Malware Analysis Report

2025-08-05 21:39

Sample ID 221110-mw6a3ahbf8
Target MES_498.xls
SHA256 271d33b512c4ee37e4838eb1d7393de085e387b20d493304eb356bfa60b24e63
Tags
macro xlm emotet epoch5 banker trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

271d33b512c4ee37e4838eb1d7393de085e387b20d493304eb356bfa60b24e63

Threat Level: Known bad

The file MES_498.xls was found to be: Known bad.

Malicious Activity Summary

macro xlm emotet epoch5 banker trojan persistence

Emotet

Process spawned unexpected child process

Downloads MZ/PE file

Suspicious Office macro

Loads dropped DLL

Adds Run key to start application

Modifies registry class

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-10 10:49

Signatures

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-10 10:49

Reported

2022-11-10 10:52

Platform

win7-20220812-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\MES_498.xls

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1764 wrote to memory of 1100 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1100 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1100 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1100 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1100 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1100 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1100 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1100 wrote to memory of 1536 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1100 wrote to memory of 1536 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1100 wrote to memory of 1536 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1100 wrote to memory of 1536 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1100 wrote to memory of 1536 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1100 wrote to memory of 1536 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1100 wrote to memory of 1536 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1536 wrote to memory of 1672 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1536 wrote to memory of 1672 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1536 wrote to memory of 1672 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1536 wrote to memory of 1672 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1536 wrote to memory of 1672 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1764 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1120 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1120 wrote to memory of 1012 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1120 wrote to memory of 1012 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1120 wrote to memory of 1012 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1120 wrote to memory of 1012 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1120 wrote to memory of 1012 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1120 wrote to memory of 1012 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1120 wrote to memory of 1012 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1012 wrote to memory of 1400 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1012 wrote to memory of 1400 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1012 wrote to memory of 1400 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1012 wrote to memory of 1400 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1012 wrote to memory of 1400 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1764 wrote to memory of 1196 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1196 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1196 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1196 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1196 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1196 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1196 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1872 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1872 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1872 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1872 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1872 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1872 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe
PID 1764 wrote to memory of 1872 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\MES_498.xls

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DaeUjcPJClaxpp\Aehjhh.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

/S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JEXrEFCUAz\KLfnggLUg.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx

Network

Country Destination Domain Proto
US 8.8.8.8:53 bosny.com udp
TH 203.151.59.20:443 bosny.com tcp
US 8.8.8.8:53 navylin.com udp
CN 47.92.133.65:80 navylin.com tcp
ID 115.178.55.22:80 tcp
ID 115.178.55.22:80 tcp
US 8.8.8.8:53 asrani.garudaputih.com udp
SG 51.79.133.157:80 asrani.garudaputih.com tcp
US 8.8.8.8:53 db.rikaz.tech udp
DE 135.125.230.197:80 db.rikaz.tech tcp
SG 172.105.115.71:8080 tcp
SG 172.105.115.71:8080 tcp
KR 218.38.121.17:443 tcp
KR 218.38.121.17:443 tcp
BR 186.250.48.5:443 tcp
BR 186.250.48.5:443 tcp
IN 103.71.99.57:8080 tcp
DE 85.214.67.203:8080 tcp
ID 115.178.55.22:80 tcp
ID 115.178.55.22:80 tcp
FR 85.25.120.45:8080 tcp
SG 172.105.115.71:8080 tcp
SG 172.105.115.71:8080 tcp
KR 218.38.121.17:443 tcp
KR 218.38.121.17:443 tcp
CN 139.196.72.155:8080 tcp
BR 186.250.48.5:443 tcp
BR 186.250.48.5:443 tcp

Files

memory/1764-54-0x000000002FA91000-0x000000002FA94000-memory.dmp

memory/1764-55-0x0000000070F71000-0x0000000070F73000-memory.dmp

memory/1764-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1764-57-0x0000000071F5D000-0x0000000071F68000-memory.dmp

memory/1764-58-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

memory/1764-59-0x0000000071F5D000-0x0000000071F68000-memory.dmp

memory/1100-60-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv1.ooocccxxx

MD5 83b59fb810300c2dbddf3f7d739d25a4
SHA1 aa67e33414d97d297a3b86871dd6a9275fdb71d1
SHA256 6b2be1e6753c8b1d69abec430562268775c00784b0a2f4cf2c5e499f98a7bfdf
SHA512 c32ee574b86086d986b7177bbc011da11ad647ca8e3edbb76a6901a92fbc197d987f63b45c923aa273023ff070548caf712578e26a84f85c2eeea781ca55661a

\Users\Admin\elv1.ooocccxxx

MD5 83b59fb810300c2dbddf3f7d739d25a4
SHA1 aa67e33414d97d297a3b86871dd6a9275fdb71d1
SHA256 6b2be1e6753c8b1d69abec430562268775c00784b0a2f4cf2c5e499f98a7bfdf
SHA512 c32ee574b86086d986b7177bbc011da11ad647ca8e3edbb76a6901a92fbc197d987f63b45c923aa273023ff070548caf712578e26a84f85c2eeea781ca55661a

memory/1536-64-0x0000000000000000-mapping.dmp

memory/1536-65-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

\Users\Admin\elv1.ooocccxxx

MD5 83b59fb810300c2dbddf3f7d739d25a4
SHA1 aa67e33414d97d297a3b86871dd6a9275fdb71d1
SHA256 6b2be1e6753c8b1d69abec430562268775c00784b0a2f4cf2c5e499f98a7bfdf
SHA512 c32ee574b86086d986b7177bbc011da11ad647ca8e3edbb76a6901a92fbc197d987f63b45c923aa273023ff070548caf712578e26a84f85c2eeea781ca55661a

memory/1536-67-0x00000000002F0000-0x000000000031E000-memory.dmp

memory/1672-70-0x0000000000000000-mapping.dmp

memory/1120-75-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv2.ooocccxxx

MD5 64ef5cf1771ab08a49f3d94a54c55719
SHA1 e25c8f5afb72302f27bfbbc7cc71f8b792ecf27f
SHA256 35176c03296bdc5b1e485185858246f417ebf474b1c0ad7b55b3fd88630deced
SHA512 5c0cedf9da6fd9bbadfb0c15215a64d8617d588a08d075e5b7458f70fa76c9ce4377a681f04d75ee5705e1aff75d9f6d5277148a06f88e65b67300b04d293859

memory/1012-79-0x0000000000000000-mapping.dmp

\Users\Admin\elv2.ooocccxxx

MD5 64ef5cf1771ab08a49f3d94a54c55719
SHA1 e25c8f5afb72302f27bfbbc7cc71f8b792ecf27f
SHA256 35176c03296bdc5b1e485185858246f417ebf474b1c0ad7b55b3fd88630deced
SHA512 5c0cedf9da6fd9bbadfb0c15215a64d8617d588a08d075e5b7458f70fa76c9ce4377a681f04d75ee5705e1aff75d9f6d5277148a06f88e65b67300b04d293859

\Users\Admin\elv2.ooocccxxx

MD5 64ef5cf1771ab08a49f3d94a54c55719
SHA1 e25c8f5afb72302f27bfbbc7cc71f8b792ecf27f
SHA256 35176c03296bdc5b1e485185858246f417ebf474b1c0ad7b55b3fd88630deced
SHA512 5c0cedf9da6fd9bbadfb0c15215a64d8617d588a08d075e5b7458f70fa76c9ce4377a681f04d75ee5705e1aff75d9f6d5277148a06f88e65b67300b04d293859

memory/1400-85-0x0000000000000000-mapping.dmp

memory/1196-90-0x0000000000000000-mapping.dmp

memory/1872-92-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-10 10:49

Reported

2022-11-10 10:52

Platform

win10v2004-20220812-en

Max time kernel

149s

Max time network

139s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\MES_498.xls"

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ymfYEVj.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\XVTKHkfYFrcaBOHaO\\ymfYEVj.dll\"" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xMzy.dll = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\CINyW\\xMzy.dll\"" C:\Windows\system32\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4532 wrote to memory of 4260 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 4532 wrote to memory of 4260 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 4260 wrote to memory of 1648 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4260 wrote to memory of 1648 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4532 wrote to memory of 3640 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 4532 wrote to memory of 3640 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 3640 wrote to memory of 5028 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 3640 wrote to memory of 5028 N/A C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4532 wrote to memory of 4608 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 4532 wrote to memory of 4608 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 4532 wrote to memory of 2844 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe
PID 4532 wrote to memory of 2844 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\System32\regsvr32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\MES_498.xls"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\XVTKHkfYFrcaBOHaO\ymfYEVj.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CINyW\xMzy.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx

Network

Country Destination Domain Proto
US 8.8.8.8:53 bosny.com udp
TH 203.151.59.20:443 bosny.com tcp
US 8.8.8.8:53 navylin.com udp
CN 47.92.133.65:80 navylin.com tcp
US 52.182.143.210:443 tcp
ID 115.178.55.22:80 115.178.55.22 tcp
US 67.24.171.254:80 tcp
US 67.24.171.254:80 tcp
US 8.8.8.8:53 asrani.garudaputih.com udp
SG 51.79.133.157:80 asrani.garudaputih.com tcp
US 8.8.8.8:53 db.rikaz.tech udp
DE 135.125.230.197:80 db.rikaz.tech tcp
ID 115.178.55.22:80 115.178.55.22 tcp

Files

memory/4532-132-0x00007FF8E3A30000-0x00007FF8E3A40000-memory.dmp

memory/4532-133-0x00007FF8E3A30000-0x00007FF8E3A40000-memory.dmp

memory/4532-134-0x00007FF8E3A30000-0x00007FF8E3A40000-memory.dmp

memory/4532-135-0x00007FF8E3A30000-0x00007FF8E3A40000-memory.dmp

memory/4532-136-0x00007FF8E3A30000-0x00007FF8E3A40000-memory.dmp

memory/4532-137-0x00007FF8E1100000-0x00007FF8E1110000-memory.dmp

memory/4532-138-0x00007FF8E1100000-0x00007FF8E1110000-memory.dmp

memory/4260-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv1.ooocccxxx

MD5 83b59fb810300c2dbddf3f7d739d25a4
SHA1 aa67e33414d97d297a3b86871dd6a9275fdb71d1
SHA256 6b2be1e6753c8b1d69abec430562268775c00784b0a2f4cf2c5e499f98a7bfdf
SHA512 c32ee574b86086d986b7177bbc011da11ad647ca8e3edbb76a6901a92fbc197d987f63b45c923aa273023ff070548caf712578e26a84f85c2eeea781ca55661a

C:\Users\Admin\elv1.ooocccxxx

MD5 83b59fb810300c2dbddf3f7d739d25a4
SHA1 aa67e33414d97d297a3b86871dd6a9275fdb71d1
SHA256 6b2be1e6753c8b1d69abec430562268775c00784b0a2f4cf2c5e499f98a7bfdf
SHA512 c32ee574b86086d986b7177bbc011da11ad647ca8e3edbb76a6901a92fbc197d987f63b45c923aa273023ff070548caf712578e26a84f85c2eeea781ca55661a

memory/4260-142-0x0000000001EC0000-0x0000000001EEE000-memory.dmp

memory/1648-145-0x0000000000000000-mapping.dmp

C:\Windows\System32\XVTKHkfYFrcaBOHaO\ymfYEVj.dll

MD5 83b59fb810300c2dbddf3f7d739d25a4
SHA1 aa67e33414d97d297a3b86871dd6a9275fdb71d1
SHA256 6b2be1e6753c8b1d69abec430562268775c00784b0a2f4cf2c5e499f98a7bfdf
SHA512 c32ee574b86086d986b7177bbc011da11ad647ca8e3edbb76a6901a92fbc197d987f63b45c923aa273023ff070548caf712578e26a84f85c2eeea781ca55661a

memory/3640-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\elv2.ooocccxxx

MD5 2921d0c367a6afd07fa379d54dbb3b3d
SHA1 93663425207efad8008cc2a96000ebb312afc84b
SHA256 048cacc4532a828d51457fad7f5171a2605d69289783b21c257cde00eb2be455
SHA512 f737650b7329711d1ec39971d9573fd5b178723dfc12ac7c2c03fa75cb3f19573fedc12135070333cb463b0b438ec705d2d4ec0314ded37bd43c94dd65509ff3

C:\Users\Admin\elv2.ooocccxxx

MD5 2921d0c367a6afd07fa379d54dbb3b3d
SHA1 93663425207efad8008cc2a96000ebb312afc84b
SHA256 048cacc4532a828d51457fad7f5171a2605d69289783b21c257cde00eb2be455
SHA512 f737650b7329711d1ec39971d9573fd5b178723dfc12ac7c2c03fa75cb3f19573fedc12135070333cb463b0b438ec705d2d4ec0314ded37bd43c94dd65509ff3

memory/5028-156-0x0000000000000000-mapping.dmp

C:\Windows\System32\CINyW\xMzy.dll

MD5 2921d0c367a6afd07fa379d54dbb3b3d
SHA1 93663425207efad8008cc2a96000ebb312afc84b
SHA256 048cacc4532a828d51457fad7f5171a2605d69289783b21c257cde00eb2be455
SHA512 f737650b7329711d1ec39971d9573fd5b178723dfc12ac7c2c03fa75cb3f19573fedc12135070333cb463b0b438ec705d2d4ec0314ded37bd43c94dd65509ff3

memory/4608-161-0x0000000000000000-mapping.dmp

memory/2844-162-0x0000000000000000-mapping.dmp