Malware Analysis Report

2025-03-15 07:04

Sample ID 230415-s6gcksgb7v
Target ae72f6016f8929c7780693cadfb855ef.xlsx
SHA256 9f8b5f5da718fafb98de9b2128cd81fd720a37de6c755b81965ead358aeb912a
Tags
emotet epoch4 banker trojan macro xlm
score
10/10

Analysis Overview

score
10/10

SHA256

9f8b5f5da718fafb98de9b2128cd81fd720a37de6c755b81965ead358aeb912a

Threat Level: Known bad

The file ae72f6016f8929c7780693cadfb855ef.xlsx was found to be: Known bad.

Malicious Activity Summary

emotet epoch4 banker trojan macro xlm

Process spawned unexpected child process

Emotet

Suspicious Office macro

Downloads MZ/PE file

Loads dropped DLL

Suspicious use of WriteProcessMemory

Modifies registry class

Checks processor information in registry

Modifies Internet Explorer settings

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2023-04-15 15:44

Signatures

Suspicious Office macro

macro xlm
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-15 15:44

Reported

2023-04-15 15:46

Platform

win7-20230220-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ae72f6016f8929c7780693cadfb855ef.xls

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE (4 occurrences)

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A (3 occurrences)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1236 wrote to memory of 292 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe (7 occurrences)
PID 1236 wrote to memory of 1476 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe (7 occurrences)
PID 1476 wrote to memory of 892 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe (7 occurrences)
PID 892 wrote to memory of 1360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe (5 occurrences)
PID 1236 wrote to memory of 812 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe (7 occurrences)
PID 1236 wrote to memory of 1384 N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE C:\Windows\SysWOW64\regsvr32.exe (7 occurrences)

Processes

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ae72f6016f8929c7780693cadfb855ef.xls

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\phdg1.ocx

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\phdg2.ocx

C:\Windows\system32\regsvr32.exe

/S ..\phdg2.ocx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\HknnkDB\WqHaDNzftjQjO.dll"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\phdg3.ocx

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\phdg4.ocx

Network


Files

memory/1236-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\phdg2.ocx

memory/892-62-0x0000000001DC0000-0x0000000001E14000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabC22B.tmp

memory/1360-98-0x00000000003A0000-0x00000000003A1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\TarC35A.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-15 15:44

Reported

2023-04-15 15:46

Platform

win10v2004-20230221-en

Max time kernel

152s

Max time network

155s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ae72f6016f8929c7780693cadfb855ef.xls"

Signatures

Emotet

trojan banker emotet

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\System32\regsvr32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\System32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ae72f6016f8929c7780693cadfb855ef.xls"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\phdg1.ocx

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\phdg2.ocx

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\phdg3.ocx

C:\Windows\system32\regsvr32.exe

C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RFPEyzZd\EspQlWHyssM.dll"

C:\Windows\System32\regsvr32.exe

C:\Windows\System32\regsvr32.exe /S ..\phdg4.ocx

Network

Country Destination Domain Proto

Files

C:\Users\Admin\phdg2.ocx

C:\Windows\System32\RFPEyzZd\EspQlWHyssM.dll
