Malware Analysis Report

2025-08-11 01:42

Sample ID 221109-162yaaedbr
Target 408372.xls
SHA256 1ee7b704748ac97fec5cac6b14feb616aa08a607af15ec2e23dfe4a49e885077
Tags
emotet epoch5 banker persistence trojan macro xlm
score
10/10

Analysis Overview

score
10/10

SHA256

1ee7b704748ac97fec5cac6b14feb616aa08a607af15ec2e23dfe4a49e885077

Threat Level: Known bad

The file 408372.xls was found to be: Known bad.

Malicious Activity Summary

emotet epoch5 banker persistence trojan macro xlm

Emotet

Process spawned unexpected child process

Suspicious Office macro

Downloads MZ/PE file

Loads dropped DLL

Adds Run key to start application

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-09 22:16

Signatures

Suspicious Office macro

macro xlm
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-09 22:16

Reported

2022-11-09 22:19

Platform

win10v2004-20220812-en

Max time kernel

171s

Max time network

188s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\408372.xls"

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\System32\regsvr32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Downloads MZ/PE file

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yVllhaMcX.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\EbadT\\yVllhaMcX.dll\"" | C:\Windows\system32\regsvr32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\regsvr32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NtHfMgjeE.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\KVJpVbrwvrY\\NtHfMgjeE.dll\"" | C:\Windows\system32\regsvr32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4784 wrote to memory of 1412 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 1412 wrote to memory of 1240 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 4784 wrote to memory of 3196 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 4784 wrote to memory of 4496 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 4496 wrote to memory of 2744 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 4784 wrote to memory of 2704 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\System32\regsvr32.exe
PID 2704 wrote to memory of 3056 | N/A | C:\Windows\System32\regsvr32.exe | C:\Windows\system32\regsvr32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\408372.xls"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KVJpVbrwvrY\NtHfMgjeE.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RXeKoxvKAIs\tGvSlTjZVbxuKOUs.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EbadT\yVllhaMcX.dll"

Network

Files

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-09 22:16

Reported

2022-11-09 22:19

Platform

win7-20220812-en

Max time kernel

151s

Max time network

189s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\408372.xls

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Downloads MZ/PE file

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1996 wrote to memory of 904 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe
PID 904 wrote to memory of 624 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 624 wrote to memory of 1972 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1996 wrote to memory of 744 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe
PID 744 wrote to memory of 1556 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1556 wrote to memory of 1520 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1996 wrote to memory of 1140 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe
PID 1140 wrote to memory of 760 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 760 wrote to memory of 1628 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\regsvr32.exe
PID 1996 wrote to memory of 1588 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\408372.xls

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZjZqBZHdEcGXsIRxR\RawXiWenv.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PmiVbmRbuta\TjYFujrobTE.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv3.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QpzCGhGy\UqRCRGX.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv4.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\TNBRerGgHW\CrKWkkZAMhsHkYT.dll"

Network

Files