Analysis Overview
SHA256: 30e225c474caca0c8a3946a303d4b8a6c0bdb5bb0d4a55c9c9944ac4c7cdddd4
Threat Level: Known bad
The file DETAILS_8352154452_1.xls was found to be: Known bad.
Malicious Activity Summary
Emotet
suricata: ET MALWARE W32/Emotet CnC Beacon 3
Process spawned unexpected child process
Downloads MZ/PE file
Suspicious Office macro
Loads dropped DLL
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Gathers network information
Enumerates system info in registry
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Modifies registry class
Modifies Internet Explorer settings
Analysis: static1
Detonation Overview
Reported: 2022-07-13 11:12
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2022-07-13 11:12
Reported: 2022-07-13 11:15
Platform: win7-20220414-en
Max time kernel: 184s
Max time network: 199s
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
suricata: ET MALWARE W32/Emotet CnC Beacon 3
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Gathers network information
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\DETAILS_8352154452_1.xls |
| C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx |
| C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx |
| C:\Windows\system32\regsvr32.exe | /S ..\soci2.ocx |
| C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BCGhxC\uXKOKHCxMLKp.dll" |
| C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx |
| C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx |
| C:\Windows\system32\regsvr32.exe | /S ..\soci4.ocx |
| C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SoWRTqqVDOTMgpA\QTuKnnlH.dll" |
| C:\Windows\system32\systeminfo.exe | systeminfo |
| C:\Windows\system32\ipconfig.exe | ipconfig /all |
| C:\Windows\system32\nltest.exe | nltest /dclist: |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | cointrade.world | udp |
| IN | 36.255.3.209:443 | cointrade.world | tcp |
| US | 8.8.8.8:53 | www.garantihaliyikama.com | udp |
| TR | 213.128.75.146:80 | www.garantihaliyikama.com | tcp |
| US | 8.8.8.8:53 | haircutbar.com | udp |
| US | 198.98.48.208:80 | haircutbar.com | tcp |
| US | 8.8.8.8:53 | airhobi.com | udp |
| TR | 193.53.245.52:80 | airhobi.com | tcp |
| US | 174.138.33.49:7080 | 174.138.33.49 | tcp |
| FR | 188.165.79.151:443 | 188.165.79.151 | tcp |
| US | 174.138.33.49:7080 | 174.138.33.49 | tcp |
| US | 174.138.33.49:7080 | 174.138.33.49 | tcp |
| ID | 203.217.140.239:8080 | 203.217.140.239 | tcp |
Files
C:\Users\Admin\soci2.ocx
| Algorithm | Digest |
|---|---|
| MD5 | 9551efaddbb1c08372ab3e202f251998 |
| SHA1 | 1b08133497b3198c1766a6ebb6cc45984a2df9f0 |
| SHA256 | eae2a235a46fbadb71ccea8d47a795833a134742704cb6b1dfc6e934d8aa371f |
| SHA512 | a803dc23cf1ed1d1659373f9e5b0aa5113b0ac9596482b80c91cb8a2a0fb7acae05bb634898645a796ec53315a39322cdc9733090624134e90e3d5a40d9ba7f9 |
C:\Users\Admin\soci4.ocx
| Algorithm | Digest |
|---|---|
| MD5 | 615f4fc0eb24ecb044f532a4c1cf20e1 |
| SHA1 | 738f9243e0b115a51826820c0ed92040b64615c5 |
| SHA256 | b1704fff5112536cfb3a23b7f0ae3922a1418b2e3ca56340ca5537f08b7be7b6 |
| SHA512 | 776153b81aff092bdaff76332f8f0d4d9df175b80df8eaf80dac96fa192898256533ba589354b06c21881f0c45b0cf3b2ef1aeb0a0cc35bc3fc8105a8022c822 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| Algorithm | Digest |
|---|---|
| MD5 | 589c442fc7a0c70dca927115a700d41e |
| SHA1 | 66a07dace3afbfd1aa07a47e6875beab62c4bb31 |
| SHA256 | 2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a |
| SHA512 | 1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Algorithm | Digest |
|---|---|
| MD5 | 7377688808f7f2453721176f7c9174fc |
| SHA1 | c00c854952d2f5410ba749aeece73bf827368df4 |
| SHA256 | 995944245b57bd623ef8da87beaca5022d8582611127296d00937fd52f1ee3d5 |
| SHA512 | 66ff94e247b10aba51c9f94bca5e63de4b6bfb628f98a0562cb413a1b2a2d1dcd05183f159016555561aa199189cf52a82cde017704004fe01c424ddb19b0409 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| Algorithm | Digest |
|---|---|
| MD5 | 5e76f04b46dad720a948940d1815a045 |
| SHA1 | c3b9d8b57d1348a2dc9b545578536d16cb9b79d5 |
| SHA256 | 3aea9cd9831a2dade0ed7dd68a6297c7594088b4574eb749736698111a2eb86b |
| SHA512 | 45c716fc299785f8aed7fa9c6e500cfaca7ab8d12e5611077fec58c027873040a42f49a34c3e550f94976dea4664442b222f9da32b5c8eb1219ab14d083b9e4a |
Analysis: behavioral2
Detonation Overview
Submitted: 2022-07-13 11:12
Reported: 2022-07-13 11:15
Platform: win10v2004-20220414-en
Max time kernel: 153s
Max time network: 173s
Signatures
Emotet
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
suricata: ET MALWARE W32/Emotet CnC Beacon 3
Downloads MZ/PE file
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\System32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\DETAILS_8352154452_1.xls"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\soci1.ocx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DzEab\YXKrWYWkBKlKe.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\soci2.ocx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UAEXcmIhUfT\fBddfxltlQzXxV.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\soci3.ocx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HbeWy\VNCZIWyKC.dll"
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\soci4.ocx
C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FAQnAL\CECcH.dll"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\nltest.exe
nltest /dclist:
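Detection logic for the process tree listed above, as an added example in Python (it is not part of the sandbox report). The events are transcribed from the Processes section; the PIDs are taken from the memory-dump file names in the Files section, and the parent/child assignment is an assumption: the report shows Excel spawning four regsvr32 instances, and the second-stage regsvr32 (the one loading the copy under System32) and the three recon tools are assumed to sit further down that tree. The final event is a constructed benign control so the rules can be seen not firing.

```python
"""Flag the Excel -> regsvr32 -> recon chain from this report's process list.

Added example, not sandbox output. PIDs and parent links are assumptions
(see lead-in); the last event is a constructed benign control.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "cmd.exe", "powershell.exe"}
RECON_TOOLS = {"systeminfo.exe", "ipconfig.exe", "nltest.exe", "whoami.exe",
               "net.exe", "tasklist.exe"}
# System32 subdirectories that legitimately hold registrable modules (assumed list; extend it).
KNOWN_SYSTEM32_SUBDIRS = {"wbem", "spool", "drivers", "driverstore"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
RS32 = r"C:\Windows\System32\regsvr32.exe"
rs32 = r"C:\Windows\system32\regsvr32.exe"

EVENTS = [
    ProcEvent(5112, 1000, EXCEL, f'"{EXCEL}" "C:\\Users\\Admin\\AppData\\Local\\Temp\\DETAILS_8352154452_1.xls"'),
    ProcEvent(4464, 5112, RS32, RS32 + r" /S ..\soci1.ocx"),
    ProcEvent(1540, 4464, rs32, rs32 + r' "C:\Windows\system32\DzEab\YXKrWYWkBKlKe.dll"'),
    ProcEvent(3344, 5112, RS32, RS32 + r" /S ..\soci2.ocx"),
    ProcEvent(228, 3344, rs32, rs32 + r' "C:\Windows\system32\UAEXcmIhUfT\fBddfxltlQzXxV.dll"'),
    ProcEvent(1708, 5112, RS32, RS32 + r" /S ..\soci3.ocx"),
    ProcEvent(1776, 1708, rs32, rs32 + r' "C:\Windows\system32\HbeWy\VNCZIWyKC.dll"'),
    ProcEvent(2500, 5112, RS32, RS32 + r" /S ..\soci4.ocx"),
    ProcEvent(1588, 2500, rs32, rs32 + r' "C:\Windows\system32\FAQnAL\CECcH.dll"'),
    ProcEvent(3508, 1540, r"C:\Windows\system32\systeminfo.exe", "systeminfo"),
    ProcEvent(4212, 1540, r"C:\Windows\system32\ipconfig.exe", "ipconfig /all"),
    ProcEvent(2184, 1540, r"C:\Windows\system32\nltest.exe", "nltest /dclist:"),
    # Constructed benign control: an installer registering its own COM server.
    ProcEvent(7001, 7000, RS32, RS32 + r' /s "C:\Program Files\Vendor\vendor.dll"'),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv(cmdline: str) -> list[str]:
    """Minimal Windows-style split: quoted spans stay whole, quotes are dropped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def regsvr32_module(cmdline: str) -> str | None:
    """First non-switch argument, i.e. the module regsvr32 will load and call."""
    for arg in argv(cmdline)[1:]:
        if not arg.startswith(("/", "-")):
            return arg
    return None


def module_is_suspicious(module: str) -> str | None:
    """Reason string when the module path matches the patterns seen in this report."""
    m = module.replace("/", "\\").lower()
    if not re.match(r"^[a-z]:\\", m):
        return "relative module path"
    if "\\users\\" in m:
        return "module under a user profile"
    sub = re.match(r"^c:\\windows\\system32\\([^\\]+)\\[^\\]+\.(dll|ocx)$", m)
    if sub and sub.group(1) not in KNOWN_SYSTEM32_SUBDIRS:
        return "module in an unexpected System32 subdirectory"
    return None


def ancestors(by_pid: dict[int, ProcEvent], pid: int):
    """Yield parent, grandparent, ... until the chain leaves the event set."""
    seen = {pid}
    ev = by_pid.get(pid)
    while ev is not None and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = by_pid.get(ev.ppid)
        if ev is not None:
            yield ev


def detect(events: list[ProcEvent]) -> list[dict]:
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        if pname in OFFICE_APPS and name in LOLBINS:
            hits.append({"rule": "office_spawns_lolbin", "pid": e.pid, "detail": f"{pname} -> {name}"})
        if name == "regsvr32.exe":
            mod = regsvr32_module(e.cmdline)
            why = module_is_suspicious(mod) if mod else None
            if why:
                hits.append({"rule": "regsvr32_suspicious_module", "pid": e.pid, "detail": f"{why}: {mod}"})
        if name in RECON_TOOLS and any(basename(a.image) in OFFICE_APPS for a in ancestors(by_pid, e.pid)):
            hits.append({"rule": "recon_under_office", "pid": e.pid, "detail": e.cmdline})
    return hits


def rule_counts(events: list[ProcEvent]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for h in detect(events):
        counts[h["rule"]] = counts.get(h["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f"[{h['rule']}] pid={h['pid']} {h['detail']}")
```

The three rules map onto what the sandbox flagged: the parent/child signature (Office spawning a LOLBin), the regsvr32 module living somewhere regsvr32 has no business loading from (a relative path into the user profile, then a freshly created System32 subdirectory), and the recon trio running anywhere under an Office process. The recon rule walks the whole ancestry rather than only the direct parent, because here systeminfo, ipconfig and nltest are two hops below Excel.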
Network
| Country | Destination | Domain | Proto |
| NL | 20.190.160.73:443 | | tcp |
| NL | 104.97.14.81:80 | | tcp |
| NL | 20.50.201.200:443 | | tcp |
| IE | 20.54.110.249:443 | | tcp |
| US | 8.8.8.8:53 | cointrade.world | udp |
| IN | 36.255.3.209:443 | cointrade.world | tcp |
| US | 8.8.8.8:53 | ocsp.starfieldtech.com | udp |
| US | 192.124.249.24:80 | ocsp.starfieldtech.com | tcp |
| US | 8.8.8.8:53 | www.garantihaliyikama.com | udp |
| TR | 213.128.75.146:80 | www.garantihaliyikama.com | tcp |
| NL | 20.190.160.67:443 | | tcp |
| US | 8.8.8.8:53 | haircutbar.com | udp |
| US | 198.98.48.208:80 | haircutbar.com | tcp |
| US | 8.8.8.8:53 | airhobi.com | udp |
| TR | 193.53.245.52:80 | airhobi.com | tcp |
| NL | 87.248.202.1:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| NL | 20.190.160.2:443 | | tcp |
| US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| US | 174.138.33.49:7080 | | tcp |
| US | 174.138.33.49:7080 | | tcp |
| US | 174.138.33.49:7080 | | tcp |
| US | 174.138.33.49:7080 | 174.138.33.49 | tcp |
| NL | 20.190.160.136:443 | | tcp |
| FR | 188.165.79.151:443 | 188.165.79.151 | tcp |
| FR | 188.165.79.151:443 | 188.165.79.151 | tcp |
| FR | 188.165.79.151:443 | 188.165.79.151 | tcp |
| FR | 188.165.79.151:443 | 188.165.79.151 | tcp |
| AU | 58.96.74.42:443 | | tcp |
| DE | 165.227.153.100:8080 | | tcp |
| NL | 20.190.160.6:443 | | tcp |
| NL | 20.190.160.6:443 | | tcp |
| US | 159.65.163.220:443 | | tcp |
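A first-pass sort of the Network table into pivots worth chasing, as an added example in Python (not sandbox output). The rows are transcribed from the table with the tcp/udp value in its own column; the categories, the treatment of the OCSP responder as background noise, and the choice of what counts as a pivot candidate are the author's assumptions, not something the report states.

```python
"""Sort this detonation's Network table into pivots worth chasing.

Added example, not sandbox output. ROWS is transcribed from the report; the
categories, NOISE_SUFFIXES and pivot selection are the author's assumptions.
"""
from __future__ import annotations

from collections import Counter, defaultdict

ROWS = [  # (country, destination, domain, proto)
    ("NL", "20.190.160.73:443", "", "tcp"),
    ("NL", "104.97.14.81:80", "", "tcp"),
    ("NL", "20.50.201.200:443", "", "tcp"),
    ("IE", "20.54.110.249:443", "", "tcp"),
    ("US", "8.8.8.8:53", "cointrade.world", "udp"),
    ("IN", "36.255.3.209:443", "cointrade.world", "tcp"),
    ("US", "8.8.8.8:53", "ocsp.starfieldtech.com", "udp"),
    ("US", "192.124.249.24:80", "ocsp.starfieldtech.com", "tcp"),
    ("US", "8.8.8.8:53", "www.garantihaliyikama.com", "udp"),
    ("TR", "213.128.75.146:80", "www.garantihaliyikama.com", "tcp"),
    ("NL", "20.190.160.67:443", "", "tcp"),
    ("US", "8.8.8.8:53", "haircutbar.com", "udp"),
    ("US", "198.98.48.208:80", "haircutbar.com", "tcp"),
    ("US", "8.8.8.8:53", "airhobi.com", "udp"),
    ("TR", "193.53.245.52:80", "airhobi.com", "tcp"),
    ("NL", "87.248.202.1:80", "", "tcp"),
    ("NL", "87.248.202.1:80", "", "tcp"),
    ("NL", "20.190.160.2:443", "", "tcp"),
    ("US", "8.8.8.8:53", "226.101.242.52.in-addr.arpa", "udp"),
    ("US", "174.138.33.49:7080", "", "tcp"),
    ("US", "174.138.33.49:7080", "", "tcp"),
    ("US", "174.138.33.49:7080", "", "tcp"),
    ("US", "174.138.33.49:7080", "174.138.33.49", "tcp"),
    ("NL", "20.190.160.136:443", "", "tcp"),
    ("FR", "188.165.79.151:443", "188.165.79.151", "tcp"),
    ("FR", "188.165.79.151:443", "188.165.79.151", "tcp"),
    ("FR", "188.165.79.151:443", "188.165.79.151", "tcp"),
    ("FR", "188.165.79.151:443", "188.165.79.151", "tcp"),
    ("AU", "58.96.74.42:443", "", "tcp"),
    ("DE", "165.227.153.100:8080", "", "tcp"),
    ("NL", "20.190.160.6:443", "", "tcp"),
    ("NL", "20.190.160.6:443", "", "tcp"),
    ("US", "159.65.163.220:443", "", "tcp"),
]

# Assumed noise: certificate status checks against a public OCSP responder.
NOISE_SUFFIXES = (".starfieldtech.com",)
NAMED = ("dns_query", "ptr_lookup", "named_http", "named_tls")


def split_dest(dest: str) -> tuple[str, int]:
    host, port = dest.rsplit(":", 1)
    return host, int(port)


def classify(dest: str, domain: str, proto: str) -> str:
    host, port = split_dest(dest)
    if proto == "udp" and port == 53:
        return "ptr_lookup" if domain.endswith(".in-addr.arpa") else "dns_query"
    if port not in (80, 443):
        return "nonstandard_port"      # 7080/8080: ports Emotet has long favoured for C2
    if domain and domain != host:
        return "named_http" if port == 80 else "named_tls"
    if domain == host:
        return "ip_as_hostname"        # the sandbox recorded the bare IP as the host name
    return "direct_ip_web"             # no hostname observed; left unattributed here


def triage(rows) -> dict[str, set[str]]:
    """Map each category to the distinct pivot strings (hostname or host:port) in it."""
    out: dict[str, set[str]] = defaultdict(set)
    for _country, dest, domain, proto in rows:
        cat = classify(dest, domain, proto)
        out[cat].add(domain if cat in NAMED else dest)
    return dict(out)


def repeat_counts(rows) -> Counter:
    """How often each destination was contacted; repeated connections stand out."""
    return Counter(dest for _c, dest, _d, _p in rows)


def pivot_candidates(rows) -> list[str]:
    """Non-web ports, IP-as-hostname TLS and plain-HTTP hostnames, minus known noise."""
    t = triage(rows)
    picks = set(t.get("nonstandard_port", ())) | set(t.get("ip_as_hostname", ()))
    picks |= {d for d in t.get("named_http", ()) if not d.endswith(NOISE_SUFFIXES)}
    return sorted(picks)


if __name__ == "__main__":
    for cat, items in sorted(triage(ROWS).items()):
        print(f"{cat}: {', '.join(sorted(items))}")
    print("candidates:", pivot_candidates(ROWS))
```

The two destinations on 7080 and 8080 and the 443 connection whose host name is its own IP are the ones to query against C2 feeds first; the four hostnames fetched over plain HTTP are the candidates for where the soci*.ocx payloads came from, though this report does not tie a URL to a file. The unnamed 443 connections are left uncategorised on purpose: without a host name or a certificate subject the table alone does not say whose infrastructure they are.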
Files
memory/5112-130-0x00007FFE32050000-0x00007FFE32060000-memory.dmp
memory/5112-131-0x00007FFE32050000-0x00007FFE32060000-memory.dmp
memory/5112-132-0x00007FFE32050000-0x00007FFE32060000-memory.dmp
memory/5112-133-0x00007FFE32050000-0x00007FFE32060000-memory.dmp
memory/5112-134-0x00007FFE32050000-0x00007FFE32060000-memory.dmp
memory/5112-135-0x00007FFE2FE50000-0x00007FFE2FE60000-memory.dmp
memory/5112-136-0x00007FFE2FE50000-0x00007FFE2FE60000-memory.dmp
memory/4464-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\soci1.ocx
| MD5 | 428084ddd7fda274784813193441f113 |
| SHA1 | fca2693e5243ba87f28793b3860db62c72a551df |
| SHA256 | d8011fc70a6c2d38b12db01fbed264e8372f3ca6ccf0d9ee282ce095cc0c0cbf |
| SHA512 | e9c78c723938083b8849932d371966255b8f9adb88f0fff5739085e791a36f276a905a6a43faf1b185ab4b57cb8cea0cd6fb7b9e57677c35238853eab81acfa9 |
C:\Users\Admin\soci1.ocx
| MD5 | 428084ddd7fda274784813193441f113 |
| SHA1 | fca2693e5243ba87f28793b3860db62c72a551df |
| SHA256 | d8011fc70a6c2d38b12db01fbed264e8372f3ca6ccf0d9ee282ce095cc0c0cbf |
| SHA512 | e9c78c723938083b8849932d371966255b8f9adb88f0fff5739085e791a36f276a905a6a43faf1b185ab4b57cb8cea0cd6fb7b9e57677c35238853eab81acfa9 |
memory/4464-140-0x00000000012C0000-0x000000000131E000-memory.dmp
memory/1540-144-0x0000000000000000-mapping.dmp
C:\Windows\System32\DzEab\YXKrWYWkBKlKe.dll
| MD5 | 428084ddd7fda274784813193441f113 |
| SHA1 | fca2693e5243ba87f28793b3860db62c72a551df |
| SHA256 | d8011fc70a6c2d38b12db01fbed264e8372f3ca6ccf0d9ee282ce095cc0c0cbf |
| SHA512 | e9c78c723938083b8849932d371966255b8f9adb88f0fff5739085e791a36f276a905a6a43faf1b185ab4b57cb8cea0cd6fb7b9e57677c35238853eab81acfa9 |
memory/3344-146-0x0000000000000000-mapping.dmp
C:\Users\Admin\soci2.ocx
| MD5 | 9551efaddbb1c08372ab3e202f251998 |
| SHA1 | 1b08133497b3198c1766a6ebb6cc45984a2df9f0 |
| SHA256 | eae2a235a46fbadb71ccea8d47a795833a134742704cb6b1dfc6e934d8aa371f |
| SHA512 | a803dc23cf1ed1d1659373f9e5b0aa5113b0ac9596482b80c91cb8a2a0fb7acae05bb634898645a796ec53315a39322cdc9733090624134e90e3d5a40d9ba7f9 |
C:\Users\Admin\soci2.ocx
| MD5 | 9551efaddbb1c08372ab3e202f251998 |
| SHA1 | 1b08133497b3198c1766a6ebb6cc45984a2df9f0 |
| SHA256 | eae2a235a46fbadb71ccea8d47a795833a134742704cb6b1dfc6e934d8aa371f |
| SHA512 | a803dc23cf1ed1d1659373f9e5b0aa5113b0ac9596482b80c91cb8a2a0fb7acae05bb634898645a796ec53315a39322cdc9733090624134e90e3d5a40d9ba7f9 |
memory/228-157-0x0000000000000000-mapping.dmp
C:\Windows\System32\UAEXcmIhUfT\fBddfxltlQzXxV.dll
| MD5 | 9551efaddbb1c08372ab3e202f251998 |
| SHA1 | 1b08133497b3198c1766a6ebb6cc45984a2df9f0 |
| SHA256 | eae2a235a46fbadb71ccea8d47a795833a134742704cb6b1dfc6e934d8aa371f |
| SHA512 | a803dc23cf1ed1d1659373f9e5b0aa5113b0ac9596482b80c91cb8a2a0fb7acae05bb634898645a796ec53315a39322cdc9733090624134e90e3d5a40d9ba7f9 |
memory/1708-163-0x0000000000000000-mapping.dmp
C:\Users\Admin\soci3.ocx
| MD5 | 1c78d36579cb819a53deedea4ac9f8dd |
| SHA1 | cbfac4c0a62dabf354d01edbb02c25c3b88f604c |
| SHA256 | 22c38fda96321b16ea796ed18f03625bbba4b7ffb5b7495f5c893768c6349f65 |
| SHA512 | 2e12abd2f824fca5e3c4bf9b090df839e2f76154b616c365959e4e63186308b571150a792205ab24b014e964c2451be5dc47afbfe81cef5cf1cd188c8cb4057c |
C:\Users\Admin\soci3.ocx
| MD5 | 1c78d36579cb819a53deedea4ac9f8dd |
| SHA1 | cbfac4c0a62dabf354d01edbb02c25c3b88f604c |
| SHA256 | 22c38fda96321b16ea796ed18f03625bbba4b7ffb5b7495f5c893768c6349f65 |
| SHA512 | 2e12abd2f824fca5e3c4bf9b090df839e2f76154b616c365959e4e63186308b571150a792205ab24b014e964c2451be5dc47afbfe81cef5cf1cd188c8cb4057c |
memory/1776-170-0x0000000000000000-mapping.dmp
C:\Windows\System32\HbeWy\VNCZIWyKC.dll
| MD5 | 1c78d36579cb819a53deedea4ac9f8dd |
| SHA1 | cbfac4c0a62dabf354d01edbb02c25c3b88f604c |
| SHA256 | 22c38fda96321b16ea796ed18f03625bbba4b7ffb5b7495f5c893768c6349f65 |
| SHA512 | 2e12abd2f824fca5e3c4bf9b090df839e2f76154b616c365959e4e63186308b571150a792205ab24b014e964c2451be5dc47afbfe81cef5cf1cd188c8cb4057c |
memory/2500-176-0x0000000000000000-mapping.dmp
C:\Users\Admin\soci4.ocx
| MD5 | 615f4fc0eb24ecb044f532a4c1cf20e1 |
| SHA1 | 738f9243e0b115a51826820c0ed92040b64615c5 |
| SHA256 | b1704fff5112536cfb3a23b7f0ae3922a1418b2e3ca56340ca5537f08b7be7b6 |
| SHA512 | 776153b81aff092bdaff76332f8f0d4d9df175b80df8eaf80dac96fa192898256533ba589354b06c21881f0c45b0cf3b2ef1aeb0a0cc35bc3fc8105a8022c822 |
C:\Users\Admin\soci4.ocx
| MD5 | 615f4fc0eb24ecb044f532a4c1cf20e1 |
| SHA1 | 738f9243e0b115a51826820c0ed92040b64615c5 |
| SHA256 | b1704fff5112536cfb3a23b7f0ae3922a1418b2e3ca56340ca5537f08b7be7b6 |
| SHA512 | 776153b81aff092bdaff76332f8f0d4d9df175b80df8eaf80dac96fa192898256533ba589354b06c21881f0c45b0cf3b2ef1aeb0a0cc35bc3fc8105a8022c822 |
memory/1588-183-0x0000000000000000-mapping.dmp
C:\Windows\System32\FAQnAL\CECcH.dll
| MD5 | 615f4fc0eb24ecb044f532a4c1cf20e1 |
| SHA1 | 738f9243e0b115a51826820c0ed92040b64615c5 |
| SHA256 | b1704fff5112536cfb3a23b7f0ae3922a1418b2e3ca56340ca5537f08b7be7b6 |
| SHA512 | 776153b81aff092bdaff76332f8f0d4d9df175b80df8eaf80dac96fa192898256533ba589354b06c21881f0c45b0cf3b2ef1aeb0a0cc35bc3fc8105a8022c822 |
memory/3508-189-0x0000000000000000-mapping.dmp
memory/1540-190-0x00000000034F0000-0x0000000003513000-memory.dmp
memory/4212-191-0x0000000000000000-mapping.dmp
memory/2184-192-0x0000000000000000-mapping.dmp
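Correlating the Files section by hash, as an added example in Python (not sandbox output). RECORDS is transcribed from the section above, keeping each soci*.ocx entry twice exactly as the report lists it so the dedupe step has something to do; the staging heuristic (same bytes first under a user profile, then under a new System32 subdirectory), the generated-name check and the manifest format are the author's assumptions.

```python
"""Correlate this detonation's dropped files by SHA-256.

Added example, not sandbox output. RECORDS is transcribed from the report;
the staging heuristic, looks_generated() and the manifest format are assumed.
"""
from __future__ import annotations

import re
from collections import defaultdict

H1 = "d8011fc70a6c2d38b12db01fbed264e8372f3ca6ccf0d9ee282ce095cc0c0cbf"
H2 = "eae2a235a46fbadb71ccea8d47a795833a134742704cb6b1dfc6e934d8aa371f"
H3 = "22c38fda96321b16ea796ed18f03625bbba4b7ffb5b7495f5c893768c6349f65"
H4 = "b1704fff5112536cfb3a23b7f0ae3922a1418b2e3ca56340ca5537f08b7be7b6"

RECORDS = [  # (path, sha256), in report order; the .ocx entries appear twice there
    (r"C:\Users\Admin\soci1.ocx", H1),
    (r"C:\Users\Admin\soci1.ocx", H1),
    (r"C:\Windows\System32\DzEab\YXKrWYWkBKlKe.dll", H1),
    (r"C:\Users\Admin\soci2.ocx", H2),
    (r"C:\Users\Admin\soci2.ocx", H2),
    (r"C:\Windows\System32\UAEXcmIhUfT\fBddfxltlQzXxV.dll", H2),
    (r"C:\Users\Admin\soci3.ocx", H3),
    (r"C:\Users\Admin\soci3.ocx", H3),
    (r"C:\Windows\System32\HbeWy\VNCZIWyKC.dll", H3),
    (r"C:\Users\Admin\soci4.ocx", H4),
    (r"C:\Users\Admin\soci4.ocx", H4),
    (r"C:\Windows\System32\FAQnAL\CECcH.dll", H4),
]

USER_DIR = re.compile(r"^c:\\users\\", re.I)
SYS32_SUBDIR = re.compile(r"^c:\\windows\\system32\\([^\\]+)\\[^\\]+\.(dll|ocx)$", re.I)


def dedupe(records):
    """Drop repeated (path, hash) listings while keeping report order."""
    seen, out = set(), []
    for rec in records:
        if rec not in seen:
            seen.add(rec)
            out.append(rec)
    return out


def by_hash(records) -> dict[str, list[str]]:
    groups: dict[str, list[str]] = defaultdict(list)
    for path, sha in dedupe(records):
        groups[sha].append(path)
    return {sha: sorted(paths) for sha, paths in groups.items()}


def staging_pairs(records) -> list[tuple[str, str, str]]:
    """(dropped path, staged copy, sha256) where identical bytes sit both under a
    user profile and under a System32 subdirectory."""
    pairs = []
    for sha, paths in by_hash(records).items():
        dropped = [p for p in paths if USER_DIR.match(p)]
        staged = [p for p in paths if SYS32_SUBDIR.match(p)]
        pairs.extend((d, s, sha) for d in dropped for s in staged)
    return pairs


def looks_generated(name: str) -> bool:
    """Triage heuristic only: letters-only, mixed-case names of 5+ characters, the
    shape of the DzEab / YXKrWYWkBKlKe directory and file names in this report."""
    return name.isalpha() and name != name.lower() and name != name.upper() and len(name) >= 5


def staged_names(records) -> list[tuple[str, str]]:
    """(directory, file) name pairs of staged copies, so each can be eyeballed."""
    out = []
    for _d, staged, _sha in staging_pairs(records):
        m = SYS32_SUBDIR.match(staged)
        out.append((m.group(1), staged.rsplit("\\", 1)[-1].rsplit(".", 1)[0]))
    return out


def ioc_manifest(records) -> list[str]:
    """One line per unique sample: sha256, then every path it was seen at."""
    return [f"{sha}  {' | '.join(paths)}" for sha, paths in sorted(by_hash(records).items())]


if __name__ == "__main__":
    for line in ioc_manifest(RECORDS):
        print(line)
    for d, s, sha in staging_pairs(RECORDS):
        print(f"{sha[:12]}  {d}  ->  {s}")
```

Twelve listings collapse to eight distinct files and four distinct hashes: each soci*.ocx that Excel's macro wrote into the user profile was copied byte-for-byte into a new System32 subdirectory and re-run from there via regsvr32, which is why the dropped DLL signature fires eight times. The hash manifest is the thing to feed into file-hash hunting; the staging pairs give the path pattern (System32\<letters>\<letters>.dll) for hosts where the hash has already changed.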