Windows Analysis Report
SecuriteInfo.com.Exploit.Siggen3.32567.15846.18516

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Siggen3.32567.15846.18516 (renamed file extension from 18516 to xls)
Analysis ID: 632157
MD5: 8b2f1d8c5189b9a97624243d30d6ff36
SHA1: c2dcb3ea640cae6e974dd32cf12af400ceac46f9
SHA256: 2f10704047062f616e82e6ab4000864a7cde802b5bdef760da79a9204771bcb2
Tags: SilentBuilderxlsx
Infos:

Detection

Hidden Macro 4.0, Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Office process drops PE file
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Downloads executable code via HTTP
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Registers a DLL
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Drops PE files to the user directory
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Exploit.Siggen3.32567.15846.xls ReversingLabs: Detection: 39%
Antivirus detection for URL or domain
Source: https://173.82.82.196/t5 Avira URL Cloud: Label: malware
Source: https://173.82.82.196:8080/ URL Reputation: Label: malware
Source: https://www.melisetotoaksesuar.com/catalog/controller/account/dqfKI/ Avira URL Cloud: Label: malware
Source: http://jr-software-web.net/aaabackupsqldb/11hYk3bHJ/ Avira URL Cloud: Label: malware
Source: https://173.82.82.196:8080/P5 Avira URL Cloud: Label: malware
Source: http://elamurray.com/athletics-carnival-2018/3UTZYr9D9f/ Avira URL Cloud: Label: malware
Source: https://173.82.82.196/ URL Reputation: Label: malware
Source: https://173.82.82.196:8080/;j Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: jr-software-web.net Virustotal: Detection: 10% Perma Link
Source: masyuk.com Virustotal: Detection: 6% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\LjSKxP[1].dll Metadefender: Detection: 25% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\LjSKxP[1].dll ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\CPZby9k8xhW2TaPgwsAagxTpGuhIkFrK[1].dll ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\F3DOS06hLF1rUq3s6XOB[1].dll Metadefender: Detection: 37% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\F3DOS06hLF1rUq3s6XOB[1].dll ReversingLabs: Detection: 61%
Source: C:\Users\user\uxevr1.ocx ReversingLabs: Detection: 39%
Source: C:\Users\user\uxevr2.ocx Metadefender: Detection: 37% Perma Link
Source: C:\Users\user\uxevr2.ocx ReversingLabs: Detection: 61%
Source: C:\Users\user\uxevr4.ocx Metadefender: Detection: 25% Perma Link
Source: C:\Users\user\uxevr4.ocx ReversingLabs: Detection: 65%
Source: C:\Windows\System32\FUVVPG\TGCY.dll (copy) Metadefender: Detection: 37% Perma Link
Source: C:\Windows\System32\FUVVPG\TGCY.dll (copy) ReversingLabs: Detection: 61%
Source: C:\Windows\System32\JQSPcFGJSVOMPtFX\ZXsHFctgkSbxp.dll (copy) ReversingLabs: Detection: 39%
Source: C:\Windows\System32\VrLOhrB\szFRUu.dll (copy) Metadefender: Detection: 25% Perma Link
Source: C:\Windows\System32\VrLOhrB\szFRUu.dll (copy) ReversingLabs: Detection: 65%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\F3DOS06hLF1rUq3s6XOB[1].dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\CPZby9k8xhW2TaPgwsAagxTpGuhIkFrK[1].dll Joe Sandbox ML: detected
Source: C:\Users\user\uxevr1.ocx Joe Sandbox ML: detected
Source: C:\Users\user\uxevr4.ocx Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\LjSKxP[1].dll Joe Sandbox ML: detected
Source: C:\Users\user\uxevr2.ocx Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 212.98.224.29:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800248B0 FindFirstFileW,FindNextFileW,FindClose, 4_2_00000001800248B0
Source: C:\Windows\System32\regsvr32.exe Code function: 10_2_00000001800248B0 FindFirstFileW,FindNextFileW,FindClose, 10_2_00000001800248B0

Software Vulnerabilities
barindex
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: CPZby9k8xhW2TaPgwsAagxTpGuhIkFrK[1].dll.0.dr Jump to dropped file
Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\CPZby9k8xhW2TaPgwsAagxTpGuhIkFrK[1].dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\F3DOS06hLF1rUq3s6XOB[1].dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\LjSKxP[1].dll Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.melisetotoaksesuar.com
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 212.98.224.29:443
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 212.98.224.29:443

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 173.82.82.196 8080 Jump to behavior
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MULTA-ASN1US MULTA-ASN1US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 173.82.82.196 173.82.82.196
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 23 May 2022 09:38:30 GMTServer: ApacheCache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Mon, 23 May 2022 09:38:30 GMTContent-Disposition: attachment; filename="F3DOS06hLF1rUq3s6XOB.dll"Content-Transfer-Encoding: binarySet-Cookie: 628b5616d3c74=1653298710; expires=Mon, 23-May-2022 09:39:30 GMT; Max-Age=60; path=/Last-Modified: Mon, 23 May 2022 09:38:30 GMTContent-Length: 376320Vary: User-AgentKeep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ea 8c e5 53 ae ed 8b 00 ae ed 8b 00 ae ed 8b 00 c1 9b 15 00 a4 ed 8b 00 c1 9b 21 00 ce ed 8b 00 a7 95 18 00 a9 ed 8b 00 ae ed 8a 00 cb ed 8b 00 c1 9b 20 00 84 ed 8b 00 c1 9b 10 00 af ed 8b 00 c1 9b 11 00 af ed 8b 00 ae ed 1c 00 ac ed 8b 00 c1 9b 16 00 af ed 8b 00 52 69 63 68 ae ed 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 c5 a2 86 62 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0a 00 00 60 01 00 00 82 04 00 00 00 00 00 7c 90 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 20 06 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 90 fc 01 00 72 00 00 00 24 f2 01 00 50 00 00 00 00 70 02 00 98 90 03 00 00 50 02 00 3c 12 00 00 00 00 00 00 00 00 00 00 00 10 06 00 d0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 01 00 20 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5a 5e 01 00 00 10 00 00 00 60 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 02 8d 00 00 00 70 01 00 00 8e 00 00 00 64 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 10 43 00 00 00 00 02 00 00 1c 00 00 00 f2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 3c 12 00 00 00 50 02 00 00 14 00 00 00 0e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 98 90 03 00 00 70 02 00 00 92 03 00 00 22 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 98 08 00 00 00 10 06 00 00 0a 00 00 00 b4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!Th
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKCache-Control: privatePragma: no-cacheContent-Type: application/x-msdownloadExpires: Mon, 23 May 2022 09:39:24 GMTLast-Modified: Mon, 23 May 2022 09:39:24 GMTServer: Microsoft-IIS/8.5Set-Cookie: 628b564cc20b8=1653298764; expires=Mon, 23-May-2022 09:40:24 GMT; Max-Age=60; path=/Content-Disposition: attachment; filename="LjSKxP.dll"Content-Transfer-Encoding: binaryX-Powered-By: ASP.NETDate: Mon, 23 May 2022 09:39:24 GMTContent-Length: 365056Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 99 b3 07 38 dd d2 69 6b dd d2 69 6b dd d2 69 6b b2 a4 c3 6b 83 d2 69 6b b2 a4 f7 6b d7 d2 69 6b d4 aa fa 6b da d2 69 6b dd d2 68 6b 84 d2 69 6b b2 a4 c2 6b f6 d2 69 6b b2 a4 f2 6b dc d2 69 6b b2 a4 f3 6b dc d2 69 6b b2 a4 f4 6b dc d2 69 6b 52 69 63 68 dd d2 69 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 76 7b 87 62 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0a 00 00 04 02 00 00 8a 03 00 00 00 00 00 80 35 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 05 00 02 00 00 00 00 00 05 00 02 00 00 00 00 00 00 f0 05 00 00 04 00 00 f5 54 06 00 02 00 40 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 d0 aa 02 00 84 00 00 00 04 a2 02 00 50 00 00 00 00 00 03 00 fc d1 02 00 00 f0 02 00 cc 0f 00 00 00 00 00 00 00 00 00 00 00 e0 05 00 94 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 02 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 fa 03 02 00 00 10 00 00 00 04 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 54 8b 00 00 00 20 02 00 00 8c 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 37 00 00 00 b0 02 00 00 14 00 00 00 94 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 cc 0f 00 00 00 f0 02 00 00 10 00 00 00 a8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 fc d1 02 00 00 00 03 00 00 d2 02 00 00 b8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f2 06 00 00 00 e0 05 00 00 08 00 00 00 8a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /catalog/controller/account/dqfKI/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.melisetotoaksesuar.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /athletics-carnival-2018/3UTZYr9D9f/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: elamurray.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /aaabackupsqldb/11hYk3bHJ/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jr-software-web.netConnection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49176 -> 173.82.82.196:8080
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: unknown TCP traffic detected without corresponding DNS query: 173.82.82.196
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.com
Source: regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000004.00000002.1330847562.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330687198.0000000000298000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000A.00000002.1330703562.00000000002B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
Source: regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoc
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000004.00000002.1330694455.000000000035D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.995102678.000000000035D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330703562.00000000002B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196/
Source: regsvr32.exe, 0000000A.00000002.1330703562.00000000002B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196/t5
Source: regsvr32.exe, 00000004.00000002.1330847562.0000000002B0E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330703562.00000000002B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196:8080/
Source: regsvr32.exe, 00000004.00000003.994995885.0000000000319000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.1330650184.0000000000319000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196:8080/;j
Source: regsvr32.exe, 0000000A.00000002.1330703562.00000000002B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://173.82.82.196:8080/P5
Source: regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.co
Source: regsvr32.exe, 00000004.00000002.1330857701.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1330928255.0000000002CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\CPZby9k8xhW2TaPgwsAagxTpGuhIkFrK[1].dll Jump to behavior
Source: unknown DNS traffic detected: queries for: www.melisetotoaksesuar.com
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180006B24 InternetReadFile, 4_2_0000000180006B24
Source: global traffic HTTP traffic detected: GET /catalog/controller/account/dqfKI/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.melisetotoaksesuar.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /athletics-carnival-2018/3UTZYr9D9f/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: elamurray.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /aaabackupsqldb/11hYk3bHJ/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jr-software-web.netConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 212.98.224.29:443 -> 192.168.2.22:49173 version: TLS 1.2

E-Banking Fraud
barindex
Yara detected Emotet
Source: Yara match File source: 9.2.regsvr32.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.regsvr32.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.regsvr32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.regsvr32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.regsvr32.exe.7fef74e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.7fef74e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1045326687.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1246167639.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1043672684.00000000002D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1245776901.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1330732797.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.913587412.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1246196239.000007FEF74E1000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.914096023.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1331020678.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1330526390.00000000001C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1331411753.000007FEF74E1000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1331036064.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\F3DOS06hLF1rUq3s6XOB[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\uxevr2.ocx, type: DROPPED

System Summary
barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing and click Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
Source: Screenshot number: 4 Screenshot OCR: Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
Found malicious Excel 4.0 Macro
Source: SecuriteInfo.com.Exploit.Siggen3.32567.15846.xls Macro extractor: Sheet: PKEKPPGEKKPGE contains: URLDownloadToFileA
Source: SecuriteInfo.com.Exploit.Siggen3.32567.15846.xls Macro extractor: Sheet: PKEKPPGEKKPGE contains: URLDownloadToFileA
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr1.ocx Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\CPZby9k8xhW2TaPgwsAagxTpGuhIkFrK[1].dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\F3DOS06hLF1rUq3s6XOB[1].dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\LjSKxP[1].dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr2.ocx Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr4.ocx Jump to dropped file
Found Excel 4.0 Macro with suspicious formulas
Source: SecuriteInfo.com.Exploit.Siggen3.32567.15846.xls Initial sample: EXEC
Source: SecuriteInfo.com.Exploit.Siggen3.32567.15846.xls Initial sample: EXEC
Creates files inside the system directory
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\JQSPcFGJSVOMPtFX\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D212B0 3_2_000007FEF9D212B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D25E01 3_2_000007FEF9D25E01
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D25CAD 3_2_000007FEF9D25CAD
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D26850 3_2_000007FEF9D26850
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D2443C 3_2_000007FEF9D2443C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D253FB 3_2_000007FEF9D253FB
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D24A70 3_2_000007FEF9D24A70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00130000 3_2_00130000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180005C74 3_2_0000000180005C74
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002ACE8 3_2_000000018002ACE8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020118 3_2_0000000180020118
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000359C 3_2_000000018000359C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E99C 3_2_000000018000E99C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019628 3_2_0000000180019628
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025A4C 3_2_0000000180025A4C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180009408 3_2_0000000180009408
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180023C14 3_2_0000000180023C14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006414 3_2_0000000180006414
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002582C 3_2_000000018002582C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B834 3_2_000000018000B834
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000403C 3_2_000000018000403C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180021444 3_2_0000000180021444
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012044 3_2_0000000180012044
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180016054 3_2_0000000180016054
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001705C 3_2_000000018001705C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001870 3_2_0000000180001870
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F878 3_2_000000018001F878
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180014484 3_2_0000000180014484
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015494 3_2_0000000180015494
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000BC98 3_2_000000018000BC98
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008C9C 3_2_0000000180008C9C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800078A4 3_2_00000001800078A4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F0A8 3_2_000000018001F0A8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E4AC 3_2_000000018001E4AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800048B0 3_2_00000001800048B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001ACB4 3_2_000000018001ACB4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800090B4 3_2_00000001800090B4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800270C0 3_2_00000001800270C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800024C0 3_2_00000001800024C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800280C8 3_2_00000001800280C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800050D4 3_2_00000001800050D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800234D8 3_2_00000001800234D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800150F0 3_2_00000001800150F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012500 3_2_0000000180012500
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024104 3_2_0000000180024104
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001A10C 3_2_000000018001A10C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028D10 3_2_0000000180028D10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001A524 3_2_000000018001A524
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180002D28 3_2_0000000180002D28
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E130 3_2_000000018000E130
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180029134 3_2_0000000180029134
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008134 3_2_0000000180008134
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022140 3_2_0000000180022140
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006954 3_2_0000000180006954
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F554 3_2_000000018000F554
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002B564 3_2_000000018002B564
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012168 3_2_0000000180012168
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013568 3_2_0000000180013568
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024570 3_2_0000000180024570
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180019178 3_2_0000000180019178
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180025180 3_2_0000000180025180
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001980 3_2_0000000180001980
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180021588 3_2_0000000180021588
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001A988 3_2_000000018001A988
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018190 3_2_0000000180018190
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013994 3_2_0000000180013994
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028998 3_2_0000000180028998
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800061A0 3_2_00000001800061A0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800135A6 3_2_00000001800135A6
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180016DA8 3_2_0000000180016DA8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800059AC 3_2_00000001800059AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800135B4 3_2_00000001800135B4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001C1B8 3_2_000000018001C1B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800025B8 3_2_00000001800025B8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800085BC 3_2_00000001800085BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800015C0 3_2_00000001800015C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800295C8 3_2_00000001800295C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800229CC 3_2_00000001800229CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000E5D4 3_2_000000018000E5D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002A5D8 3_2_000000018002A5D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800261E0 3_2_00000001800261E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800079EC 3_2_00000001800079EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180023624 3_2_0000000180023624
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018628 3_2_0000000180018628
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017E2C 3_2_0000000180017E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180017638 3_2_0000000180017638
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180004E3C 3_2_0000000180004E3C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020E40 3_2_0000000180020E40
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015A64 3_2_0000000180015A64
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015264 3_2_0000000180015264
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A26C 3_2_000000018000A26C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007678 3_2_0000000180007678
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001667C 3_2_000000018001667C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012680 3_2_0000000180012680
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001E88 3_2_0000000180001E88
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000968C 3_2_000000018000968C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022290 3_2_0000000180022290
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180026A90 3_2_0000000180026A90
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000529C 3_2_000000018000529C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180020AA0 3_2_0000000180020AA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180022AAC 3_2_0000000180022AAC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007EB4 3_2_0000000180007EB4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800162BC 3_2_00000001800162BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800252C0 3_2_00000001800252C0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001AEC8 3_2_000000018001AEC8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001F6DC 3_2_000000018001F6DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800026DC 3_2_00000001800026DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180002ADC 3_2_0000000180002ADC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001E2F4 3_2_000000018001E2F4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180016AF4 3_2_0000000180016AF4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000DEF4 3_2_000000018000DEF4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001DEFC 3_2_000000018001DEFC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006308 3_2_0000000180006308
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001370C 3_2_000000018001370C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180004B18 3_2_0000000180004B18
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015F24 3_2_0000000180015F24
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006B24 3_2_0000000180006B24
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000F328 3_2_000000018000F328
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180021738 3_2_0000000180021738
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002AF38 3_2_000000018002AF38
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180028348 3_2_0000000180028348
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000DB4C 3_2_000000018000DB4C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180014F50 3_2_0000000180014F50
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B350 3_2_000000018000B350
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A758 3_2_000000018000A758
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018002975C 3_2_000000018002975C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180024370 3_2_0000000180024370
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008370 3_2_0000000180008370
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015774 3_2_0000000180015774
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180012378 3_2_0000000180012378
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180026B98 3_2_0000000180026B98
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001CF9C 3_2_000000018001CF9C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001EBA0 3_2_000000018001EBA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018001B3A4 3_2_000000018001B3A4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D7AC 3_2_000000018000D7AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800053B0 3_2_00000001800053B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180015BB8 3_2_0000000180015BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800207BC 3_2_00000001800207BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000FFC0 3_2_000000018000FFC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800173DC 3_2_00000001800173DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180018BDC 3_2_0000000180018BDC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_004C0000 4_2_004C0000
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000C819 4_2_000000018000C819
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180019628 4_2_0000000180019628
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180025A4C 4_2_0000000180025A4C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001705C 4_2_000000018001705C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180012864 4_2_0000000180012864
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180005C74 4_2_0000000180005C74
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800248B0 4_2_00000001800248B0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800090B4 4_2_00000001800090B4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800252C0 4_2_00000001800252C0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800024C0 4_2_00000001800024C0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180024104 4_2_0000000180024104
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180006B24 4_2_0000000180006B24
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180006F2C 4_2_0000000180006F2C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000A758 4_2_000000018000A758
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180024570 4_2_0000000180024570
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000E99C 4_2_000000018000E99C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001B3A4 4_2_000000018001B3A4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800079EC 4_2_00000001800079EC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180009408 4_2_0000000180009408
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180023C14 4_2_0000000180023C14
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180006414 4_2_0000000180006414
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180023624 4_2_0000000180023624
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180018628 4_2_0000000180018628
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002582C 4_2_000000018002582C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180017E2C 4_2_0000000180017E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000B834 4_2_000000018000B834
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180017638 4_2_0000000180017638
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000403C 4_2_000000018000403C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180004E3C 4_2_0000000180004E3C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180020E40 4_2_0000000180020E40
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180021444 4_2_0000000180021444
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180012044 4_2_0000000180012044
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180016054 4_2_0000000180016054
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180015A64 4_2_0000000180015A64
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180015264 4_2_0000000180015264
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000A26C 4_2_000000018000A26C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180001870 4_2_0000000180001870
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001F878 4_2_000000018001F878
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180007678 4_2_0000000180007678
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001667C 4_2_000000018001667C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180012680 4_2_0000000180012680
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180014484 4_2_0000000180014484
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180001E88 4_2_0000000180001E88
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000968C 4_2_000000018000968C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180022290 4_2_0000000180022290
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180026A90 4_2_0000000180026A90
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180015494 4_2_0000000180015494
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000BC98 4_2_000000018000BC98
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000529C 4_2_000000018000529C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180008C9C 4_2_0000000180008C9C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180020AA0 4_2_0000000180020AA0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800078A4 4_2_00000001800078A4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001F0A8 4_2_000000018001F0A8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180022AAC 4_2_0000000180022AAC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001E4AC 4_2_000000018001E4AC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800048B0 4_2_00000001800048B0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001ACB4 4_2_000000018001ACB4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180007EB4 4_2_0000000180007EB4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800162BC 4_2_00000001800162BC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800270C0 4_2_00000001800270C0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800280C8 4_2_00000001800280C8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001AEC8 4_2_000000018001AEC8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800050D4 4_2_00000001800050D4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800234D8 4_2_00000001800234D8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001F6DC 4_2_000000018001F6DC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800026DC 4_2_00000001800026DC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180002ADC 4_2_0000000180002ADC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002ACE8 4_2_000000018002ACE8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800150F0 4_2_00000001800150F0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001E2F4 4_2_000000018001E2F4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180016AF4 4_2_0000000180016AF4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000DEF4 4_2_000000018000DEF4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001DEFC 4_2_000000018001DEFC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180012500 4_2_0000000180012500
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180006308 4_2_0000000180006308
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001370C 4_2_000000018001370C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001A10C 4_2_000000018001A10C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180028D10 4_2_0000000180028D10
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180020118 4_2_0000000180020118
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180004B18 4_2_0000000180004B18
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001A524 4_2_000000018001A524
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180015F24 4_2_0000000180015F24
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000F328 4_2_000000018000F328
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180002D28 4_2_0000000180002D28
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000E130 4_2_000000018000E130
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180029134 4_2_0000000180029134
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180008134 4_2_0000000180008134
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180021738 4_2_0000000180021738
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002AF38 4_2_000000018002AF38
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180022140 4_2_0000000180022140
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180028348 4_2_0000000180028348
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000DB4C 4_2_000000018000DB4C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180014F50 4_2_0000000180014F50
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000B350 4_2_000000018000B350
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180006954 4_2_0000000180006954
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000F554 4_2_000000018000F554
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002975C 4_2_000000018002975C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002B564 4_2_000000018002B564
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180012168 4_2_0000000180012168
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180013568 4_2_0000000180013568
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180024370 4_2_0000000180024370
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180008370 4_2_0000000180008370
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180015774 4_2_0000000180015774
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180012378 4_2_0000000180012378
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180019178 4_2_0000000180019178
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180025180 4_2_0000000180025180
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180001980 4_2_0000000180001980
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180021588 4_2_0000000180021588
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001A988 4_2_000000018001A988
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180018190 4_2_0000000180018190
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180013994 4_2_0000000180013994
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180026B98 4_2_0000000180026B98
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180028998 4_2_0000000180028998
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001CF9C 4_2_000000018001CF9C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000359C 4_2_000000018000359C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001EBA0 4_2_000000018001EBA0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800061A0 4_2_00000001800061A0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800135A6 4_2_00000001800135A6
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180016DA8 4_2_0000000180016DA8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800059AC 4_2_00000001800059AC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000D7AC 4_2_000000018000D7AC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800053B0 4_2_00000001800053B0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800135B4 4_2_00000001800135B4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018001C1B8 4_2_000000018001C1B8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180015BB8 4_2_0000000180015BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800025B8 4_2_00000001800025B8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800207BC 4_2_00000001800207BC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800085BC 4_2_00000001800085BC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800015C0 4_2_00000001800015C0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000FFC0 4_2_000000018000FFC0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800295C8 4_2_00000001800295C8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800229CC 4_2_00000001800229CC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018000E5D4 4_2_000000018000E5D4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_000000018002A5D8 4_2_000000018002A5D8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800173DC 4_2_00000001800173DC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180018BDC 4_2_0000000180018BDC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800261E0 4_2_00000001800261E0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74E1964 5_2_000007FEF74E1964
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74ECC38 5_2_000007FEF74ECC38
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74F0720 5_2_000007FEF74F0720
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74EEDCC 5_2_000007FEF74EEDCC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74EC5D8 5_2_000007FEF74EC5D8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74EFDD0 5_2_000007FEF74EFDD0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74EC9FC 5_2_000007FEF74EC9FC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_001C0000 5_2_001C0000
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180005C74 5_2_0000000180005C74
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002ACE8 5_2_000000018002ACE8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000359C 5_2_000000018000359C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000E99C 5_2_000000018000E99C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180019628 5_2_0000000180019628
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180025A9D 5_2_0000000180025A9D
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002B7B2 5_2_000000018002B7B2
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180009408 5_2_0000000180009408
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180023C14 5_2_0000000180023C14
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180006414 5_2_0000000180006414
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002582C 5_2_000000018002582C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000B834 5_2_000000018000B834
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000403C 5_2_000000018000403C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180021444 5_2_0000000180021444
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180012044 5_2_0000000180012044
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180016054 5_2_0000000180016054
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001705C 5_2_000000018001705C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180001870 5_2_0000000180001870
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001F878 5_2_000000018001F878
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180014484 5_2_0000000180014484
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180015494 5_2_0000000180015494
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000BC98 5_2_000000018000BC98
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180008C9C 5_2_0000000180008C9C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800078A4 5_2_00000001800078A4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001F0A8 5_2_000000018001F0A8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001E4AC 5_2_000000018001E4AC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800048B0 5_2_00000001800048B0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001ACB4 5_2_000000018001ACB4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800090B4 5_2_00000001800090B4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800270C0 5_2_00000001800270C0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800024C0 5_2_00000001800024C0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800280C8 5_2_00000001800280C8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800050D4 5_2_00000001800050D4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800234D8 5_2_00000001800234D8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800150F0 5_2_00000001800150F0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180012500 5_2_0000000180012500
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180024104 5_2_0000000180024104
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001A10C 5_2_000000018001A10C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180028D10 5_2_0000000180028D10
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180020118 5_2_0000000180020118
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001A524 5_2_000000018001A524
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180002D28 5_2_0000000180002D28
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000E130 5_2_000000018000E130
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180029134 5_2_0000000180029134
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180008134 5_2_0000000180008134
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180022140 5_2_0000000180022140
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180006954 5_2_0000000180006954
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000F554 5_2_000000018000F554
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002B564 5_2_000000018002B564
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180012168 5_2_0000000180012168
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180013568 5_2_0000000180013568
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180024570 5_2_0000000180024570
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180019178 5_2_0000000180019178
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180025180 5_2_0000000180025180
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180001980 5_2_0000000180001980
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180021588 5_2_0000000180021588
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001A988 5_2_000000018001A988
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180018190 5_2_0000000180018190
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180013994 5_2_0000000180013994
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180028998 5_2_0000000180028998
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800061A0 5_2_00000001800061A0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800135A6 5_2_00000001800135A6
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180016DA8 5_2_0000000180016DA8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800059AC 5_2_00000001800059AC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800135B4 5_2_00000001800135B4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001C1B8 5_2_000000018001C1B8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800025B8 5_2_00000001800025B8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800085BC 5_2_00000001800085BC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800015C0 5_2_00000001800015C0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800295C8 5_2_00000001800295C8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800229CC 5_2_00000001800229CC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000E5D4 5_2_000000018000E5D4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002A5D8 5_2_000000018002A5D8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800261E0 5_2_00000001800261E0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800079EC 5_2_00000001800079EC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180023624 5_2_0000000180023624
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180018628 5_2_0000000180018628
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180017E2C 5_2_0000000180017E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180017638 5_2_0000000180017638
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180004E3C 5_2_0000000180004E3C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180020E40 5_2_0000000180020E40
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180015A64 5_2_0000000180015A64
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180015264 5_2_0000000180015264
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000A26C 5_2_000000018000A26C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180007678 5_2_0000000180007678
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001667C 5_2_000000018001667C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180012680 5_2_0000000180012680
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180001E88 5_2_0000000180001E88
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000968C 5_2_000000018000968C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180022290 5_2_0000000180022290
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180026A90 5_2_0000000180026A90
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000529C 5_2_000000018000529C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180020AA0 5_2_0000000180020AA0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180022AAC 5_2_0000000180022AAC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180007EB4 5_2_0000000180007EB4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800162BC 5_2_00000001800162BC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800252C0 5_2_00000001800252C0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001AEC8 5_2_000000018001AEC8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001F6DC 5_2_000000018001F6DC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800026DC 5_2_00000001800026DC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180002ADC 5_2_0000000180002ADC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001E2F4 5_2_000000018001E2F4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180016AF4 5_2_0000000180016AF4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000DEF4 5_2_000000018000DEF4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001DEFC 5_2_000000018001DEFC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180006308 5_2_0000000180006308
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001370C 5_2_000000018001370C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180004B18 5_2_0000000180004B18
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180015F24 5_2_0000000180015F24
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180006B24 5_2_0000000180006B24
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000F328 5_2_000000018000F328
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180021738 5_2_0000000180021738
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002AF38 5_2_000000018002AF38
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180028348 5_2_0000000180028348
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000DB4C 5_2_000000018000DB4C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180014F50 5_2_0000000180014F50
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000B350 5_2_000000018000B350
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000A758 5_2_000000018000A758
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018002975C 5_2_000000018002975C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180024370 5_2_0000000180024370
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180008370 5_2_0000000180008370
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180015774 5_2_0000000180015774
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180012378 5_2_0000000180012378
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180026B98 5_2_0000000180026B98
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001CF9C 5_2_000000018001CF9C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001EBA0 5_2_000000018001EBA0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018001B3A4 5_2_000000018001B3A4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000D7AC 5_2_000000018000D7AC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800053B0 5_2_00000001800053B0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180015BB8 5_2_0000000180015BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800207BC 5_2_00000001800207BC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000FFC0 5_2_000000018000FFC0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00000001800173DC 5_2_00000001800173DC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180018BDC 5_2_0000000180018BDC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000007FEF91912B0 9_2_000007FEF91912B0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000007FEF9195E01 9_2_000007FEF9195E01
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000007FEF9196850 9_2_000007FEF9196850
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000007FEF9195CAD 9_2_000007FEF9195CAD
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000007FEF91953FB 9_2_000007FEF91953FB
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000007FEF919443C 9_2_000007FEF919443C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000007FEF9194A70 9_2_000007FEF9194A70
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00130000 9_2_00130000
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180005C74 9_2_0000000180005C74
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018002ACE8 9_2_000000018002ACE8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180020118 9_2_0000000180020118
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000359C 9_2_000000018000359C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000E99C 9_2_000000018000E99C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180019628 9_2_0000000180019628
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180025A4C 9_2_0000000180025A4C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018002B7B2 9_2_000000018002B7B2
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180009408 9_2_0000000180009408
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180023C14 9_2_0000000180023C14
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180006414 9_2_0000000180006414
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018002582C 9_2_000000018002582C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000B834 9_2_000000018000B834
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000403C 9_2_000000018000403C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180021444 9_2_0000000180021444
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180012044 9_2_0000000180012044
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180016054 9_2_0000000180016054
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001705C 9_2_000000018001705C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180001870 9_2_0000000180001870
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001F878 9_2_000000018001F878
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180014484 9_2_0000000180014484
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180015494 9_2_0000000180015494
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000BC98 9_2_000000018000BC98
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180008C9C 9_2_0000000180008C9C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800078A4 9_2_00000001800078A4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001F0A8 9_2_000000018001F0A8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001E4AC 9_2_000000018001E4AC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800048B0 9_2_00000001800048B0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001ACB4 9_2_000000018001ACB4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800090B4 9_2_00000001800090B4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800270C0 9_2_00000001800270C0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800024C0 9_2_00000001800024C0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800280C8 9_2_00000001800280C8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800050D4 9_2_00000001800050D4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800234D8 9_2_00000001800234D8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800150F0 9_2_00000001800150F0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180012500 9_2_0000000180012500
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180024104 9_2_0000000180024104
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001A10C 9_2_000000018001A10C
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180028D10 9_2_0000000180028D10
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001A524 9_2_000000018001A524
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180002D28 9_2_0000000180002D28
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000E130 9_2_000000018000E130
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180029134 9_2_0000000180029134
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180008134 9_2_0000000180008134
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180022140 9_2_0000000180022140
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180006954 9_2_0000000180006954
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000F554 9_2_000000018000F554
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018002B564 9_2_000000018002B564
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180012168 9_2_0000000180012168
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180013568 9_2_0000000180013568
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180024570 9_2_0000000180024570
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180019178 9_2_0000000180019178
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180025180 9_2_0000000180025180
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180001980 9_2_0000000180001980
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180021588 9_2_0000000180021588
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001A988 9_2_000000018001A988
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180018190 9_2_0000000180018190
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180013994 9_2_0000000180013994
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180028998 9_2_0000000180028998
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800061A0 9_2_00000001800061A0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800135A6 9_2_00000001800135A6
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180016DA8 9_2_0000000180016DA8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800059AC 9_2_00000001800059AC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800135B4 9_2_00000001800135B4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018001C1B8 9_2_000000018001C1B8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800025B8 9_2_00000001800025B8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800085BC 9_2_00000001800085BC
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800015C0 9_2_00000001800015C0
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800295C8 9_2_00000001800295C8
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_00000001800229CC 9_2_00000001800229CC
Found potential string decryption / allocating functions
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF9197FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF9D2B3B0 appears 148 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF919BD70 appears 113 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF74E1628 appears 214 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF919B3B0 appears 148 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF9D27FF0 appears 31 times
Source: C:\Windows\System32\regsvr32.exe Code function: String function: 000007FEF9D2BD70 appears 113 times
Abnormal high CPU Usage
Source: C:\Windows\System32\regsvr32.exe Process Stats: CPU usage > 98%
Found a hidden Excel 4.0 Macro sheet
Source: SecuriteInfo.com.Exploit.Siggen3.32567.15846.xls Macro extractor: Sheet name: PKEKPPGEKKPGE
Source: SecuriteInfo.com.Exploit.Siggen3.32567.15846.xls Macro extractor: Sheet name: PKEKPPGEKKPGE
PE file contains strange resources
Source: F3DOS06hLF1rUq3s6XOB[1].dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: F3DOS06hLF1rUq3s6XOB[1].dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: F3DOS06hLF1rUq3s6XOB[1].dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: F3DOS06hLF1rUq3s6XOB[1].dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: F3DOS06hLF1rUq3s6XOB[1].dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: F3DOS06hLF1rUq3s6XOB[1].dll.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uxevr2.ocx.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uxevr2.ocx.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uxevr2.ocx.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uxevr2.ocx.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uxevr2.ocx.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: uxevr2.ocx.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\LjSKxP[1].dll 67C21491D013E6DBE6E123530F6686010163E75EF3DF41CEEBF7601C78692434
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\CPZby9k8xhW2TaPgwsAagxTpGuhIkFrK[1].dll 8975189B8CB95CA5DC8EDAE1AC48C816A065467355B5C8678C6D9C0323C8F13B
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\F3DOS06hLF1rUq3s6XOB[1].dll 38B418029CB9E717604336AC6B2AF141A8549EFA0B7DA970CBEE4E0FA199A056
Source: SecuriteInfo.com.Exploit.Siggen3.32567.15846.xls ReversingLabs: Detection: 39%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\uxevr1.ocx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JQSPcFGJSVOMPtFX\ZXsHFctgkSbxp.dll"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\uxevr2.ocx
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\uxevr3.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\uxevr4.ocx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VrLOhrB\szFRUu.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FUVVPG\TGCY.dll"
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\uxevr1.ocx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\uxevr2.ocx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\uxevr3.ocx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\uxevr4.ocx Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JQSPcFGJSVOMPtFX\ZXsHFctgkSbxp.dll" Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FUVVPG\TGCY.dll" Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VrLOhrB\szFRUu.dll" Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr1.ocx Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR53D9.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@16/15@4/5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: SecuriteInfo.com.Exploit.Siggen3.32567.15846.xls OLE indicator, Workbook stream: true
Source: SecuriteInfo.com.Exploit.Siggen3.32567.15846.xls.0.dr OLE indicator, Workbook stream: true
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180006F2C CloseHandle,Process32FirstW,CreateToolhelp32Snapshot,Process32NextW, 4_2_0000000180006F2C
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: SecuriteInfo.com.Exploit.Siggen3.32567.15846.xls Initial sample: OLE indicators vbamacros = False
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000C892 push ebp; retf 3_2_000000018000C895
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D095 push B3B8007Eh; iretd 3_2_000000018000D09A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D0F3 push ebp; iretd 3_2_000000018000D0F4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180013551 push ebx; retf 3_2_0000000180013559
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000D15D push ebx; retn 0068h 3_2_000000018000D15E
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000CDA8 push ebp; iretd 3_2_000000018000CDA9
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000CE36 push 458B0086h; iretd 3_2_000000018000CE3B
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0000000180013551 push ebx; retf 4_2_0000000180013559
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000C892 push ebp; retf 5_2_000000018000C895
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000D095 push B3B8007Eh; iretd 5_2_000000018000D09A
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000D0F3 push ebp; iretd 5_2_000000018000D0F4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0000000180013551 push ebx; retf 5_2_0000000180013559
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000D15D push ebx; retn 0068h 5_2_000000018000D15E
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000CDA8 push ebp; iretd 5_2_000000018000CDA9
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000000018000CE36 push 458B0086h; iretd 5_2_000000018000CE3B
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000C892 push ebp; retf 9_2_000000018000C895
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000D095 push B3B8007Eh; iretd 9_2_000000018000D09A
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000D0F3 push ebp; iretd 9_2_000000018000D0F4
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_0000000180013551 push ebx; retf 9_2_0000000180013559
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000D15D push ebx; retn 0068h 9_2_000000018000D15E
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000CDA8 push ebp; iretd 9_2_000000018000CDA9
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000000018000CE36 push 458B0086h; iretd 9_2_000000018000CE3B
Source: C:\Windows\System32\regsvr32.exe Code function: 10_2_0000000180013551 push ebx; retf 10_2_0000000180013559
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D30CC0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_000007FEF9D30CC0
PE file contains an invalid checksum
Source: uxevr1.ocx.0.dr Static PE information: real checksum: 0x654f5 should be: 0x5c267
Source: LjSKxP[1].dll.0.dr Static PE information: real checksum: 0x654f5 should be: 0x5d0fb
Source: uxevr2.ocx.0.dr Static PE information: real checksum: 0x0 should be: 0x667cb
Source: CPZby9k8xhW2TaPgwsAagxTpGuhIkFrK[1].dll.0.dr Static PE information: real checksum: 0x654f5 should be: 0x5c267
Source: F3DOS06hLF1rUq3s6XOB[1].dll.0.dr Static PE information: real checksum: 0x0 should be: 0x667cb
Source: uxevr4.ocx.0.dr Static PE information: real checksum: 0x654f5 should be: 0x5d0fb
Registers a DLL
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JQSPcFGJSVOMPtFX\ZXsHFctgkSbxp.dll"
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr1.ocx Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\CPZby9k8xhW2TaPgwsAagxTpGuhIkFrK[1].dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\F3DOS06hLF1rUq3s6XOB[1].dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\LjSKxP[1].dll Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\JQSPcFGJSVOMPtFX\ZXsHFctgkSbxp.dll (copy) Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\VrLOhrB\szFRUu.dll (copy) Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\FUVVPG\TGCY.dll (copy) Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr2.ocx Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr4.ocx Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\JQSPcFGJSVOMPtFX\ZXsHFctgkSbxp.dll (copy) Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\VrLOhrB\szFRUu.dll (copy) Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\FUVVPG\TGCY.dll (copy) Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr1.ocx Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr2.ocx Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr4.ocx Jump to dropped file

Boot Survival
barindex
Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr1.ocx Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr2.ocx Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\uxevr4.ocx Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\JQSPcFGJSVOMPtFX\ZXsHFctgkSbxp.dll:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\FUVVPG\TGCY.dll:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\VrLOhrB\szFRUu.dll:Zone.Identifier read attributes | delete Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\regsvr32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\regsvr32.exe TID: 1320 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2944 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 948 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 768 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 1120 Thread sleep time: -120000s >= -30000s Jump to behavior
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\System32\regsvr32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\CPZby9k8xhW2TaPgwsAagxTpGuhIkFrK[1].dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\LjSKxP[1].dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\F3DOS06hLF1rUq3s6XOB[1].dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Windows\System32\regsvr32.exe API coverage: 8.2 %
Source: C:\Windows\System32\regsvr32.exe API coverage: 8.2 %
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00000001800248B0 FindFirstFileW,FindNextFileW,FindClose, 4_2_00000001800248B0
Source: C:\Windows\System32\regsvr32.exe Code function: 10_2_00000001800248B0 FindFirstFileW,FindNextFileW,FindClose, 10_2_00000001800248B0
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: regsvr32.exe, 00000005.00000002.1245924691.000000000030A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: regsvr32.exe, 00000003.00000002.913710078.00000000002CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware_SAT
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D23280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_000007FEF9D23280
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D30215 _itow_s,_invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,_wcsftime_l,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_invoke_watson_if_error,_snwprintf_s,_invoke_watson_if_oneof,_invoke_watson_if_error,_invoke_watson_if_oneof,_invoke_watson_if_error,_unlock,GetFileType,WriteConsoleW,GetLastError,_invoke_watson_if_oneof,WriteFile,WriteFile,OutputDebugStringW,_itow_s,_invoke_watson_if_error, 3_2_000007FEF9D30215
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D30CC0 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 3_2_000007FEF9D30CC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D23280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_000007FEF9D23280
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D2BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_000007FEF9D2BE50
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74EF298 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_000007FEF74EF298
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_000007FEF74E8670 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_000007FEF74E8670
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000007FEF919BE50 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_000007FEF919BE50
Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_000007FEF9193280 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_000007FEF9193280

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 173.82.82.196 8080 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\JQSPcFGJSVOMPtFX\ZXsHFctgkSbxp.dll" Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FUVVPG\TGCY.dll" Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VrLOhrB\szFRUu.dll" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,free, 5_2_000007FEF74F4C0C
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA, 5_2_000007FEF74F383C
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetACP,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s, 5_2_000007FEF74F3EB8
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA, 5_2_000007FEF74F3E4C
Source: C:\Windows\System32\regsvr32.exe Code function: EnumSystemLocalesA, 5_2_000007FEF74F3DB4
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW, 5_2_000007FEF74F39B4
Source: C:\Windows\System32\regsvr32.exe Code function: _getptd,GetLocaleInfoA,GetLocaleInfoW, 5_2_000007FEF74F3C84
Source: C:\Windows\System32\regsvr32.exe Code function: GetLastError,free,free,GetLocaleInfoW,GetLocaleInfoW,free,GetLocaleInfoW, 5_2_000007FEF74EF070
Source: C:\Windows\System32\regsvr32.exe Code function: GetLocaleInfoW, 5_2_000007FEF74F3924
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D28900 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_000007FEF9D28900
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000007FEF9D28860 HeapCreate,GetVersion,HeapSetInformation, 3_2_000007FEF9D28860

Stealing of Sensitive Information
barindex
Yara detected Emotet
Source: Yara match File source: 9.2.regsvr32.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.regsvr32.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.regsvr32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.regsvr32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.regsvr32.exe.7fef74e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.7fef74e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1045326687.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1246167639.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1043672684.00000000002D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1245776901.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1330732797.00000000004D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.913587412.00000000001E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1246196239.000007FEF74E1000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.914096023.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1331020678.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1330526390.00000000001C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1331411753.000007FEF74E1000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1331036064.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\F3DOS06hLF1rUq3s6XOB[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\uxevr2.ocx, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 632157 Sample: SecuriteInfo.com.Exploit.Si... Startdate: 23/05/2022 Architecture: WINDOWS Score: 100 54 Multi AV Scanner detection for domain / URL 2->54 56 Antivirus detection for URL or domain 2->56 58 Multi AV Scanner detection for dropped file 2->58 60 10 other signatures 2->60 7 EXCEL.EXE 7 24 2->7         started        12 svchost.exe 2->12         started        process3 dnsIp4 46 jr-software-web.net 138.219.41.210, 49178, 80 DattateccomAR Argentina 7->46 48 masyuk.com 128.199.252.32, 80 DIGITALOCEAN-ASNUS United Kingdom 7->48 50 3 other IPs or domains 7->50 32 C:\Users\user\uxevr4.ocx, PE32+ 7->32 dropped 34 C:\Users\user\uxevr2.ocx, PE32+ 7->34 dropped 36 C:\Users\user\uxevr1.ocx, PE32+ 7->36 dropped 38 4 other malicious files 7->38 dropped 64 Document exploit detected (creates forbidden files) 7->64 66 Document exploit detected (UrlDownloadToFile) 7->66 14 regsvr32.exe 2 7->14         started        18 regsvr32.exe 2 7->18         started        20 regsvr32.exe 2 7->20         started        22 regsvr32.exe 7->22         started        file5 signatures6 process7 file8 40 C:\Windows\System32\...\szFRUu.dll (copy), PE32+ 14->40 dropped 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->68 24 regsvr32.exe 14->24         started        42 C:\Windows\...\ZXsHFctgkSbxp.dll (copy), PE32+ 18->42 dropped 27 regsvr32.exe 2 18->27         started        44 C:\Windows\System32\FUVVPG\TGCY.dll (copy), PE32+ 20->44 dropped 30 regsvr32.exe 20->30         started        signatures9 process10 dnsIp11 62 System process connects to network (likely due to code injection or exploit) 24->62 52 173.82.82.196, 49176, 49179, 8080 MULTA-ASN1US United States 27->52 signatures12
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
128.199.252.32
 masyuk.com United Kingdom
14061 DIGITALOCEAN-ASNUS false
173.82.82.196
 unknown United States
35916 MULTA-ASN1US true
138.219.41.210
 jr-software-web.net Argentina
27823 DattateccomAR true
212.98.224.29
 melisetotoaksesuar.com Turkey
15924 BORUSANTELEKOM-ASTR false
66.84.31.11
 elamurray.com United States
17054 AS17054US false

Contacted Domains

Name IP Active
elamurray.com 66.84.31.11 true
jr-software-web.net 138.219.41.210 true
masyuk.com 128.199.252.32 true
melisetotoaksesuar.com 212.98.224.29 true
www.melisetotoaksesuar.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://www.melisetotoaksesuar.com/catalog/controller/account/dqfKI/ true
  • Avira URL Cloud: malware
 unknown
http://jr-software-web.net/aaabackupsqldb/11hYk3bHJ/ true
  • Avira URL Cloud: malware
 unknown
http://elamurray.com/athletics-carnival-2018/3UTZYr9D9f/ true
  • Avira URL Cloud: malware
 unknown