Windows Analysis Report
Documento.xlsm

Overview

General Information

Sample Name: Documento.xlsm
Analysis ID: 578182
MD5: 5acc6f1ff8366ddc895392da4e6a50e3
SHA1: 45b3ef65a4dabdbbefec603fe3dca9bfb1c5c643
SHA256: 0bb184f9c3e9cda4571bd806b90dbda484c331d9dce7af784405fd211f6c71c4
Tags: xlsm

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Multi AV Scanner detection for domain / URL
Sigma detected: Regsvr32 Command Line Without DLL
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Network Activity
Found Excel 4.0 Macro with suspicious formulas
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Document exploit detected (UrlDownloadToFile)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Document misses a certain OLE stream usually present in this Microsoft Office document type
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to retrieve information about pressed keystrokes
Drops PE files to the user directory
Excel documents contains an embedded macro which executes code when the document is opened
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sigma detected: Excel Network Connections
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

AV Detection

Source: https://135.148.121.246/j Avira URL Cloud: Label: malware
Source: https://135.148.121.246:8080/zPDHHDvtYQmewTlUqnNumfvSgAMeHhZGhBefDhmgdqyEKfqwiccH~A Avira URL Cloud: Label: malware
Source: https://135.148.121.246:8080/zPDHHDvtYQmewTlUqnNumfvSgAMeHhZGhBefDhmgdqyEKfqwot~H Avira URL Cloud: Label: malware
Source: https://135.148.121.246/b Avira URL Cloud: Label: malware
Source: 9.2.regsvr32.exe.190000.0.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["135.148.121.246:8080", "213.190.4.223:7080", "175.107.196.192:80", "46.55.222.11:443", "153.126.203.229:8080", "138.185.72.26:8080", "45.118.135.203:7080", "107.182.225.142:8080", "195.154.133.20:443", "79.172.212.216:8080", "129.232.188.93:443", "50.30.40.196:8080", "131.100.24.231:80", "58.227.42.236:80", "216.158.226.206:443", "45.118.115.99:8080", "51.254.140.238:7080", "173.212.193.249:8080", "110.232.117.186:8080", "81.0.236.90:443", "158.69.222.101:443", "103.75.201.2:443", "185.157.82.211:8080", "176.104.106.96:8080", "82.165.152.127:8080", "156.67.219.84:7080", "212.237.17.99:8080", "178.128.83.165:80", "162.243.175.63:443", "45.142.114.231:8080", "103.134.85.85:80", "178.79.147.66:8080", "31.24.158.56:8080", "103.75.201.4:443", "217.182.143.207:443", "159.8.59.82:8080", "164.68.99.3:8080", "209.126.98.206:8080", "207.38.84.195:8080", "119.235.255.201:8080", "212.24.98.99:8080", "212.237.56.116:7080", "50.116.54.215:443", "45.176.232.124:443", "203.114.109.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}
Source: Documento.xlsm Virustotal: Detection: 40%
Source: Documento.xlsm ReversingLabs: Detection: 39%
Source: www.swaong.com Virustotal: Detection: 5%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000D150 SendMessageA,SendMessageA,SendMessageA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,SendMessageA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,SHGetFileInfoA,SendMessageA,SHGetFileInfoA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,SendMessageA,LoadCursorA,CopyIcon,LoadCursorFromFileA,ShowCursor,ShowCursor,SetSystemCursor,ShowCursor,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LoadMenuA,LoadIconA,_strncpy,VariantClear,VariantClear,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,VariantClear,VariantClear,VariantClear,VariantClear, 3_2_1000D150
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002084E __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_1002084E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002A9C8 LoadIconA,FindFirstFileA,GetLastError,lstrlenA,SetLastError,__fullpath,__splitpath_s,__makepath_s, 3_2_1002A9C8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_002627C2 FindFirstFileW, 11_2_002627C2

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: BRqk58WkNweubruYwrLOt[1].dll.0.dr
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BRqk58WkNweubruYwrLOt[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 135.148.121.246:8080
Source: global traffic DNS query: name: www.swaong.com

Networking

Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 135.148.121.246 144
Source: Joe Sandbox View ASN Name: OnlineSASFR
Source: Joe Sandbox View ASN Name: S-NET-ASPL
Source: Joe Sandbox View IP Address: 195.154.133.20
Source: Joe Sandbox View IP Address: 185.157.82.211
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 135.148.121.246:8080
Source: unknown Network traffic detected: IP country count 24
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.11.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000B.00000002.711992789.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab-
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enbH
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 0000000B.00000002.711970606.00000000004BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://135.148.121.246/b
Source: regsvr32.exe, 0000000B.00000002.711970606.00000000004BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://135.148.121.246/j
Source: regsvr32.exe, 0000000B.00000002.711992789.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://135.148.121.246:8080/zPDHHDvtYQmewTlUqnNumfvSgAMeHhZGhBefDhmgdqyEKfqwiccH~A
Source: regsvr32.exe, 0000000B.00000002.711992789.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://135.148.121.246:8080/zPDHHDvtYQmewTlUqnNumfvSgAMeHhZGhBefDhmgdqyEKfqwot~H
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3429A7BE.jpeg
Source: unknown DNS traffic detected: queries for: www.swaong.com
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002818E recv, 3_2_1002818E
Source: unknown TCP traffic detected without corresponding DNS query: 135.148.121.246
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002B47F SendMessageA,SendMessageA,GetAsyncKeyState,SendMessageA, 3_2_1002B47F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100392CA __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent, 3_2_100392CA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001A057 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_1001A057
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003684C ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 3_2_1003684C

E-Banking Fraud


System Summary

Source: Documento.xlsm Macro extractor: Sheet: EFWFSFG contains: URLDownloadToFileA
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CC 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 Id 1 p p
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CC 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 Id 1 p p
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 12 Screenshot OCR: ENABLE EDITING" and "ENABLE CC 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 Id 1 p p
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\xxw1.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BRqk58WkNweubruYwrLOt[1].dll
Source: Documento.xlsm Initial sample: EXEC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002513A3 4_2_002513A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00238FE9 4_2_00238FE9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00243231 4_2_00243231
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00247E3D 4_2_00247E3D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023CA3C 4_2_0023CA3C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00250A01 4_2_00250A01
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00249A0C 4_2_00249A0C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00251A0A 4_2_00251A0A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00237013 4_2_00237013
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00239C1B 4_2_00239C1B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023806B 4_2_0023806B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023186B 4_2_0023186B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024604B 4_2_0024604B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00249054 4_2_00249054
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023E65A 4_2_0023E65A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00231A5F 4_2_00231A5F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024D4AE 4_2_0024D4AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023AEBB 4_2_0023AEBB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023D4BC 4_2_0023D4BC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00249285 4_2_00249285
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024A683 4_2_0024A683
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00243E89 4_2_00243E89
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023188C 4_2_0023188C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00243094 4_2_00243094
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00246E97 4_2_00246E97
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00247098 4_2_00247098
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023C4E5 4_2_0023C4E5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002486EE 4_2_002486EE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002322F7 4_2_002322F7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023E4F5 4_2_0023E4F5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00248EF8 4_2_00248EF8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024EEC2 4_2_0024EEC2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002466C8 4_2_002466C8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024FAD1 4_2_0024FAD1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023A4DE 4_2_0023A4DE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00241B29 4_2_00241B29
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024DF2B 4_2_0024DF2B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00247730 4_2_00247730
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00232F36 4_2_00232F36
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00240503 4_2_00240503
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023ED0A 4_2_0023ED0A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024490E 4_2_0024490E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024AF0B 4_2_0024AF0B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00234313 4_2_00234313
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024A916 4_2_0024A916
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00232710 4_2_00232710
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023BB14 4_2_0023BB14
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00242B1F 4_2_00242B1F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00237761 4_2_00237761
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00248966 4_2_00248966
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024BD63 4_2_0024BD63
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024E168 4_2_0024E168
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00239343 4_2_00239343
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023C151 4_2_0023C151
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00233F5A 4_2_00233F5A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024CFA0 4_2_0024CFA0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002435A3 4_2_002435A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024F9AF 4_2_0024F9AF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002523B9 4_2_002523B9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00243983 4_2_00243983
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00242783 4_2_00242783
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023958A 4_2_0023958A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024519C 4_2_0024519C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00247B9E 4_2_00247B9E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00246998 4_2_00246998
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002371E3 4_2_002371E3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023CDE0 4_2_0023CDE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024E5ED 4_2_0024E5ED
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024F7F4 4_2_0024F7F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002505F6 4_2_002505F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00251FC7 4_2_00251FC7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00231DCA 4_2_00231DCA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023A9CF 4_2_0023A9CF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002417D2 4_2_002417D2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024F5D9 4_2_0024F5D9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030303A 5_2_0030303A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00320E7A 5_2_00320E7A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00314E54 5_2_00314E54
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00308844 5_2_00308844
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00321E49 5_2_00321E49
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030364E 5_2_0030364E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_003082D2 5_2_003082D2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031FECB 5_2_0031FECB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_003050CF 5_2_003050CF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00318131 5_2_00318131
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031416E 5_2_0031416E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031D15E 5_2_0031D15E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00304B40 5_2_00304B40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_003213A3 5_2_003213A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00308FE9 5_2_00308FE9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00313231 5_2_00313231
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00317E3D 5_2_00317E3D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030CA3C 5_2_0030CA3C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00307013 5_2_00307013
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00309C1B 5_2_00309C1B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00320A01 5_2_00320A01
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00321A0A 5_2_00321A0A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00319A0C 5_2_00319A0C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030806B 5_2_0030806B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030186B 5_2_0030186B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00319054 5_2_00319054
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030E65A 5_2_0030E65A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00301A5F 5_2_00301A5F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031604B 5_2_0031604B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030AEBB 5_2_0030AEBB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030D4BC 5_2_0030D4BC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031D4AE 5_2_0031D4AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00313094 5_2_00313094
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00316E97 5_2_00316E97
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00317098 5_2_00317098
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031A683 5_2_0031A683
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00319285 5_2_00319285
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00313E89 5_2_00313E89
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030188C 5_2_0030188C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030E4F5 5_2_0030E4F5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_003022F7 5_2_003022F7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00318EF8 5_2_00318EF8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030C4E5 5_2_0030C4E5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_003186EE 5_2_003186EE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031FAD1 5_2_0031FAD1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030A4DE 5_2_0030A4DE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031EEC2 5_2_0031EEC2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_003166C8 5_2_003166C8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00317730 5_2_00317730
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00302F36 5_2_00302F36
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00311B29 5_2_00311B29
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031DF2B 5_2_0031DF2B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00302710 5_2_00302710
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00304313 5_2_00304313
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030BB14 5_2_0030BB14
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031A916 5_2_0031A916
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00312B1F 5_2_00312B1F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00310503 5_2_00310503
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031AF0B 5_2_0031AF0B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030ED0A 5_2_0030ED0A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031490E 5_2_0031490E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00307761 5_2_00307761
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031BD63 5_2_0031BD63
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00318966 5_2_00318966
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031E168 5_2_0031E168
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030C151 5_2_0030C151
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00303F5A 5_2_00303F5A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00309343 5_2_00309343
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_003223B9 5_2_003223B9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031CFA0 5_2_0031CFA0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_003135A3 5_2_003135A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031F9AF 5_2_0031F9AF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00316998 5_2_00316998
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031519C 5_2_0031519C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00317B9E 5_2_00317B9E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00313983 5_2_00313983
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00312783 5_2_00312783
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030958A 5_2_0030958A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_003205F6 5_2_003205F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031F7F4 5_2_0031F7F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030CDE0 5_2_0030CDE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_003071E3 5_2_003071E3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031E5ED 5_2_0031E5ED
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_003117D2 5_2_003117D2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0031F5D9 5_2_0031F5D9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00321FC7 5_2_00321FC7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00301DCA 5_2_00301DCA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0030A9CF 5_2_0030A9CF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D50CF 6_2_008D50CF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008EFECB 6_2_008EFECB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D82D2 6_2_008D82D2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D303A 6_2_008D303A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D364E 6_2_008D364E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008F1E49 6_2_008F1E49
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D8844 6_2_008D8844
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E4E54 6_2_008E4E54
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008F0E7A 6_2_008F0E7A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008F13A3 6_2_008F13A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D8FE9 6_2_008D8FE9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E8131 6_2_008E8131
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D4B40 6_2_008D4B40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008ED15E 6_2_008ED15E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E416E 6_2_008E416E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D188C 6_2_008D188C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E3E89 6_2_008E3E89
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E9285 6_2_008E9285
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008EA683 6_2_008EA683
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E7098 6_2_008E7098
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E6E97 6_2_008E6E97
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E3094 6_2_008E3094
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008ED4AE 6_2_008ED4AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008DD4BC 6_2_008DD4BC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008DAEBB 6_2_008DAEBB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E66C8 6_2_008E66C8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008EEEC2 6_2_008EEEC2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008DA4DE 6_2_008DA4DE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008EFAD1 6_2_008EFAD1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E86EE 6_2_008E86EE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008DC4E5 6_2_008DC4E5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E8EF8 6_2_008E8EF8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008DE4F5 6_2_008DE4F5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D22F7 6_2_008D22F7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E9A0C 6_2_008E9A0C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008F1A0A 6_2_008F1A0A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008F0A01 6_2_008F0A01
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D9C1B 6_2_008D9C1B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D7013 6_2_008D7013
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008DCA3C 6_2_008DCA3C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E7E3D 6_2_008E7E3D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E3231 6_2_008E3231
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E604B 6_2_008E604B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D1A5F 6_2_008D1A5F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008DE65A 6_2_008DE65A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E9054 6_2_008E9054
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D806B 6_2_008D806B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D186B 6_2_008D186B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D958A 6_2_008D958A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E3983 6_2_008E3983
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E2783 6_2_008E2783
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E7B9E 6_2_008E7B9E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E519C 6_2_008E519C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E6998 6_2_008E6998
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008EF9AF 6_2_008EF9AF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E35A3 6_2_008E35A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008ECFA0 6_2_008ECFA0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008F23B9 6_2_008F23B9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008DA9CF 6_2_008DA9CF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D1DCA 6_2_008D1DCA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008F1FC7 6_2_008F1FC7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008EF5D9 6_2_008EF5D9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E17D2 6_2_008E17D2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008EE5ED 6_2_008EE5ED
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008DCDE0 6_2_008DCDE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D71E3 6_2_008D71E3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008F05F6 6_2_008F05F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008EF7F4 6_2_008EF7F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E490E 6_2_008E490E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008EAF0B 6_2_008EAF0B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008DED0A 6_2_008DED0A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E0503 6_2_008E0503
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E2B1F 6_2_008E2B1F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008EA916 6_2_008EA916
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008DBB14 6_2_008DBB14
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D2710 6_2_008D2710
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D4313 6_2_008D4313
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008EDF2B 6_2_008EDF2B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E1B29 6_2_008E1B29
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D2F36 6_2_008D2F36
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E7730 6_2_008E7730
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D9343 6_2_008D9343
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D3F5A 6_2_008D3F5A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008DC151 6_2_008DC151
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008EE168 6_2_008EE168
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008E8966 6_2_008E8966
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D7761 6_2_008D7761
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008EBD63 6_2_008EBD63
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E303A 9_2_001E303A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F4E54 9_2_001F4E54
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E364E 9_2_001E364E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_00200E7A 9_2_00200E7A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E8844 9_2_001E8844
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_00201E49 9_2_00201E49
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E82D2 9_2_001E82D2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E50CF 9_2_001E50CF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001FFECB 9_2_001FFECB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F8131 9_2_001F8131
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001FD15E 9_2_001FD15E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E4B40 9_2_001E4B40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F416E 9_2_001F416E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_002013A3 9_2_002013A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E8FE9 9_2_001E8FE9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E9C1B 9_2_001E9C1B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E7013 9_2_001E7013
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F9A0C 9_2_001F9A0C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_00200A01 9_2_00200A01
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F7E3D 9_2_001F7E3D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001ECA3C 9_2_001ECA3C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_00201A0A 9_2_00201A0A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F3231 9_2_001F3231
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E1A5F 9_2_001E1A5F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001EE65A 9_2_001EE65A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F9054 9_2_001F9054
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F604B 9_2_001F604B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E806B 9_2_001E806B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E186B 9_2_001E186B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F7098 9_2_001F7098
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F6E97 9_2_001F6E97
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F3094 9_2_001F3094
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E188C 9_2_001E188C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F3E89 9_2_001F3E89
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F9285 9_2_001F9285
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001FA683 9_2_001FA683
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001ED4BC 9_2_001ED4BC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001EAEBB 9_2_001EAEBB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001FD4AE 9_2_001FD4AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001EA4DE 9_2_001EA4DE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001FFAD1 9_2_001FFAD1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F66C8 9_2_001F66C8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001FEEC2 9_2_001FEEC2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F8EF8 9_2_001F8EF8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E22F7 9_2_001E22F7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001EE4F5 9_2_001EE4F5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F86EE 9_2_001F86EE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001EC4E5 9_2_001EC4E5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F2B1F 9_2_001F2B1F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001FA916 9_2_001FA916
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001EBB14 9_2_001EBB14
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E4313 9_2_001E4313
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E2710 9_2_001E2710
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F490E 9_2_001F490E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001FAF0B 9_2_001FAF0B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001EED0A 9_2_001EED0A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F0503 9_2_001F0503
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E2F36 9_2_001E2F36
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F7730 9_2_001F7730
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001FDF2B 9_2_001FDF2B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F1B29 9_2_001F1B29
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E3F5A 9_2_001E3F5A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001EC151 9_2_001EC151
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E9343 9_2_001E9343
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001FE168 9_2_001FE168
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F8966 9_2_001F8966
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001FBD63 9_2_001FBD63
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E7761 9_2_001E7761
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F7B9E 9_2_001F7B9E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F519C 9_2_001F519C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F6998 9_2_001F6998
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E958A 9_2_001E958A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_002023B9 9_2_002023B9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F3983 9_2_001F3983
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F2783 9_2_001F2783
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001FF9AF 9_2_001FF9AF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F35A3 9_2_001F35A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001FCFA0 9_2_001FCFA0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001FF5D9 9_2_001FF5D9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001F17D2 9_2_001F17D2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001EA9CF 9_2_001EA9CF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E1DCA 9_2_001E1DCA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_002005F6 9_2_002005F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_00201FC7 9_2_00201FC7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001FF7F4 9_2_001FF7F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001FE5ED 9_2_001FE5ED
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E71E3 9_2_001E71E3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001ECDE0 9_2_001ECDE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 10_2_0026303A 10_2_0026303A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 10_2_00280E7A 10_2_00280E7A
Source: 8833.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: Documento.xlsm Macro extractor: Sheet name: Br1
Source: Documento.xlsm Macro extractor: Sheet name: Br2
Source: Documento.xlsm Macro extractor: Sheet name: EFWFSFG
Source: BRqk58WkNweubruYwrLOt[1].dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BRqk58WkNweubruYwrLOt[1].dll.0.dr Static PE information: Resource name: None type: GLS_BINARY_LSB_FIRST
Source: xxw1.ocx.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xxw1.ocx.0.dr Static PE information: Resource name: None type: GLS_BINARY_LSB_FIRST
Source: workbook.xml Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"><fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="22527"/><workbookPr defaultThemeVersion="166925"/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="C:\Users\Admin\Desktop\File\23f\Cir-ZV\CIR\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{39997D78-22C7-4743-8ECE-3023C34473AE}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="20730" windowHeight="11160" firstSheet="1" activeTab="1" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Grrr1" sheetId="2" state="hidden" r:id="rId1"/><sheet name="Sheet" sheetId="11" r:id="rId2"/><sheet name="Sbrr1" sheetId="3" state="hidden" r:id="rId3"/><sheet name="EFWFSFG" sheetId="8" state="hidden" r:id="rId4"/><sheet name="Br1" sheetId="4" state="hidden" r:id="rId5"/><sheet name="Br2" sheetId="5" state="hidden" r:id="rId6"/></sheets><definedNames><definedName name="DDDDD1">#REF!</definedName><definedName name="DDWD">EFWFSFG!$D$15</definedName><definedName name="DDWD1">EFWFSFG!$D$17</definedName><definedName name="DDWD2">EFWFSFG!$D$19</definedName><definedName name="DDWD3">EFWFSFG!$D$21</definedName><definedName name="DDWD4">EFWFSFG!$D$23</definedName><definedName name="DDWD8">EFWFSFG!$D$13</definedName><definedName name="KKLD8">#REF!</definedName><definedName name="_xlnm.Auto_Open">EFWFSFG!$D$1</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures"><xcalcf:calcFeatures><xcalcf:feature name="microsoft.com:RD"/><xcalcf:feature name="microsoft.com:FV"/></xcalcf:calcFeatures></ext></extLst></workbook>
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000F3A0 GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,GetWindowsDirectoryA,GetSystemDirectoryA,_strcspn,TerminateThread,SendMessageA,ExitWindowsEx, 3_2_1000F3A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000FA35 GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,TerminateThread,SendMessageA,ExitWindowsEx, 3_2_1000FA35
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000FAC4 GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,TerminateThread,SendMessageA,ExitWindowsEx, 3_2_1000FAC4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000FFB0 SendMessageA,SendMessageA,TerminateThread,SendMessageA,ExitWindowsEx, 3_2_1000FFB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001005E SendMessageA,SendMessageA,TerminateThread,SendMessageA,ExitWindowsEx, 3_2_1001005E
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\Windows\SysWOW64\Lublsqnpkfxznyn\
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 1003D219 appears 43 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 1003D578 appears 76 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10001470 appears 34 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 100171AA appears 37 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 1003D1E6 appears 172 times
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Documento.xlsm
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSM@19/11@1/45
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10009DB0 CreateWindowExW,CreateWindowExW,GetLastError,ShowWindow,ShowWindow,CreateWindowExA,ShowWindow,CreateWindowExW,GetLastError,ShowWindow,CreateWindowExA,ShowWindow,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z,_printf, 3_2_10009DB0
Source: Documento.xlsm Virustotal: Detection: 40%
Source: Documento.xlsm ReversingLabs: Detection: 39%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Akqqkkcyjpzjtkdl\yjsihfoifzocxh.bje"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Jlwcmhlugcekbvod\wgwqcgkqco.zkn"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wjoyn\vwxqtwr.dtt"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Fypgzmyquzzcde\otyatzrmngwq.ngt"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bwfagqlayjve\vhxv.yyo"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wajwuevzvdakzef\rsarmrhrfymvh.bdv"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Qqnrprjtrrtdhqc\hwfqlqeqb.xee"
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000D150 SendMessageA,SendMessageA,SendMessageA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,SendMessageA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,SHGetFileInfoA,SendMessageA,SHGetFileInfoA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,SendMessageA,LoadCursorA,CopyIcon,LoadCursorFromFileA,ShowCursor,ShowCursor,SetSystemCursor,ShowCursor,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LoadMenuA,LoadIconA,_strncpy,VariantClear,VariantClear,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,VariantClear,VariantClear,VariantClear,VariantClear, 3_2_1000D150
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE233.tmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_0024BE5E CreateToolhelp32Snapshot, 11_2_0024BE5E
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Documento.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Documento.xlsm Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: 8833.tmp.0.dr Initial sample: OLE indicators vbamacros = False
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003D2BE push ecx; ret 3_2_1003D2D1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003D5BD push ecx; ret 3_2_1003D5D0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1004BC5B LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 3_2_1004BC5B
Source: xxw1.ocx.0.dr Static PE information: real checksum: 0xb1065 should be: 0xabcb9
Source: BRqk58WkNweubruYwrLOt[1].dll.0.dr Static PE information: real checksum: 0xb1065 should be: 0xabcb9
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\xxw1.ocx
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj (copy)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BRqk58WkNweubruYwrLOt[1].dll

Boot Survival

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\xxw1.ocx

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Akqqkkcyjpzjtkdl\yjsihfoifzocxh.bje:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Jlwcmhlugcekbvod\wgwqcgkqco.zkn:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Wjoyn\vwxqtwr.dtt:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Fypgzmyquzzcde\otyatzrmngwq.ngt:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Bwfagqlayjve\vhxv.yyo:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Wajwuevzvdakzef\rsarmrhrfymvh.bdv:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Qqnrprjtrrtdhqc\hwfqlqeqb.xee:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100175E3 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_100175E3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000B6D0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 3_2_1000B6D0
Source: C:\Windows\SysWOW64\regsvr32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1124 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2028 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 172 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2576 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1160 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2128 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2556 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3064 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2688 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 3.0 %
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BRqk58WkNweubruYwrLOt[1].dll
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000D150 SendMessageA,SendMessageA,SendMessageA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,SendMessageA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,SHGetFileInfoA,SendMessageA,SHGetFileInfoA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,SendMessageA,LoadCursorA,CopyIcon,LoadCursorFromFileA,ShowCursor,ShowCursor,SetSystemCursor,ShowCursor,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LoadMenuA,LoadIconA,_strncpy,VariantClear,VariantClear,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,VariantClear,VariantClear,VariantClear,VariantClear, 3_2_1000D150
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: regsvr32.exe, 00000008.00000002.467854306.00000000005B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: regsvr32.exe, 00000009.00000002.473212441.0000000000733000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003CAA2 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 3_2_1003CAA2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002084E __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_1002084E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002A9C8 LoadIconA,FindFirstFileA,GetLastError,lstrlenA,SetLastError,__fullpath,__splitpath_s,__makepath_s, 3_2_1002A9C8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_002627C2 FindFirstFileW, 11_2_002627C2
Source: C:\Windows\SysWOW64\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1004BC5B LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 3_2_1004BC5B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_001A32AC mov eax, dword ptr fs:[00000030h] 3_2_001A32AC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002332AC mov eax, dword ptr fs:[00000030h] 4_2_002332AC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_003032AC mov eax, dword ptr fs:[00000030h] 5_2_003032AC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_008D32AC mov eax, dword ptr fs:[00000030h] 6_2_008D32AC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_001E32AC mov eax, dword ptr fs:[00000030h] 9_2_001E32AC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 10_2_002632AC mov eax, dword ptr fs:[00000030h] 10_2_002632AC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_002432AC mov eax, dword ptr fs:[00000030h] 11_2_002432AC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003B437 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1003B437
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10008DE0 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy, 3_2_10008DE0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10049029 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_10049029
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003B437 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1003B437
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10041ACF _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_10041ACF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10048DD7 SetUnhandledExceptionFilter,__encode_pointer, 3_2_10048DD7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10048DF9 __decode_pointer,SetUnhandledExceptionFilter, 3_2_10048DF9

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 135.148.121.246 144
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Akqqkkcyjpzjtkdl\yjsihfoifzocxh.bje"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Jlwcmhlugcekbvod\wgwqcgkqco.zkn"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wjoyn\vwxqtwr.dtt"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Fypgzmyquzzcde\otyatzrmngwq.ngt"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bwfagqlayjve\vhxv.yyo"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wajwuevzvdakzef\rsarmrhrfymvh.bdv"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Qqnrprjtrrtdhqc\hwfqlqeqb.xee"
Source: Yara match File source: app.xml, type: SAMPLE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 3_2_1004D1C2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 3_2_1002583F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 3_2_100504E2
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1004C93C cpuid 3_2_1004C93C
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10048CD7 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_10048CD7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10047887 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 3_2_10047887
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003CEE0 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd, 3_2_1003CEE0

Stealing of Sensitive Information

Source: Yara match File source: 9.2.regsvr32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.regsvr32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.7e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.regsvr32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.regsvr32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.regsvr32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.8d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.7e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.regsvr32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.451757926.0000000000301000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.711848571.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.451639810.0000000000150000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.482255852.0000000000261000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.445708809.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.462225822.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.457525163.00000000008D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.445844665.0000000000231000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.711876622.0000000000241000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.467760078.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.462181637.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.467692271.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.472981981.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.457498778.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.435154889.0000000000160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.435268033.00000000001A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.473013320.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.482238250.0000000000230000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002847B bind, 3_2_1002847B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10010ED0 PeekMessageA,SendMessageA,_memset,recv,htons,SendMessageA,inet_ntoa,inet_ntoa,SendMessageA,inet_ntoa,SendMessageA,SendMessageA,htons,htons,SendMessageA,htons,SendMessageA,SendMessageA,SendMessageA,PeekMessageA,closesocket,socket,_memset,gethostbyname,inet_ntoa,inet_addr,setsockopt,htons,bind,WSAIoctl,closesocket, 3_2_10010ED0
[Map legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs]