IOCReport


Files

File Path | Type | Category | Malicious
Complaint-1091191320-02182021.xls | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: Friner, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Feb 18 13:41:44 2021, Security: 0 | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\suspendedpage[1].htm | HTML document, ASCII text | downloaded | clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\suspendedpage[1].htm | HTML document, UTF-8 Unicode text, with CRLF line terminators | downloaded | clean
C:\Users\user\AppData\Local\Temp\FCCE0000 | data | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Complaint-1091191320-02182021.LNK | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Tue Feb 23 05:50:37 2021, atime=Tue Feb 23 05:50:37 2021, length=58880, window=hide | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Feb 23 05:50:37 2021, atime=Tue Feb 23 05:50:37 2021, length=8192, window=hide | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\Desktop\8DCE0000 | Applesoft BASIC program data, first line number 16 | dropped | clean
C:\Users\user\JDFR.hdfgr1 | HTML document, UTF-8 Unicode text, with CRLF line terminators | dropped | clean
C:\Users\user\JDFR.hdfgr4 | HTML document, ASCII text | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding | malicious
C:\Windows\System32\rundll32.exe | rundll32 ..\JDFR.hdfgr,DllRegisterServer | malicious
C:\Windows\System32\rundll32.exe | rundll32 ..\JDFR.hdfgr1,DllRegisterServer | malicious
C:\Windows\System32\rundll32.exe | rundll32 ..\JDFR.hdfgr2,DllRegisterServer | malicious
C:\Windows\System32\rundll32.exe | rundll32 ..\JDFR.hdfgr3,DllRegisterServer | malicious
C:\Windows\System32\rundll32.exe | rundll32 ..\JDFR.hdfgr4,DllRegisterServer | malicious

URLs

Name | IP | Malicious
http://chandni.pk/cgi-sys/suspendedpage.cgi | 192.185.16.95 | malicious
http://batikentklinik.com/qtuofsxtov/44249951829861100000.dat | 2.59.117.215 | malicious
http://7ruzezendegi.com/samsgtlfwzt/44249951829861100000.dat | 185.159.153.72 | malicious
http://7ruzezendegi.com/cgi-sys/suspendedpage.cgi | 185.159.153.72 | malicious
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | unknown | clean
http://www.windows.com/pctv. | unknown | clean
http://investor.msn.com | unknown | clean
http://www.msnbc.com/news/ticker.txt | unknown | clean
http://www.icra.org/vocabulary/. | unknown | clean
http://investor.msn.com/ | unknown | clean
http://chandni.pk/ictrljsfuh/44249951829861100000.dat | 192.185.16.95 | clean
http://dindorf.com.ar/ntpnttfypqs/44249951829861100000.dat | 181.88.192.136 | clean
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | unknown | clean
http://www.hotmail.com/oe | unknown | clean

Domains

Name | IP | Malicious
dindorf.com.ar | 181.88.192.136 | clean
batikentklinik.com | 2.59.117.215 | clean
chandni.pk | 192.185.16.95 | clean
miaovideo.com | 112.125.131.128 | clean
7ruzezendegi.com | 185.159.153.72 | clean

IPs

IP | Domain | Country | Active | Malicious
185.159.153.72 | unknown | Iran (ISLAMIC Republic Of) | unknown | clean
181.88.192.136 | unknown | Argentina | unknown | clean
112.125.131.128 | unknown | China | unknown | clean
2.59.117.215 | unknown | Turkey | unknown | clean
192.185.16.95 | unknown | United States | unknown | clean

Registry

Path | Value | Malicious
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | )'4 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | MTTT | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | ReviewToken | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | EC996 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | VBAFiles | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | DefaultSheetR2L | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | UseSystemSeparators | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | ThousandsSeparator | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | DecimalSeparator | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Max Display | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Max Display | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 1 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 2 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 3 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 4 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 5 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 6 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 7 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 8 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 9 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 10 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 11 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 12 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 13 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 14 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 15 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 16 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 17 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 18 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 19 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 20 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | ECBC8 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | ECC92 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Max Display | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Max Display | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 1 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 2 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 3 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 4 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 5 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 6 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 7 | clean
C:\Program Files\Microsoft Office\Office14\EXCEL.EXE