IOCReport


Files

File Path | Type | Category | Malicious
PL_503_13_570.docx | Microsoft Word 2007+ | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Sugvt[1].exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | downloaded | malicious
C:\Users\user\AppData\Local\Temp\toqqx.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notpad\notpad.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\toqqx.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\ProgramData\826308279625120\temp | SQLite 3.x database, last written using SQLite version 3032001 | dropped | clean
C:\ProgramData\843743064682002\_8437430646.zip | Zip archive data, at least v2.0 to extract | dropped | clean
C:\ProgramData\843743064682002\cookies\Google Chrome_Default.txt | ASCII text, with CRLF line terminators | dropped | clean
C:\ProgramData\843743064682002\cookies\Mozilla Firefox_7xwghk55.default.txt | ASCII text, with very long lines, with CRLF line terminators | dropped | clean
C:\ProgramData\843743064682002\screenshot.jpg | JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3 | dropped | clean
C:\ProgramData\843743064682002\system.txt | ASCII text, with CRLF line terminators | dropped | clean
C:\ProgramData\843743064682002\temp | SQLite 3.x database, last written using SQLite version 3032001 | dropped | clean
C:\ProgramData\freebl3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | clean
C:\ProgramData\mozglue.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | clean
C:\ProgramData\msvcp140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | clean
C:\ProgramData\nss3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | clean
C:\ProgramData\softokn3.dll | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | dropped | clean
C:\ProgramData\sqlite3.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | clean
C:\ProgramData\vcruntime140.dll | PE32 executable (DLL) (console) Intel 80386, for MS Windows | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4C112D4.png | PNG image data, 288 x 424, 8-bit/color RGBA, non-interlaced | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4C77723-97C0-4A14-814E-1968BCE52029}.tmp | data | dropped | clean
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{FDB545E2-A1F4-4D0B-BC71-CA4D3862B689}.tmp | Targa image data - RLE 65536 x 65536 x 0 "" | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PL_503_13_570.LNK | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Wed May 5 03:33:33 2021, length=96745, window=hide | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat | ASCII text, with CRLF line terminators | dropped | clean
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | data | dropped | clean
C:\Users\user\Desktop\~$_503_13_570.docx | data | dropped | clean
16 further files are not shown in this listing.

Processes

Path | Cmdline | Malicious
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding | malicious
C:\Users\user\toqqx.exe | C:\Users\user\toqqx.exe | malicious
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding | malicious
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding | malicious
C:\Users\user\toqqx.exe | C:\Users\user\toqqx.exe | malicious
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding | malicious
C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding | malicious
C:\Users\user\AppData\Local\Temp\toqqx.exe | C:\Users\user\AppData\Local\Temp\toqqx.exe | malicious
C:\Users\user\AppData\Local\Temp\toqqx.exe | C:\Users\user\AppData\Local\Temp\toqqx.exe | malicious
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding | clean
C:\Windows\SysWOW64\cmd.exe | 'C:\Windows\System32\cmd.exe' /c taskkill /pid 2540 & erase C:\Users\user\AppData\Local\Temp\toqqx.exe & RD /S /Q C:\\ProgramData\\843743064682002\\* & exit | clean
C:\Windows\SysWOW64\taskkill.exe | taskkill /pid 2540 | clean
2 further processes are not shown in this listing.

URLs

Name | IP | Malicious
http://198.98.60.43/6.jpg | 198.98.60.43 | malicious
http://198.98.60.43/main.php | 198.98.60.43 | malicious