IOCReport


Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| Complaint_Letter_1186814227-02192021.xls | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: Friner, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Feb 19 09:43:01 2021, Security: 0 | initial sample | malicious |
| C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | Microsoft Cabinet archive data, 59134 bytes, 1 file | dropped | clean |
| C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A | data | dropped | clean |
| C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | data | dropped | clean |
| C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A | data | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44250678185879600000[1].htm | HTML document, ASCII text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Local\Temp\B1CE0000 | data | dropped | clean |
| C:\Users\user\AppData\Local\Temp\CabD164.tmp | Microsoft Cabinet archive data, 59134 bytes, 1 file | dropped | clean |
| C:\Users\user\AppData\Local\Temp\TarD165.tmp | data | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Complaint_Letter_1186814227-02192021.LNK | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Tue Feb 23 23:16:35 2021, atime=Tue Feb 23 23:16:35 2021, length=57856, window=hide | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Feb 23 23:16:35 2021, atime=Tue Feb 23 23:16:35 2021, length=8192, window=hide | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat | ASCII text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\05Q27A4H.txt | ASCII text | downloaded | clean |
| C:\Users\user\Desktop\72CE0000 | Applesoft BASIC program data, first line number 16 | dropped | clean |

4 further files are not shown in this extract.

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding | malicious |
| C:\Windows\System32\rundll32.exe | rundll32 ..\KLSD.ggsso,DllRegisterServer | malicious |
| C:\Windows\System32\rundll32.exe | rundll32 ..\KLSD.ggsso1,DllRegisterServer | malicious |
| C:\Windows\System32\rundll32.exe | rundll32 ..\KLSD.ggsso2,DllRegisterServer | malicious |
| C:\Windows\System32\rundll32.exe | rundll32 ..\KLSD.ggsso3,DllRegisterServer | malicious |
| C:\Windows\System32\rundll32.exe | rundll32 ..\KLSD.ggsso4,DllRegisterServer | malicious |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | unknown | clean |
| http://www.windows.com/pctv. | unknown | clean |
| http://jayshreewoods.com/gvazzbwlvyk/44250678185879600000.dat | 13.126.100.34 | clean |
| http://investor.msn.com | unknown | clean |
| http://www.msnbc.com/news/ticker.txt | unknown | clean |
| http://sportsmarquee.com/hmffuzbolyio/44250678185879600000.dat | 70.32.104.19 | clean |
| http://www.icra.org/vocabulary/. | unknown | clean |
| http://windowsmedia.com/redir/services.asp?WMPFriendly=true | unknown | clean |
| http://www.hotmail.com/oe | unknown | clean |
| http://investor.msn.com/ | unknown | clean |
| http://raivens.com/zdmqwymhhza/44250678185879600000.dat | 159.89.174.35 | clean |
| http://erp.demosoftware.biz/focahjqevd/44250678185879600000.dat | 58.96.102.67 | clean |

2 further URLs are not shown in this extract.

Domains

| Name | IP | Malicious |
|---|---|---|
| parama-college.id | 203.142.76.236 | clean |
| erp.demosoftware.biz | 58.96.102.67 | clean |
| sportsmarquee.com | 70.32.104.19 | clean |
| raivens.com | 159.89.174.35 | clean |
| jayshreewoods.com | 13.126.100.34 | clean |

IPs

| IP | Domain | Country | Active | Malicious |
|---|---|---|---|---|
| 13.126.100.34 | unknown | United States | unknown | clean |
| 159.89.174.35 | unknown | United States | unknown | clean |
| 58.96.102.67 | unknown | Australia | unknown | clean |
| 203.142.76.236 | unknown | Indonesia | unknown | clean |
| 70.32.104.19 | unknown | United States | unknown | clean |

Registry

| Path | Value | Malicious |
|---|---|---|
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | e~6 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | MTTT | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | ReviewToken | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | EBE40 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | VBAFiles | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | DefaultSheetR2L | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | UseSystemSeparators | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | ThousandsSeparator | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | DecimalSeparator | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Max Display | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Max Display | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 1 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 2 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 3 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 4 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 5 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 6 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 7 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 8 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 9 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 10 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 11 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 12 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 13 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 14 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 15 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 16 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 17 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 18 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 19 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 20 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | EC081 | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | EC14C | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Max Display | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Max Display | clean |
| C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Item 1 | clean |