IOC Report

Files

File Path | Type | Category | Malicious
dngqoAXyDd.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies.bak | SQLite 3.x database, last written using SQLite version 3035005 | dropped | malicious
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History.bak | SQLite 3.x database, last written using SQLite version 3035005 | dropped | malicious
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak | SQLite 3.x database, last written using SQLite version 3035005 | dropped | malicious
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data.bak | SQLite 3.x database, last written using SQLite version 3035005 | dropped | malicious
C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State.bak | ASCII text, with very long lines, with no line terminators | dropped | clean

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\dngqoAXyDd.exe | "C:\Users\user\Desktop\dngqoAXyDd.exe" | malicious
C:\Windows\System32\wermgr.exe | C:\Windows\system32\wermgr.exe | malicious
C:\Windows\System32\svchost.exe | C:\Windows\system32\svchost.exe | malicious
C:\Windows\System32\cmd.exe | C:\Windows\system32\cmd.exe | clean
C:\Windows\System32\cmd.exe | C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\user\AppData\Roaming\GNU-Rach-559H\cmdrun.bat" | clean
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean

URLs

Name | IP | Malicious
https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/14/user/user/0/ | 46.99.175.217 | malicious
https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/10/62/LDBHBJFHFNV/1/ | 46.99.175.217 | malicious
https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/23/100019/ | 46.99.175.217 | malicious
https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/file/ | 46.99.175.217 | malicious
https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/64/pwgrabb/VERS// | 46.99.175.217 | malicious
https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/0/Windows%2010%20x64/1108/102.129.143.91/6760749C3E0F3C8028653796E6C431FC062A0AA0107C34B734353BDE5C7824FB/K4eaS6gi8qoueakyUIyY/ | 46.99.175.217 | malicious
https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/14/path/C:%5CUsers%5Cuser%5CAppData%5CRoaming%5CGNU-Rach-559H%5CdngqoAXyDd.exe/0/ | 46.99.175.217 | malicious
https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/dpost/ | 46.99.175.217 | malicious
https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/64/pwgrabb/DEBG// | 46.99.175.217 | malicious
https://duckduckgo.com/chrome_newtab | unknown | clean
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search | unknown | clean
https://duckduckgo.com/ac/?q= | unknown | clean
https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download | unknown | clean
https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/14/NAT%20status/clien | unknown | clean
https://packetstormsecurity.com/files/download/22459/BIOS320.EXEDownload: | unknown | clean
https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/10/62/LDBHBJFHFNV/1/t | unknown | clean
http://110.38.58.198:443 | unknown | clean
http://103.111.83.86:443 | unknown | clean
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE | unknown | clean
https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8-_ | unknown | clean
http://27.109.116.144:443 | unknown | clean
https://www.google.com/search?q=java | unknown | clean
https://24.45.255.9/ | unknown | clean
http://116.206.62.138:443 | unknown | clean
http://ip.anysrc.net/ | unknown | clean
https://24.45.255.9:443/login.cgi?uri=/index.html# | unknown | clean
https://play.google.com/store/apps/details?id=com.ubnt.umobile | unknown | clean
http://186.96.153.223:443 | unknown | clean
https://46.99.175.217/ | unknown | clean
http://138.94.162.29:443 | unknown | clean
https://46.99.175.217/rovider | unknown | clean
https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp | unknown | clean
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | unknown | clean
https://office.com/setup | unknown | clean
https://recoveringlib.blogspot.com/2015/04/bios320exe-64-bit.htmlBios320.Exe | unknown | clean
http://45.115.174.234:443 | unknown | clean
https://46.99.175.217:443/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/dpost/ | unknown | clean
https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K | unknown | clean
https://202.58.199.82/roviderg/ | unknown | clean
http://139.255.41.122:443 | unknown | clean
https://account.live.com/Abuse?mkt=EN-US&uiflavor=web&client_id=1E000040382627&id=293577&lmif=40&abr | unknown | clean
https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/10/62/LDBHBJFHFNV/1/g | unknown | clean
https://setup.office.com/?ms.officeurl=setup | unknown | clean
http://36.95.73.109:443 | unknown | clean
https://202.58.199.82/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/pwgrabb64/ | 202.58.199.82 | clean
https://aka.office.com/office/url/setupMicrosoft | unknown | clean
https://recoveringlib.blogspot.com/2015/04/bios320exe-64-bit.html | unknown | clean
https://24.45.255.9/login.cgi?uri=/index.html | 24.45.255.9 | clean
https://aka.office.com/office/url/setup | unknown | clean
https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3DsetupSign | unknown | clean
https://windows-drivers-x04.blogspot.com/2013/06/bios320exe-64-bit-download.htmlBios320.Exe | unknown | clean
https://www.google.com/search?q=autoit | unknown | clean
https://46.99.175.217/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/64/pwgrabb/DEBG//0u0u | unknown | clean
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | unknown | clean
https://setup.office.com/?ms.officeurl=setupMicrosoft | unknown | clean
https://202.58.199.82/top147/061544_W10019042.34ED337BB336C4191A537F33B775D9BB/5/pwgrabc64/ | 202.58.199.82 | clean