System32\rundll32.exe` | `rundll32 ..\idefje.ekfd,DllRegisterServer` | malicious |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://oskolko.uno/ | 206.189.10.247 | malicious |
| https://twitter.com/awscloud | unknown | clean |
| https://a0.awsstatic.com/libra-css/images/logo | unknown | clean |
| https://a0.awsstatic.com/libra/1.0.373/libra-head.js | unknown | clean |
| https://amazon.com/Y | unknown | clean |
| https://aws.amazon.com/terms/?nc1=f_pr | unknown | clean |
| https://dc.ads.linkedin.com/collect/?pid=3038&fmt=gif | unknown | clean |
| https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html | unknown | clean |
| https://aws.amazon.com/cn/ | unknown | clean |
| http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | unknown | clean |
| http://www.diginotar.nl/cps/pkioverheid0 | unknown | clean |
| https://a0.awsstatic.com/libra-css/images | unknown | clean |
| https://a0.awsstatic.com/target/1.0.112/aws-target-mediator.js | unknown | clean |
| https://a0.awsstatic.com/psf/null | unknown | clean |
| https://aws.amazon.com/ar/ | unknown | clean |
| https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom | unknown | clean |
| https://pages.awscloud.com/zillow-case-study?hp=tile&story=zllw | unknown | clean |
| https://pages.awscloud.com/communication-preferences?trk=homepage | unknown | clean |
| http://ocsp.rootg2.amazontrust.com08 | unknown | clean |
| https://aws.amazon.com/cn/?nc1=h_ls | unknown | clean |
| https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&src=default | unknown | clean |
| https://aws.amazon.com/ru/ | unknown | clean |
| https://aws.amazon.com/tw/?nc1=h_ls | unknown | clean |
| https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser | unknown | clean |
| https://i18n-string.us-west-2.prod.pricing.aws.a2z.com | unknown | clean |
| https://aws.amazon.com/ko/ | unknown | clean |
| https://aws.amazon.com/ru/?nc1=h_ls | unknown | clean |
| https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico | unknown | clean |
| https://aws.amazon.com/es/ | unknown | clean |
| http://crl.sca1b.amazontrust.com/sca1b.crl0 | unknown | clean |
| https://docs.aws.amazon.com/index.html?nc2=h_ql_doc | unknown | clean |
| https://aws.amazon.com/ar/?nc1=h_ls | unknown | clean |
| https://a0.awsstatic.com/libra-css/css/1.0.373/style-awsm.css | unknown | clean |
| https://aws.amazon.com/th/ | unknown | clean |
| http://www.windows.com/pctv. | unknown | clean |
| https://a0.awsstatic.com/pricing-calculator/js/1.0.2 | unknown | clean |
| https://aws.amazon.com/marketplace/?nc2=h_mo | unknown | clean |
| http://ocsp.sca1b.amazontrust.com06 | unknown | clean |
| http://oskolko.uno/om/ | unknown | clean |
| https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png | unknown | clean |
| https://console.aws.amazon.com/support/home/?nc2=h_ql_cu | unknown | clean |
| http://crl.rootca1.amazontrust.com/rootca1.crl0 | unknown | clean |
| https://aws.amazon.com/search/ | unknown | clean |
| https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential | unknown | clean |
| https://aws.amazon.com/?nc2=h_lg | unknown | clean |
| http://ocsp.rootca1.amazontrust.com0: | unknown | clean |
| https://console.aws.amazon.com/support/home/?nc1=f_dr | unknown | clean |
| https://aws.amazon.com/fr/ | unknown | clean |
| http://windowsmedia.com/redir/services.asp?WMPFriendly=true | unknown | clean |
| https://console.aws.amazon.com/console/home?nc1=f_ct&src=footer-signin-mobile | unknown | clean |
| https://aws.amazon.com/vi/ | unknown | clean |
| https://www.twitch.tv/aws | unknown | clean |
| https://a0.awsstatic.com/aws-blog/1.0.34/js | unknown | clean |
| https://aws.amazon.com/marketplace/?nc2=h_ql_mp | unknown | clean |
| https://aws.amazon.com/search | unknown | clean |
| http://crl.rootg2.amazontrust.com/rootg2.crl0 | unknown | clean |
| http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | unknown | clean |
| https://a0.awsstatic.com/da/js/1.0.47/aws-da.js | unknown | clean |
| https://aws.amazon.com/tw/ | unknown | clean |
| https://aws.amazon.com/tr/?nc1=h_ls | unknown | clean |
| https://console.aws.amazon.com/?nc2=h_m_mc | unknown | clean |
| https://aws.amazon.com/fr/?nc1=h_ls | unknown | clean |
| http://o.ss2.us/0 | unknown | clean |
| https://aws.amazon.com/search/?searchQuery= | unknown | clean |
| https://a0.awsstatic.com/libra-search/1.0.13/js | unknown | clean |