
Windows Analysis Report
informe_30062022.xls

Overview

General Information

Sample Name:informe_30062022.xls
Analysis ID:655637
MD5:94db48e7998540a932a0698c1f9d8325
SHA1:e7fd09159aaf8ea2357de4daca3ce482ca9b2adc
SHA256:9bc74075f7f482e4166f2cde5213948915b9d9f7885e49ab434c9c036486ba56

Detection

Hidden Macro 4.0, Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Office process drops PE file
Found Excel 4.0 Macro with suspicious formulas
Uses ipconfig to lookup or modify the Windows network settings
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to enumerate running services
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Potential document exploit detected (unknown TCP traffic)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Registers a DLL
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Drops PE files to the user directory
Uses Microsoft's Enhanced Cryptographic Provider
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 964 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 684 cmdline: C:\Windows\System32\regsvr32.exe /S ..\sctm1.ocx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 1016 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FkxtdJN\mBcpRLOoPTlB.dll" MD5: 59BCE9F07985F8A4204F4D6554CFF708)
        • systeminfo.exe (PID: 1760 cmdline: systeminfo MD5: DEBEA7D13C96687CAB4248DE0B6A2CE8)
        • ipconfig.exe (PID: 2480 cmdline: ipconfig /all MD5: CF45949CDBB39C953331CDCB9CEC20F8)
        • nltest.exe (PID: 968 cmdline: nltest /dclist: MD5: B23E4D796A3FEB91241A806EC18D5C32)
    • regsvr32.exe (PID: 1224 cmdline: C:\Windows\System32\regsvr32.exe /S ..\sctm2.ocx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2544 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PjLQNSdPqGYp\jncSJNcDE.dll" MD5: 59BCE9F07985F8A4204F4D6554CFF708)
        • systeminfo.exe (PID: 2708 cmdline: systeminfo MD5: DEBEA7D13C96687CAB4248DE0B6A2CE8)
        • ipconfig.exe (PID: 2704 cmdline: ipconfig /all MD5: CF45949CDBB39C953331CDCB9CEC20F8)
        • nltest.exe (PID: 2868 cmdline: nltest /dclist: MD5: B23E4D796A3FEB91241A806EC18D5C32)
    • regsvr32.exe (PID: 2412 cmdline: C:\Windows\System32\regsvr32.exe /S ..\sctm3.ocx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2428 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YttRusg\GisEpTWmOuS.dll" MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 1324 cmdline: C:\Windows\System32\regsvr32.exe /S ..\sctm4.ocx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2944 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QzcjqbzQKbaqqJI\jmihwBcHbqy.dll" MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • svchost.exe (PID: 3020 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: C78655BC80301D76ED4FEF1C1EA40A7D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
informe_30062022.xls | SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x154aa:$s1: Excel
  • 0x1653e:$s1: Excel
  • 0x3520:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source | Rule | Description | Author | Strings
C:\Users\user\Desktop\informe_30062022.xls | SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x154aa:$s1: Excel
  • 0x1653e:$s1: Excel
  • 0x3520:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
C:\Users\user\AppData\Local\Temp\~DFE0F93AF5A2719FD8.TMP | SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x154aa:$s1: Excel
  • 0x1653e:$s1: Excel
  • 0x3520:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source | Rule | Description | Author | Strings
00000006.00000002.1145826810.0000000002141000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000009.00000002.1212546662.0000000002070000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000004.00000002.1212794777.0000000000500000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000005.00000002.922476123.0000000002111000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
0000000B.00000002.1212495449.0000000000281000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(18 entries in total; 5 shown)

Source | Rule | Description | Author | Strings
3.2.regsvr32.exe.3c0000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
4.2.regsvr32.exe.500000.1.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
6.3.regsvr32.exe.21a0000.2.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
4.3.regsvr32.exe.37531c8.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
4.2.regsvr32.exe.140000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
(21 entries in total; 5 shown)

No Sigma rule has matched

Timestamp: 07/01/22-11:38:36.385572
Source IP: 192.168.2.22
Destination IP: 180.250.21.2
SID: 2404316
Source Port: 49181
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected


                      AV Detection

Source: informe_30062022.xls | Virustotal: Detection: 58%
Source: informe_30062022.xls | Metadefender: Detection: 36%
Source: informe_30062022.xls | ReversingLabs: Detection: 57%
Source: https://www.hayalkatibi.com/catalog/pJix6SFfnbNWFMuu8m/ | Avira URL Cloud: Label: malware
Source: https://fikti.bem.gunadarma.ac.id/SDM/wC256Xn/ | Avira URL Cloud: Label: malware
Source: https://180.250.21.2/ | Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/I | Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/ | Avira URL Cloud: Label: malware
Source: https://174.138.33.49:7080/M | Avira URL Cloud: Label: malware
Source: https://174.138.33.49/e | Avira URL Cloud: Label: malware
Source: https://hepsisifa.com/wp-content/T0kkNeOlvF/ | Avira URL Cloud: Label: malware
Source: https://174.138.33.49/p | Avira URL Cloud: Label: malware
Source: https://aysbody.com/catalog/FlJ6iKCntAwfO85/ | Avira URL Cloud: Label: malware
Source: https://174.138.33.49/ds | Avira URL Cloud: Label: malware
Source: https://174.138.33.49/ | Avira URL Cloud: Label: malware
Source: hepsisifa.com | Virustotal: Detection: 10%
Source: aysbody.com | Virustotal: Detection: 16%
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0027B028 CryptBinaryToStringW, 4_2_0027B028
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0215B028 CryptBinaryToStringW, 6_2_0215B028
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 212.98.224.29:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 213.128.75.146:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.165.46.170:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 118.98.72.14:443 -> 192.168.2.22:49174 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 180.250.21.2:443 -> 192.168.2.22:49181 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 180.250.21.2:443 -> 192.168.2.22:49182 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_0027C9F0 FindFirstFileW,FindNextFileW, 4_2_0027C9F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 6_2_0215C9F0 FindFirstFileW,FindNextFileW, 6_2_0215C9F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 9_2_020EC9F0 FindFirstFileW,FindNextFileW, 9_2_020EC9F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0029C9F0 FindFirstFileW,FindNextFileW, 11_2_0029C9F0

                      Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: zz64mUdXWhBECsusJb[1].dll.0.dr
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\zz64mUdXWhBECsusJb[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\LEPqPJpt4Gbr8BHAn[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Wli[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pgsfQZfg7Qt[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic | DNS query: name: aysbody.com
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 212.98.224.29:443

                      Networking

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 174.138.33.49 7080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 180.250.21.2 443
Source: Traffic | Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.22:49181 -> 180.250.21.2:443
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View | JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=-----------HchsmYGNjT | Host: 180.250.21.2 | Content-Length: 4532 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----------kSHgpeiTYL | Host: 180.250.21.2 | Content-Length: 4494 | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 174.138.33.49 174.138.33.49
Source: global traffic | HTTP traffic detected: GET /catalog/FlJ6iKCntAwfO85/ HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: aysbody.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wp-content/T0kkNeOlvF/ HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: hepsisifa.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /catalog/pJix6SFfnbNWFMuu8m/ HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.hayalkatibi.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /SDM/wC256Xn/ HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: fikti.bem.gunadarma.ac.id | Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.2.22:49175 -> 174.138.33.49:7080
Source: unknown | Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown | Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 174.138.33.49 (this entry is repeated 50 times in the report)
                      Source: regsvr32.exe, 00000004.00000002.1213014252.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212882400.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                      Source: regsvr32.exe, 00000004.00000002.1213014252.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1146008485.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212882400.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                      Source: regsvr32.exe, 00000004.00000002.1213014252.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212882400.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                      Source: regsvr32.exe, 00000004.00000002.1213014252.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1146008485.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212882400.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                      Source: regsvr32.exe, 00000004.00000002.1213030333.0000000002BF3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1146008485.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212930371.0000000002DC6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: regsvr32.exe, 00000004.00000002.1213014252.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212882400.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                      Source: regsvr32.exe, 00000004.00000002.1213014252.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1146008485.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212882400.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                      Source: regsvr32.exe, 00000004.00000003.1000024393.00000000003D3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.1212749807.00000000003D3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.984922139.00000000003D3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1212749002.00000000003DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                      Source: 77EC63BDA74BD0D0E0426DC8F80085060.4.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: regsvr32.exe, 00000006.00000002.1145993798.0000000002BCC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1212777558.0000000000406000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme
                      Source: regsvr32.exe, 00000009.00000002.1212848980.0000000002D90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabme-0q
                      Source: regsvr32.exe, 00000004.00000002.1212991124.0000000002BA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabmeM
                      Source: regsvr32.exe, 00000009.00000002.1212477525.0000000000429000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en8I
                      Source: regsvr32.exe, 00000004.00000002.1213014252.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1146008485.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212882400.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: regsvr32.exe, 00000004.00000002.1213014252.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212882400.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
                      Source: regsvr32.exe, 00000004.00000002.1213014252.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212882400.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
                      Source: regsvr32.exe, 00000004.00000002.1213014252.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212882400.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
                      Source: regsvr32.exe, 00000004.00000002.1213014252.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212882400.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
                      Source: regsvr32.exe, 00000004.00000002.1213014252.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1146008485.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212882400.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net03
                      Source: regsvr32.exe, 00000004.00000002.1213014252.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212882400.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
                      Source: regsvr32.exe, 00000004.00000002.1213014252.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212882400.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
                      Source: regsvr32.exe, 00000004.00000002.1213014252.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1146008485.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212882400.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                      Source: regsvr32.exe, 00000004.00000003.984956310.00000000003E2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212848980.0000000002D90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://174.138.33.49/
                      Source: regsvr32.exe, 0000000B.00000002.1212804921.000000000041E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://174.138.33.49/ds
                      Source: regsvr32.exe, 0000000B.00000002.1212804921.000000000041E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://174.138.33.49/e
                      Source: regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://174.138.33.49/p
                      Source: regsvr32.exe, 00000004.00000002.1212991124.0000000002BA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212848980.0000000002D90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://174.138.33.49:7080/
                      Source: regsvr32.exe, 0000000B.00000002.1212804921.000000000041E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://174.138.33.49:7080/I
                      Source: regsvr32.exe, 0000000B.00000002.1212804921.000000000041E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://174.138.33.49:7080/M
                      Source: regsvr32.exe, 00000004.00000003.999897653.0000000002C84000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.1213131028.0000000002C84000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1146031491.0000000002C14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://180.250.21.2/
                      Source: regsvr32.exe, 00000004.00000002.1213014252.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1146008485.0000000002BEC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.1000297109.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.981377703.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.1145673940.000000000042E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1212882400.0000000002DA9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000B.00000002.1213004789.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
                      Source: unknown | HTTP traffic detected:
                          POST / HTTP/1.1
                          Content-Type: multipart/form-data; boundary=-----------HchsmYGNjT
                          Host: 180.250.21.2
                          Content-Length: 4532
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\zz64mUdXWhBECsusJb[1].dll
                      Source: unknown | DNS traffic detected: queries for: aysbody.com
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_005031E4 InternetReadFile
                      Source: global traffic | HTTP traffic detected:
                          GET /catalog/FlJ6iKCntAwfO85/ HTTP/1.1
                          Accept: */*
                          UA-CPU: AMD64
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: aysbody.com
                          Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected:
                          GET /wp-content/T0kkNeOlvF/ HTTP/1.1
                          Accept: */*
                          UA-CPU: AMD64
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: hepsisifa.com
                          Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected:
                          GET /catalog/pJix6SFfnbNWFMuu8m/ HTTP/1.1
                          Accept: */*
                          UA-CPU: AMD64
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: www.hayalkatibi.com
                          Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected:
                          GET /SDM/wC256Xn/ HTTP/1.1
                          Accept: */*
                          UA-CPU: AMD64
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: fikti.bem.gunadarma.ac.id
                          Connection: Keep-Alive
                      Source: unknown | HTTPS traffic detected: 212.98.224.29:443 -> 192.168.2.22:49171 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 213.128.75.146:443 -> 192.168.2.22:49172 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 185.165.46.170:443 -> 192.168.2.22:49173 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 118.98.72.14:443 -> 192.168.2.22:49174 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 180.250.21.2:443 -> 192.168.2.22:49181 version: TLS 1.2
                      Source: unknown | HTTPS traffic detected: 180.250.21.2:443 -> 192.168.2.22:49182 version: TLS 1.2

                      E-Banking Fraud

                      Source: Yara match | File source: 3.2.regsvr32.exe.3c0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.regsvr32.exe.500000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.regsvr32.exe.21a0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.regsvr32.exe.37531c8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.regsvr32.exe.140000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.regsvr32.exe.37531c8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.regsvr32.exe.20b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.regsvr32.exe.140000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.regsvr32.exe.500000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.regsvr32.exe.240000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.regsvr32.exe.20e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.regsvr32.exe.140000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.2.regsvr32.exe.20b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.regsvr32.exe.3c0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.regsvr32.exe.2070000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.regsvr32.exe.3581b30.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.regsvr32.exe.210000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.regsvr32.exe.21a0000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.regsvr32.exe.140000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.regsvr32.exe.210000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.regsvr32.exe.3581b30.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.regsvr32.exe.35600f8.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.3.regsvr32.exe.35600f8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.regsvr32.exe.2070000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.regsvr32.exe.240000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 6.2.regsvr32.exe.20e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000006.00000002.1145826810.0000000002141000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.1212546662.0000000002070000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.1212794777.0000000000500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.922476123.0000000002111000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.1212495449.0000000000281000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.922324576.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.1212616896.00000000020D1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.1212485334.0000000000261000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.984306856.0000000003671000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.1144792947.00000000021A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.928931752.0000000000210000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.981015029.0000000003541000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.984624100.0000000003736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.1212368524.0000000000140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.928977615.0000000000281000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.1212376414.0000000000140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000003.981139905.0000000003582000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.941076199.00000000020E1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.909936865.0000000002141000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.940219777.0000000000240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000006.00000002.1145771957.00000000020E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.984499206.0000000003735000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.909786385.00000000003C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                      System Summary

                      Source: Screenshot number: 4 | Screenshot OCR: Enable Editing and click Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
                      Source: Screenshot number: 4 | Screenshot OCR: Enable Content. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
                      Source: Screenshot number: 8 | Screenshot OCR: Enable Editing and click Enable Content 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
                      Source: Screenshot number: 8 | Screenshot OCR: Enable Content X E83 - "" & V \ A A B C D E F G H I J K L M N O P Q R S : 1 I Most features ar
                      Source: informe_30062022.xls | Macro extractor: Sheet: Sheet7 contains: URLDownloadToFileA
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\LEPqPJpt4Gbr8BHAn[1].dll
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\sctm3.ocx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\sctm2.ocx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\zz64mUdXWhBECsusJb[1].dll
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Wli[1].dll
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\sctm1.ocx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\sctm4.ocx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pgsfQZfg7Qt[1].dll
                      Source: informe_30062022.xls | Initial sample: EXEC
                      Source: informe_30062022.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen (date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f)
                      Source: C:\Users\user\Desktop\informe_30062022.xls, type: DROPPED | Matched rule: SUSP_Excel4Macro_AutoOpen (date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f)
                      Source: C:\Users\user\AppData\Local\Temp\~DFE0F93AF5A2719FD8.TMP, type: DROPPED | Matched rule: SUSP_Excel4Macro_AutoOpen (date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f)
                      Source: C:\Windows\System32\regsvr32.exe | File deleted: C:\Windows\System32\PjLQNSdPqGYp
                      Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\system32\FkxtdJN\
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_02153D1C3_2_02153D1C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_021649183_2_02164918
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0215A1303_2_0215A130
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0216093C3_2_0216093C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0214BD243_2_0214BD24
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0216BD203_2_0216BD20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_021665203_2_02166520
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0214D92C3_2_0214D92C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_02161D2C3_2_02161D2C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_02159D5C3_2_02159D5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0216155C3_2_0216155C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0215B5583_2_0215B558
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_021571443_2_02157144
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_021449483_2_02144948
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0216B5703_2_0216B570
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_021569783_2_02156978
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_021505783_2_02150578
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0216796C3_2_0216796C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_021545943_2_02154594
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_021565943_2_02156594
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_021689903_2_02168990
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_021451983_2_02145198
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0214ED843_2_0214ED84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0214F5803_2_0214F580
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_02157DB03_2_02157DB0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_021529BC3_2_021529BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_02160DBC3_2_02160DBC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0215C5AC3_2_0215C5AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_021441A83_2_021441A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0214B1A83_2_0214B1A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_02169DA83_2_02169DA8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_02163DD43_2_02163DD4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_021425D83_2_021425D8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0215D9C43_2_0215D9C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_02142DC03_2_02142DC0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_021599F43_2_021599F4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_021431F03_2_021431F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0215C9F03_2_0215C9F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005018544_2_00501854
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005126544_2_00512654
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005072444_2_00507244
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050C8704_2_0050C870
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005086104_2_00508610
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005081184_2_00508118
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051D7044_2_0051D704
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051ABDC4_2_0051ABDC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050CDE04_2_0050CDE0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005031E44_2_005031E4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005015EC4_2_005015EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050F98C4_2_0050F98C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050CC504_2_0050CC50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00506E504_2_00506E50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005194544_2_00519454
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005114584_2_00511458
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00512C5C4_2_00512C5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00511C484_2_00511C48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051D44C4_2_0051D44C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050AC744_2_0050AC74
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051B8744_2_0051B874
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051A47C4_2_0051A47C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00502C684_2_00502C68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050EE684_2_0050EE68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005070104_2_00507010
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005056144_2_00505614
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00519C1C4_2_00519C1C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051D2044_2_0051D204
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005158304_2_00515830
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005152384_2_00515238
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00514E2C4_2_00514E2C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00502AD04_2_00502AD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005092D04_2_005092D0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005182D84_2_005182D8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00513CC04_2_00513CC0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005150C04_2_005150C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005054C44_2_005054C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050E8C44_2_0050E8C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00517EC84_2_00517EC8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050EAF44_2_0050EAF4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050DCE84_2_0050DCE8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051C0E84_2_0051C0E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005156E84_2_005156E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005122EC4_2_005122EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050A2904_2_0050A290
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00513E984_2_00513E98
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051129C4_2_0051129C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050AA844_2_0050AA84
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00510A884_2_00510A88
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051A08C4_2_0051A08C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051788C4_2_0051788C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005172B44_2_005172B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050D6B84_2_0050D6B8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050D4BC4_2_0050D4BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050C6A04_2_0050C6A0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050D2A04_2_0050D2A0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005148A04_2_005148A0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051C2A84_2_0051C2A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005029504_2_00502950
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050E55C4_2_0050E55C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005013404_2_00501340
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00503F444_2_00503F44
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005057444_2_00505744
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00503B484_2_00503B48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005095484_2_00509548
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051254C4_2_0051254C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050AF704_2_0050AF70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00502D784_2_00502D78
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051A5784_2_0051A578
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00511D7C4_2_00511D7C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051777C4_2_0051777C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005133644_2_00513364
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005065684_2_00506568
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005109684_2_00510968
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051156C4_2_0051156C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005193104_2_00519310
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00514D144_2_00514D14
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00517D1C4_2_00517D1C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050E7044_2_0050E704
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050B1044_2_0050B104
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050A1084_2_0050A108
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050DF084_2_0050DF08
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050BB0C4_2_0050BB0C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051CB344_2_0051CB34
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051B7344_2_0051B734
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005171204_2_00517120
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005099244_2_00509924
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005143284_2_00514328
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051D3284_2_0051D328
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050692C4_2_0050692C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005107D04_2_005107D0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051EDD44_2_0051EDD4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051A9DC4_2_0051A9DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005011C04_2_005011C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005175C44_2_005175C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00515BCC4_2_00515BCC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050B5F84_2_0050B5F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005141FC4_2_005141FC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005135E04_2_005135E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005181E04_2_005181E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005131E44_2_005131E4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050DDE84_2_0050DDE8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051A7E84_2_0051A7E8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00516FEC4_2_00516FEC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051A1EC4_2_0051A1EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050DB984_2_0050DB98
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00509B804_2_00509B80
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005179884_2_00517988
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050B38C4_2_0050B38C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051E5B04_2_0051E5B0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005145B44_2_005145B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051E7B44_2_0051E7B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00519DB44_2_00519DB4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0051BFBC4_2_0051BFBC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_005189A44_2_005189A4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00518FA44_2_00518FA4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00504FA84_2_00504FA8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0050F5AC4_2_0050F5AC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_001300004_2_00130000
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00287E284_2_00287E28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027B0284_2_0027B028
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027A8044_2_0027A804
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027A4084_2_0027A408
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027406C4_2_0027406C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0026F8504_2_0026F850
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00267CAC4_2_00267CAC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002838944_2_00283894
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027C8C04_2_0027C8C0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00281D2C4_2_00281D2C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00282F3C4_2_00282F3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002843304_2_00284330
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00278B3C4_2_00278B3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0028A3044_2_0028A304
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002761104_2_00276110
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00265B184_2_00265B18
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027BD644_2_0027BD64
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002613684_2_00261368
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002743684_2_00274368
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027E7A44_2_0027E7A4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002641A84_2_002641A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00277FEC4_2_00277FEC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027C9F04_2_0027C9F0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002628204_2_00262820
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027D6204_2_0027D620
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002840204_2_00284020
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027762C4_2_0027762C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002826384_2_00282638
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00277C304_2_00277C30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00285E304_2_00285E30
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027F2384_2_0027F238
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00282E044_2_00282E04
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0026BC084_2_0026BC08
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002610144_2_00261014
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002774144_2_00277414
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002732104_2_00273210
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002736104_2_00273610
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027F61C4_2_0027F61C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002764184_2_00276418
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00273E184_2_00273E18
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00280C684_2_00280C68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00264C644_2_00264C64
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00270C684_2_00270C68
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027FC704_2_0027FC70
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002640784_2_00264078
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00282C484_2_00282C48
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0028344C4_2_0028344C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00289A404_2_00289A40
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027484C4_2_0027484C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002648484_2_00264848
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0026E2544_2_0026E254
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027D2544_2_0027D254
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00275C504_2_00275C50
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027EE5C4_2_0027EE5C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0026FE584_2_0026FE58
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0026C4584_2_0026C458
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002816A84_2_002816A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002714A04_2_002714A0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002876A44_2_002876A4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027E4A84_2_0027E4A8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002746B44_2_002746B4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0028B6BC4_2_0028B6BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002630BC4_2_002630BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0026B2BC4_2_0026B2BC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0028A0884_2_0028A088
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002654844_2_00265484
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002706804_2_00270680
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0028369C4_2_0028369C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0026F2904_2_0026F290
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0028BE904_2_0028BE90
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00263A9C4_2_00263A9C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002666984_2_00266698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0026B6984_2_0026B698
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00288EE84_2_00288EE8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00262AE44_2_00262AE4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002724E44_2_002724E4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0028B0EC4_2_0028B0EC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002636E04_2_002636E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002672E04_2_002672E0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00268CE04_2_00268CE0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00281AE04_2_00281AE0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027ACEC4_2_0027ACEC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00263CE84_2_00263CE8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002812FC4_2_002812FC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00282AFC4_2_00282AFC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00284EF44_2_00284EF4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0026B0F84_2_0026B0F8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002778C44_2_002778C4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00279EC04_2_00279EC0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00280AC44_2_00280AC4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0026CCC84_2_0026CCC8
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002690D44_2_002690D4
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002884DC4_2_002884DC
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0026FAD04_2_0026FAD0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027D4D04_2_0027D4D0
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00288B284_2_00288B28
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0026BD244_2_0026BD24
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002737244_2_00273724
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00277B244_2_00277B24
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0028632C4_2_0028632C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027C7204_2_0027C720
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002797204_2_00279720
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0028BD204_2_0028BD20
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002865204_2_00286520
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0026D92C4_2_0026D92C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0028093C4_2_0028093C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00286F3C4_2_00286F3C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027A1304_2_0027A130
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0026D3004_2_0026D300
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002833044_2_00283304
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002627084_2_00262708
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027EB084_2_0027EB08
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_002849184_2_00284918
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00273D1C4_2_00273D1C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0027F7644_2_0027F764
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_0028796C4_2_0028796C
                      Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_00270B604_2_00270B60
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0026CB6C
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0026DB74
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0028B570
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00276978
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00270578
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00277144
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00263F40
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00286B40
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00264948
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0028155C
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00268F5C
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00279D5C
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0027B558
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00289DA8
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002727A4
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002693AC
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0027C5AC
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0027EFAC
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0026B1A8
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00267BB4
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00273BB4
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00280DBC
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00277DB0
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002729BC
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0026ED84
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0026F580
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00271B88
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00272F94
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00274594
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00276594
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00288990
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00265198
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0026AFE4
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0026B3E4
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002793E0
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002799F4
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002813FC
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002631F0
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0027D9C4
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00262DC0
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0026DFCC
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0026EFCC
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002807D0
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_00283DD4
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_002625D8
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0027ABD8
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_001D0000
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02137E28
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0213B6BC
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02115B18
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0212EB08
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02128B3C
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02121B88
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02127414
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0212A804
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0212FC70
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0211CCC8
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0212BD64
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02123210
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02123610
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02123E18
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0212F61C
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02132E04
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02135E30
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0212F238
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02132638
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0212D620
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0212762C
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0211E254
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0212D254
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0211FE58
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0212EE5C
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02139A40
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0211F290
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0213BE90
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0211B698
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02116698
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02113A9C
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0213369C
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02120680
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_021246B4
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0211B2BC
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_021376A4
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_021316A8
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_0211FAD0
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02129EC0
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02130AC4
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02134EF4
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_021312FC
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02132AFC
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_021172E0
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_021136E0
                      Source: informe_30062022.xls Virustotal: Detection: 58%
                      Source: informe_30062022.xls Metadefender: Detection: 36%
                      Source: informe_30062022.xls ReversingLabs: Detection: 57%
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
                      Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\sctm1.ocx
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FkxtdJN\mBcpRLOoPTlB.dll"
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\sctm2.ocx
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PjLQNSdPqGYp\jncSJNcDE.dll"
                      Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\sctm3.ocx
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YttRusg\GisEpTWmOuS.dll"
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\sctm4.ocx
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QzcjqbzQKbaqqJI\jmihwBcHbqy.dll"
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\nltest.exe nltest /dclist:
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\nltest.exe nltest /dclist:
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\sctm1.ocx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\sctm2.ocx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\sctm3.ocx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /S ..\sctm4.ocx
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FkxtdJN\mBcpRLOoPTlB.dll"
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\nltest.exe nltest /dclist:
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PjLQNSdPqGYp\jncSJNcDE.dll"
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\nltest.exe nltest /dclist:
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YttRusg\GisEpTWmOuS.dll"
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QzcjqbzQKbaqqJI\jmihwBcHbqy.dll"
                      Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                      Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                      Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\sctm1.ocx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR4E1F.tmp
                      Source: FA4F.tmp.6.dr Binary string: Boot Device: \Device\HarddiskVolume1
                      Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@30/27@4/6
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800016A8 CoInitialize,RtlAllocateHeap,CoTaskMemFree,VirtualAlloc,ShowWindow,CoInitialize,CoCreateInstance,CoUninitialize,MessageBoxA
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
                      Source: informe_30062022.xls OLE indicator, Workbook stream: true
                      Source: informe_30062022.xls.0.dr OLE indicator, Workbook stream: true
                      Source: ~DFE0F93AF5A2719FD8.TMP.0.dr OLE indicator, Workbook stream: true
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0215A804 Process32FirstW,CreateToolhelp32Snapshot,Process32NextW,CloseHandle
                      Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: informe_30062022.xls Initial sample: OLE indicators vbamacros = False
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_02148C72 push ebp; ret 3_2_02148C7D
                      Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_02118C72 push ebp; ret 5_2_02118C7D
                      Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_00288C72 push ebp; ret 8_2_00288C7D
                      Source: C:\Windows\System32\regsvr32.exe Code function: 10_2_020E8C72 push ebp; ret 10_2_020E8C7D
                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FkxtdJN\mBcpRLOoPTlB.dll"
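The process-creation lines above record the whole loader chain: EXCEL.EXE registers four .ocx files from the user profile with `regsvr32 /S`, each regsvr32 copies its DLL to a randomly named folder under System32 and relaunches regsvr32 on the copy, and the relaunched instances run `systeminfo`, `ipconfig /all` and `nltest /dclist:` before regsvr32.exe itself connects out (174.138.33.49:7080 and 180.250.21.2:443, listed later under HIPS / PFW / Operating System Protection Evasion). The following detection logic is an added example written for this page; it is not part of the Joe Sandbox report or of any Joe Sandbox tooling. The event records are constructed from the report's lines to stand in for process-creation and network-connect telemetry such as Sysmon event IDs 1 and 3; the field names (`parent`, `image`, `cmdline`, `dst_ip`, `dst_port`) and the benign control events are assumptions for the example.

```python
"""Flag the regsvr32-based Emotet loader chain from process and network events.

Added example for this report; the SAMPLE_EVENTS below are constructed from the
report's own process-creation and network-connect lines plus two benign controls
(assumed), not a real log export.
"""
import re
from ipaddress import ip_address

OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
DISCOVERY_TOOLS = {"systeminfo.exe", "ipconfig.exe", "nltest.exe"}
# A DLL in a subfolder directly under System32, e.g.
# C:\Windows\system32\FkxtdJN\mBcpRLOoPTlB.dll as in the report. Few legitimate
# DLLs live one level below System32; tune with an allowlist if needed.
SYSTEM32_SUBDIR_DLL = re.compile(r'\\windows\\system32\\[^\\"]+\\[^\\"]+\.dll', re.I)

REGSVR = r"C:\Windows\System32\regsvr32.exe"
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"

# Constructed from the report (events 0-6); events 7-8 are assumed benign controls.
SAMPLE_EVENTS = [
    {"type": "process", "parent": EXCEL, "image": REGSVR,
     "cmdline": r"C:\Windows\System32\regsvr32.exe /S ..\sctm1.ocx"},
    {"type": "process", "parent": REGSVR, "image": REGSVR,
     "cmdline": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FkxtdJN\mBcpRLOoPTlB.dll"'},
    {"type": "process", "parent": REGSVR, "image": r"C:\Windows\System32\systeminfo.exe",
     "cmdline": "systeminfo"},
    {"type": "process", "parent": REGSVR, "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /all"},
    {"type": "process", "parent": REGSVR, "image": r"C:\Windows\System32\nltest.exe",
     "cmdline": "nltest /dclist:"},
    {"type": "network", "image": REGSVR, "dst_ip": "174.138.33.49", "dst_port": 7080},
    {"type": "network", "image": REGSVR, "dst_ip": "180.250.21.2", "dst_port": 443},
    {"type": "process", "parent": r"C:\Program Files\Vendor\setup.exe", "image": REGSVR,
     "cmdline": r'C:\Windows\System32\regsvr32.exe /s "C:\Program Files\Vendor\ctl.ocx"'},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "10.0.0.5", "dst_port": 443},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the detections that fire for one event."""
    hits = []
    if event["type"] == "process":
        parent = _basename(event["parent"])
        image = _basename(event["image"])
        cmdline = event["cmdline"]
        # 1. An Office application spawning regsvr32: the .ocx files here are the
        #    downloaded Emotet DLLs written to the user profile under another name.
        if image == "regsvr32.exe" and parent in OFFICE_HOSTS:
            hits.append("office-spawns-regsvr32")
        # 2. regsvr32 relaunching itself on a DLL copied to System32\<random>\.
        if (image == "regsvr32.exe" and parent == "regsvr32.exe"
                and SYSTEM32_SUBDIR_DLL.search(cmdline)):
            hits.append("regsvr32-relaunch-system32-subdir")
        # 3. Host, network and domain discovery launched from a COM-registration host.
        if image in DISCOVERY_TOOLS and parent == "regsvr32.exe":
            hits.append("regsvr32-discovery:" + image)
    elif event["type"] == "network":
        # 4. regsvr32.exe talking to a public address; here the C2 on 7080 and 443.
        if _basename(event["image"]) == "regsvr32.exe" and ip_address(event["dst_ip"]).is_global:
            hits.append("regsvr32-outbound:%s:%d" % (event["dst_ip"], event["dst_port"]))
    return hits


def scan(events):
    """Run classify() over a stream of events; yields (event index, detection name)."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify(ev)]


if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print("event %d: %s" % (idx, hit))
```

Rules 1 and 3 are the ones worth alerting on with the least tuning: an Office host spawning regsvr32, and regsvr32 spawning `nltest /dclist:`, have almost no benign parents in a managed estate. Rule 2 depends on the System32 subfolder pattern and should be paired with the Zone.Identifier deletions the report lists under Hooking and other Techniques, since the copied DLLs lose their mark-of-the-web right after being written.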

                      Persistence and Installation Behavior

                      Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\LEPqPJpt4Gbr8BHAn[1].dll
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\sctm3.ocx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\sctm2.ocx
                      Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\PjLQNSdPqGYp\jncSJNcDE.dll (copy)
                      Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\FkxtdJN\mBcpRLOoPTlB.dll (copy)
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\zz64mUdXWhBECsusJb[1].dll
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Wli[1].dll
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\sctm1.ocx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\sctm4.ocx
                      Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\YttRusg\GisEpTWmOuS.dll (copy)
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pgsfQZfg7Qt[1].dll
                      Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\QzcjqbzQKbaqqJI\jmihwBcHbqy.dll (copy)
                      Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\PjLQNSdPqGYp\jncSJNcDE.dll (copy)
                      Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\FkxtdJN\mBcpRLOoPTlB.dll (copy)
                      Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\YttRusg\GisEpTWmOuS.dll (copy)
                      Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\QzcjqbzQKbaqqJI\jmihwBcHbqy.dll (copy)
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\sctm3.ocx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\sctm2.ocx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\sctm1.ocx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\sctm4.ocx

                      Boot Survival

                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\sctm3.ocx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\sctm2.ocx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\sctm1.ocx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\sctm4.ocx

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\FkxtdJN\mBcpRLOoPTlB.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\PjLQNSdPqGYp\jncSJNcDE.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\YttRusg\GisEpTWmOuS.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\QzcjqbzQKbaqqJI\jmihwBcHbqy.dll:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006484 RtlEncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapter
                      Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapter
                      Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BIOS
                      Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BIOS
                      Source: C:\Windows\System32\regsvr32.exe TID: 2496 Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\System32\regsvr32.exe TID: 2656 Thread sleep time: -300000s >= -30000s
                      Source: C:\Windows\System32\regsvr32.exe TID: 2076 Thread sleep time: -120000s >= -30000s
                      Source: C:\Windows\System32\regsvr32.exe TID: 2616 Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\System32\regsvr32.exe TID: 2592 Thread sleep time: -180000s >= -30000s
                      Source: C:\Windows\System32\regsvr32.exe TID: 1364 Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\System32\regsvr32.exe TID: 2640 Thread sleep time: -60000s >= -30000s
                      Source: C:\Windows\System32\regsvr32.exe TID: 1216 Thread sleep time: -300000s >= -30000s
                      Source: C:\Windows\System32\ipconfig.exe TID: 1260 Thread sleep time: -120000s >= -30000s
                      Source: C:\Windows\System32\ipconfig.exe TID: 2772 Thread sleep time: -120000s >= -30000s
                      Source: C:\Windows\System32\regsvr32.exe Code function: EnumServicesStatusExW,3_2_0215DD40
                      Source: C:\Windows\System32\regsvr32.exe Code function: EnumServicesStatusExW,5_2_0212DD40
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\LEPqPJpt4Gbr8BHAn[1].dll
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\zz64mUdXWhBECsusJb[1].dll
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Wli[1].dll
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pgsfQZfg7Qt[1].dll
                      Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                      Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                      Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
                      Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0027C9F0 FindFirstFileW,FindNextFileW
                      Source: C:\Windows\System32\regsvr32.exe Code function: 6_2_0215C9F0 FindFirstFileW,FindNextFileW
                      Source: C:\Windows\System32\regsvr32.exe Code function: 9_2_020EC9F0 FindFirstFileW,FindNextFileW
                      Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0029C9F0 FindFirstFileW,FindNextFileW
                      Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
                      Source: regsvr32.exe, 00000006.00000002.1145651291.0000000000412000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007A68 __crtCaptureCurrentContext,IsDebuggerPresent,__crtUnhandledException
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000EB10 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000671C GetProcessHeap
                      Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000766C SetUnhandledExceptionFilter,UnhandledExceptionFilter

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\System32\regsvr32.exe | Network Connect: 174.138.33.49 7080
                      Source: C:\Windows\System32\regsvr32.exe | Network Connect: 180.250.21.2 443
                      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\FkxtdJN\mBcpRLOoPTlB.dll"
                      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
                      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\nltest.exe nltest /dclist:
                      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\PjLQNSdPqGYp\jncSJNcDE.dll"
                      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
                      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
                      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\nltest.exe nltest /dclist:
                      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YttRusg\GisEpTWmOuS.dll"
                      Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QzcjqbzQKbaqqJI\jmihwBcHbqy.dll"
                      Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180006EDC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 3_2_0000000180006EDC

                      Stealing of Sensitive Information

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts211
                      Windows Management Instrumentation
                      Path Interception111
                      Process Injection
                      1
                      Disable or Modify Tools
                      OS Credential Dumping1
                      System Time Discovery
                      Remote Services1
                      Archive Collected Data
                      Exfiltration Over Other Network Medium3
                      Ingress Tool Transfer
                      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default Accounts2
                      Scripting
                      Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts2
                      Scripting
                      LSASS Memory1
                      System Service Discovery
                      Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth21
                      Encrypted Channel
                      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain Accounts43
                      Exploitation for Client Execution
                      Logon Script (Windows)Logon Script (Windows)1
                      Obfuscated Files or Information
                      Security Account Manager2
                      File and Directory Discovery
                      SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration1
                      Non-Standard Port
                      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
                      File Deletion
                      NTDS117
                      System Information Discovery
                      Distributed Component Object ModelInput CaptureScheduled Transfer3
                      Non-Application Layer Protocol
                      SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script131
                      Masquerading
                      LSA Secrets141
                      Security Software Discovery
                      SSHKeyloggingData Transfer Size Limits14
                      Application Layer Protocol
                      Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.common12
                      Virtualization/Sandbox Evasion
                      Cached Domain Credentials12
                      Virtualization/Sandbox Evasion
                      VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup Items111
                      Process Injection
                      DCSync2
                      Process Discovery
                      Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                      Hidden Files and Directories
                      Proc Filesystem1
                      Remote System Discovery
                      Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
                      Regsvr32
                      /etc/passwd and /etc/shadow1
                      System Network Configuration Discovery
                      Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph (rendered image; only its text labels are recoverable): Behavior Graph ID: 655637, Sample: informe_30062022.xls, Startdate: 01/07/2022, Architecture: WINDOWS, Score: 100. Process chain shown: EXCEL.EXE (connects to hepsisifa.com 213.128.75.146:443 and komunitas.blog.gunadarma.ac.id 118.98.72.14:443 plus 3 other IPs or domains; drops C:\Users\user\sctm2.ocx, sctm3.ocx, sctm4.ocx and 6 other malicious files, all PE32+) starts four regsvr32.exe instances, each of which drops a copy of its DLL under C:\Windows\System32 (mBcpRLOoPTlB.dll, jncSJNcDE.dll, jmihwBcHbqy.dll, GisEpTWmOuS.dll) and starts a child regsvr32.exe. The first child connects to 180.250.21.2:443 and 174.138.33.49; the first two children each start systeminfo.exe, ipconfig.exe and nltest.exe. svchost.exe is also started. Graph signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Document exploit detected (creates forbidden files); Document exploit detected (UrlDownloadToFile); Uses ipconfig to lookup or modify the Windows network settings; Hides that the sample has been downloaded from the Internet (zone.identifier); System process connects to network (likely due to code injection or exploit); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines).
