Windows Analysis Report
Insight_Medical_Publishing_3.one

Overview

General Information

Sample Name: Insight_Medical_Publishing_3.one
Analysis ID: 828495
MD5: 0d8f675a79a32d286f8eccb2ff989c91
SHA1: e0796075d09841386c12f37503495c9624a3c393
SHA256: 7ef31d3538810c895812e331db91f905693b99b682d062d9d0b4dab5df0da0a2
Tags: one

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Malicious OneNote
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Run temp file via regsvr32
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: Insight_Medical_Publishing_3.one ReversingLabs: Detection: 30%
Source: Insight_Medical_Publishing_3.one Virustotal: Detection: 41%
Source: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/# Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/eB Avira URL Cloud: Label: malware
Source: https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ Avira URL Cloud: Label: malware
Source: https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/x Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/ Avira URL Cloud: Label: malware
Source: https://159.89.202.34/ Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/ Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/vM Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/ Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/l Avira URL Cloud: Label: malware
Source: https://159.89.202.34/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/h Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/IT Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/000 Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/n Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/ Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/ Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/tM Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/mwollpl/ Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/ Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/7 Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/ Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/yM Avira URL Cloud: Label: malware
Source: https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/l/ Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/8 Avira URL Cloud: Label: malware
Source: https://159.89.202.34/I Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllNZr Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/xM Avira URL Cloud: Label: malware
Source: https://187.63.160.88:80/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/01 Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/ Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/_ Avira URL Cloud: Label: malware
Source: https://159.89.202.34/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ Avira URL Cloud: Label: malware
Source: https://164.90.222.65/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/3 Avira URL Cloud: Label: malware
Source: penshorn.org Virustotal: Detection: 10%
Source: https://159.89.202.34/ Virustotal: Detection: 18%
Source: http://softwareulike.com/cWIYxWMPkK/ Virustotal: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll ReversingLabs: Detection: 58%
Source: C:\Windows\System32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll (copy) ReversingLabs: Detection: 58%
Source: 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5OWVpqQATAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2gGXgqQAuAJA="]}
Source: unknown HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.3:49683 version: TLS 1.2
Source: unknown HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49687 version: TLS 1.2
Source: Binary string: ain.pdb source: OneNote15WatsonLog.etl.0.dr
Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdbain.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: OneNote15WatsonLog.etl.0.dr
Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdb source: OneNote15WatsonLog.etl.0.dr
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180008D28 FindFirstFileExW, 11_2_0000000180008D28

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 203.26.41.131 443
Source: C:\Windows\SysWOW64\wscript.exe Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080
Source: Traffic Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.3:49687 -> 182.162.143.56:443
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.3:49684 -> 91.121.146.47:8080
Source: Traffic Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.3:49686 -> 66.228.32.31:7080
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.3:49689 -> 167.172.199.165:8080
Source: Traffic Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.3:49694 -> 104.168.155.143:8080
Source: Malware configuration extractor IPs: 91.121.146.47:8080
Source: Malware configuration extractor IPs: 66.228.32.31:7080
Source: Malware configuration extractor IPs: 182.162.143.56:443
Source: Malware configuration extractor IPs: 187.63.160.88:80
Source: Malware configuration extractor IPs: 167.172.199.165:8080
Source: Malware configuration extractor IPs: 164.90.222.65:443
Source: Malware configuration extractor IPs: 104.168.155.143:8080
Source: Malware configuration extractor IPs: 163.44.196.120:8080
Source: Malware configuration extractor IPs: 160.16.142.56:8080
Source: Malware configuration extractor IPs: 159.89.202.34:443
Source: Malware configuration extractor IPs: 159.65.88.10:8080
Source: Malware configuration extractor IPs: 186.194.240.217:443
Source: Malware configuration extractor IPs: 149.56.131.28:8080
Source: Malware configuration extractor IPs: 72.15.201.15:8080
Source: Malware configuration extractor IPs: 1.234.2.232:8080
Source: Malware configuration extractor IPs: 82.223.21.224:8080
Source: Malware configuration extractor IPs: 206.189.28.199:8080
Source: Malware configuration extractor IPs: 169.57.156.166:8080
Source: Malware configuration extractor IPs: 107.170.39.149:8080
Source: Malware configuration extractor IPs: 103.43.75.120:443
Source: Malware configuration extractor IPs: 91.207.28.33:8080
Source: Malware configuration extractor IPs: 213.239.212.5:443
Source: Malware configuration extractor IPs: 45.235.8.30:8080
Source: Malware configuration extractor IPs: 119.59.103.152:8080
Source: Malware configuration extractor IPs: 164.68.99.3:8080
Source: Malware configuration extractor IPs: 95.217.221.146:8080
Source: Malware configuration extractor IPs: 153.126.146.25:7080
Source: Malware configuration extractor IPs: 197.242.150.244:8080
Source: Malware configuration extractor IPs: 202.129.205.3:8080
Source: Malware configuration extractor IPs: 103.132.242.26:8080
Source: Malware configuration extractor IPs: 139.59.126.41:443
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 183.111.227.137:8080
Source: Malware configuration extractor IPs: 5.135.159.50:443
Source: Malware configuration extractor IPs: 201.94.166.162:443
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 79.137.35.198:8080
Source: Malware configuration extractor IPs: 172.105.226.75:8080
Source: Malware configuration extractor IPs: 94.23.45.86:4143
Source: Malware configuration extractor IPs: 115.68.227.76:8080
Source: Malware configuration extractor IPs: 153.92.5.27:8080
Source: Malware configuration extractor IPs: 167.172.253.162:8080
Source: Malware configuration extractor IPs: 188.44.20.25:443
Source: Malware configuration extractor IPs: 147.139.166.154:8080
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 185.4.135.165:8080
Source: Malware configuration extractor IPs: 45.176.232.124:443
Source: Joe Sandbox View ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic HTTP traffic detected: POST /qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56
Source: Joe Sandbox View IP Address: 110.232.117.186 110.232.117.186
Source: global traffic HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org
Source: global traffic TCP traffic: 192.168.2.3:49684 -> 91.121.146.47:8080
Source: global traffic TCP traffic: 192.168.2.3:49686 -> 66.228.32.31:7080
Source: global traffic TCP traffic: 192.168.2.3:49689 -> 167.172.199.165:8080
Source: global traffic TCP traffic: 192.168.2.3:49694 -> 104.168.155.143:8080
Source: global traffic TCP traffic: 192.168.2.3:49695 -> 163.44.196.120:8080
Source: global traffic TCP traffic: 192.168.2.3:49696 -> 160.16.142.56:8080
Source: unknown Network traffic detected: IP country count 17
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: wscript.exe, 00000009.00000003.352083171.000000000543B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349954279.0000000005423000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.354073376.000000000543C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351723775.0000000005423000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.424429920.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451389170.00000000012FE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480859658.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.420606431.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 0000000C.00000003.417229525.0000000001350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/U
Source: regsvr32.exe, 0000000C.00000003.423585505.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480911858.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451389170.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 0000000C.00000003.424429920.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451389170.00000000012FE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480859658.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.420606431.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.12.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000C.00000003.417229525.0000000001350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8018d46f033f9
Source: regsvr32.exe, 0000000C.00000003.424429920.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451389170.00000000012FE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480859658.00000000012FD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.420606431.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabn
Source: wscript.exe, wscript.exe, 00000009.00000002.353832790.00000000053B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349674998.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347830775.0000000005237000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347700894.0000000005210000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.335628212.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.338453916.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345054891.00000000050AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345132720.00000000050AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ozmeydan.com/cekici/9/
Source: wscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ozmeydan.com/cekici/9/xM
Source: wscript.exe, 00000009.00000003.347973913.000000000529E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348372206.00000000052DD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348646615.0000000005321000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348586602.00000000052F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348295456.00000000052AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351610411.0000000005331000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.353640909.0000000005331000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348732137.0000000005328000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348458187.00000000052EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348118755.00000000052A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxW
Source: wscript.exe, wscript.exe, 00000009.00000002.353832790.00000000053B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349674998.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347830775.0000000005237000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347700894.0000000005210000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.335628212.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.338453916.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345054891.00000000050AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345132720.00000000050AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/
Source: wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.346224913.0000000005175000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345755235.0000000005160000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347622434.0000000005182000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.353529377.000000000518B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347751255.0000000005182000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348256209.0000000005189000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/7
Source: wscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/yM
Source: wscript.exe, wscript.exe, 00000009.00000002.353832790.00000000053B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349674998.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347830775.0000000005237000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347700894.0000000005210000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.335628212.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.338453916.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345054891.00000000050AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345132720.00000000050AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
Source: wscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
Source: regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://159.89.202.34/
Source: regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://159.89.202.34/I
Source: regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://159.89.202.34/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/
Source: regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://159.89.202.34/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/h
Source: regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.142.56:8080/
Source: regsvr32.exe, 0000000C.00000002.580495908.000000000334F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.142.56:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/
Source: regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.142.56:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl//6(
Source: regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://163.44.196.120:8080/3
Source: regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://164.90.222.65/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/
Source: regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480859658.000000000133A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/
Source: regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480859658.000000000133A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/8
Source: regsvr32.exe, 0000000C.00000003.480859658.000000000133A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/l
Source: regsvr32.exe, 0000000C.00000003.480859658.000000000133A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/mwollpl/
Source: regsvr32.exe, 0000000C.00000003.480911858.00000000012C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/
Source: regsvr32.exe, 0000000C.00000003.480911858.00000000012C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/#
Source: regsvr32.exe, 0000000C.00000003.480859658.000000000133A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/IT
Source: regsvr32.exe, 0000000C.00000003.480788885.000000000334E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.580495908.000000000334F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/eB
Source: regsvr32.exe, 0000000C.00000003.480788885.000000000334E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.580495908.000000000334F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/n
Source: regsvr32.exe, 0000000C.00000003.451389170.00000000012FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://182.162.143.56/
Source: regsvr32.exe, 0000000C.00000003.451389170.000000000133A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451113819.000000000133A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/
Source: regsvr32.exe, 0000000C.00000003.451113819.00000000012E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/l/
Source: regsvr32.exe, 0000000C.00000003.480788885.000000000334E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/x
Source: regsvr32.exe, 0000000C.00000003.480788885.000000000334E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://187.172.199.165:8080/
Source: regsvr32.exe, 0000000C.00000003.480788885.000000000334E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.580495908.000000000334F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://187.63.160.88:80/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/01
Source: regsvr32.exe, 0000000C.00000003.451389170.000000000133A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451113819.000000000133A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://66.228.32.31:7080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/
Source: regsvr32.exe, 0000000C.00000003.451389170.000000000133A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451113819.000000000133A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://66.228.32.31:7080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/_
Source: regsvr32.exe, 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/
Source: regsvr32.exe, 0000000C.00000003.421394475.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480911858.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451113819.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/
Source: regsvr32.exe, 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/000
Source: wscript.exe, wscript.exe, 00000009.00000002.353832790.00000000053B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349674998.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347830775.0000000005237000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347700894.0000000005210000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.335628212.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.338453916.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345054891.00000000050AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347622434.000000000512D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
Source: wscript.exe, 00000009.00000003.349639269.000000000538E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349867697.0000000005396000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll
Source: wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349438794.0000000005384000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349093361.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349339319.000000000537A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllNZr
Source: wscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
Source: regsvr32.exe, 0000000C.00000003.480911858.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451389170.00000000012C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pe2.162.143.56/
Source: wscript.exe, 00000009.00000003.349954279.0000000005423000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.350000568.000000000540A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.354012857.000000000540A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351723775.0000000005423000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.354073376.0000000005423000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/
Source: wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.338453916.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345054891.00000000050AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.350249586.0000000004B2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.350180272.0000000004B29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345132720.00000000050C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345037298.000000000510B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345791230.00000000050EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.343112035.0000000004FCF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337309001.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/
Source: wscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/tM
Source: wscript.exe, 00000009.00000003.347225816.00000000050AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFb
Source: wscript.exe, 00000009.00000003.347973913.000000000529E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348372206.00000000052DD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348646615.0000000005321000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348586602.00000000052F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348295456.00000000052AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351610411.0000000005331000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.353640909.0000000005331000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348732137.0000000005328000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348458187.00000000052EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348118755.00000000052A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1j
Source: wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347622434.000000000512D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345132720.00000000050C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345037298.000000000510B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345791230.00000000050EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.343112035.0000000004FCF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337309001.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349571912.00000000053A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.343189350.0000000004FAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347462886.00000000051C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.343401747.0000000005065000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
Source: wscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
Source: wscript.exe, wscript.exe, 00000009.00000002.353832790.00000000053B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349674998.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347830775.0000000005237000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347700894.0000000005210000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.335628212.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.338453916.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345054891.00000000050AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347622434.000000000512D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/
Source: wscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/vM
Source: unknown HTTP traffic detected:
    POST /qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ HTTP/1.1
    Connection: Keep-Alive
    Content-Length: 0
    Host: 182.162.143.56
Source: unknown DNS traffic detected: queries for: penshorn.org
Source: global traffic HTTP traffic detected:
    GET /admin/Ses8712iGR8du/ HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: penshorn.org
Source: unknown HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.3:49683 version: TLS 1.2
Source: unknown HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49687 version: TLS 1.2
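The entries above are the raw IOC material of this section. The wscript.exe process carries the domain-hosted URLs the embedded script fetches from (the GET to penshorn.org uses one of them), and regsvr32.exe carries an IP:port list that shares one URI; the characters after that URI ("h", "//6(", "eB", "01", and the host "pe2.162.143.56") are adjacent memory bytes picked up by the string scan, not parts of the URL. The Python below is an added example, not part of this Joe Sandbox report: it parses a subset of the entries copied from the page (memory-dump identifiers abbreviated to "...sdmp"), derives the endpoint set and a consensus C2 path, rejects the corrupted host, and scores the two captured requests against the result. Splitting download sites from C2 endpoints by host type, the consensus-path heuristic, and the default ports (443 for https, 80 for http) are this example's assumptions, not statements made by the report.

```python
"""Added example (not part of the sandbox report): derive network IOCs from
'String found in binary or memory' entries and score captured HTTP requests
against them.  Input lines are copied from the report with the long
memory-dump identifiers abbreviated to '...sdmp'."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed input: a subset of the report's URL entries.
REPORT_LINES = [
    "Source: wscript.exe, ...sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM",
    "Source: wscript.exe, ...sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/",
    "Source: regsvr32.exe, ...sdmp String found in binary or memory: https://159.89.202.34/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/h",
    "Source: regsvr32.exe, ...sdmp String found in binary or memory: https://160.16.142.56:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl//6(",
    "Source: regsvr32.exe, ...sdmp String found in binary or memory: https://167.172.199.165:8080/",
    "Source: regsvr32.exe, ...sdmp String found in binary or memory: https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/l/",
    "Source: regsvr32.exe, ...sdmp String found in binary or memory: https://187.63.160.88:80/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/01",
    "Source: regsvr32.exe, ...sdmp String found in binary or memory: https://66.228.32.31:7080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/_",
    "Source: regsvr32.exe, ...sdmp String found in binary or memory: https://pe2.162.143.56/",
]
# Constructed input: the two captured requests, CRLFs lost exactly as in the report.
REQUEST_LINES = [
    "POST /qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56",
    "GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org",
]

ENTRY_RE = re.compile(r"^Source:\s*([^,\s]+),.*?String found in binary or memory:\s*(\S+)")
HEADER_NAMES = ("Connection", "Content-Length", "Content-Type", "Host", "Accept", "User-Agent", "Cache-Control")


def _common_prefix(seqs):
    """Longest common leading run of the given segment lists."""
    prefix = list(seqs[0]) if seqs else []
    for seq in seqs[1:]:
        n = 0
        while n < min(len(prefix), len(seq)) and prefix[n] == seq[n]:
            n += 1
        prefix = prefix[:n]
    return prefix


def extract_iocs(lines):
    """Split URL entries into domain-hosted download URLs and IP:port C2 endpoints,
    and recover the C2 URI as the path prefix all IP-hosted entries agree on."""
    stage_urls, endpoints, c2_paths, discarded = set(), set(), [], []
    for line in lines:
        match = ENTRY_RE.match(line)
        if not match:
            continue
        _process, url = match.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is None:
            # A real hostname never ends in an all-digit label: 'pe2.162.143.56'
            # is an IP whose first octet was overwritten in memory.
            if host and not host.rsplit(".", 1)[-1].isdigit():
                directory = parts.path.rsplit("/", 1)[0] + "/"  # drop trailing junk such as 'zM'
                stage_urls.add(f"{parts.scheme}://{parts.netloc}{directory}")
            else:
                discarded.append(url)
            continue
        port = parts.port or (443 if parts.scheme == "https" else 80)  # assumed defaults
        endpoints.add((str(ip), port))
        if parts.path not in ("", "/"):
            c2_paths.append(parts.path.split("/")[:-1])  # final segment is memory garbage
    c2_path = "/".join(_common_prefix(c2_paths)) + "/" if c2_paths else ""
    return {"stage_urls": stage_urls, "c2_endpoints": endpoints,
            "c2_path": c2_path, "discarded": discarded}


def parse_request(flat):
    """Re-split a request whose CRLFs were lost by breaking before each known header name."""
    pattern = "(?=(?:%s):)" % "|".join(re.escape(name) for name in HEADER_NAMES)
    chunks = re.split(pattern, flat)
    method, path, _version = chunks[0].split()
    headers = {}
    for chunk in chunks[1:]:
        name, value = chunk.split(":", 1)
        headers[name] = value.strip()
    return method, path, headers


def score_request(flat, iocs):
    """Return the indicators a captured request shares with the memory-derived IOCs."""
    method, path, headers = parse_request(flat)
    host = headers.get("Host", "").split(":")[0]
    stage_hosts = {urlsplit(u).hostname for u in iocs["stage_urls"]}
    hits = []
    if any(host == ip for ip, _port in iocs["c2_endpoints"]):
        hits.append("host is a C2 endpoint seen in regsvr32.exe memory")
    if iocs["c2_path"] and path == iocs["c2_path"]:
        hits.append("URI equals the consensus C2 path")
    if method == "POST" and headers.get("Content-Length") == "0":
        hits.append("empty-body POST")
    if "WinHttp.WinHttpRequest" in headers.get("User-Agent", ""):
        hits.append("WinHTTP COM client user agent (script-driven download)")
    if host in stage_hosts:
        hits.append("host is a download site seen in wscript.exe memory")
    return hits


if __name__ == "__main__":
    iocs = extract_iocs(REPORT_LINES)
    print("C2 path:", iocs["c2_path"])
    for ip, port in sorted(iocs["c2_endpoints"]):
        print(f"C2 endpoint: {ip}:{port}")
    for url in sorted(iocs["stage_urls"]):
        print("download URL:", url)
    print("discarded as corrupted:", iocs["discarded"])
    for req in REQUEST_LINES:
        print(req.split(" HTTP/")[0], "->", score_request(req, iocs))
```

The consensus step is what makes the memory strings usable: no single regsvr32.exe entry is clean, but the directory prefix they all share is the URI the captured POST actually uses. Keeping the explicit port from the URL (so 187.63.160.88:80 stays distinct from the https default of 443) matters because the endpoints are where the blocklist value is; the path alone would be shared by every entry.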

E-Banking Fraud

Source: Yara match File source: 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 12.2.regsvr32.exe.1220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.regsvr32.exe.1220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.580204342.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579427861.0000000001220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.334703858.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 00000009.00000003.346224913.0000000005175000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 00000009.00000003.347622434.0000000005182000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 00000009.00000003.347622434.0000000005182000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 00000009.00000002.353529377.000000000518B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 00000009.00000002.353529377.000000000518B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 00000009.00000003.347751255.0000000005182000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 00000009.00000003.347751255.0000000005182000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 00000009.00000003.348256209.0000000005189000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 00000009.00000003.348256209.0000000005189000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\ZLTlFkhzfcDaCjB\
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180006818 11_2_0000000180006818
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_000000018000B878 11_2_000000018000B878
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180007110 11_2_0000000180007110
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180008D28 11_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180014555 11_2_0000000180014555
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00EF0000 11_2_00EF0000
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F5709C 11_2_00F5709C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F4CC14 11_2_00F4CC14
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F5A000 11_2_00F5A000
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F47D6C 11_2_00F47D6C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F4263C 11_2_00F4263C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F48BC8 11_2_00F48BC8
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F58FC8 11_2_00F58FC8
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F43CF4 11_2_00F43CF4
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F448FC 11_2_00F448FC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F490F8 11_2_00F490F8
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F520E0 11_2_00F520E0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F414D4 11_2_00F414D4
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F53CD4 11_2_00F53CD4
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F418DC 11_2_00F418DC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F4F8C4 11_2_00F4F8C4
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F55CC4 11_2_00F55CC4
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F480CC 11_2_00F480CC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F508CC 11_2_00F508CC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F5A8B0 11_2_00F5A8B0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F694BC 11_2_00F694BC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F4DCB8 11_2_00F4DCB8
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F498AC 11_2_00F498AC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F4AC94 11_2_00F4AC94
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F44C84 11_2_00F44C84
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F5CC84 11_2_00F5CC84
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F55880 11_2_00F55880
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F4D474 11_2_00F4D474
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F56C70 11_2_00F56C70
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F4B07C 11_2_00F4B07C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F42C78 11_2_00F42C78
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F4C078 11_2_00F4C078
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F5B460 11_2_00F5B460
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F65450 11_2_00F65450
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F5C058 11_2_00F5C058
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F47840 11_2_00F47840
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F5C44C 11_2_00F5C44C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F51030 11_2_00F51030
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F5EC30 11_2_00F5EC30
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F4B83C 11_2_00F4B83C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F6181C 11_2_00F6181C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 11_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert, 11_2_0000000180010AC0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject, 11_2_0000000180010DB0
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
Source: Insight_Medical_Publishing_3.one ReversingLabs: Detection: 30%
Source: Insight_Medical_Publishing_3.one Virustotal: Detection: 41%
Source: C:\Windows\SysWOW64\wscript.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_3.one
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll"
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\Documents\{FEEE3FA4-F7B3-4CCE-AC94-72B79C0B1135}
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\AppData\Local\Temp\{1A5C047D-3D28-4AA6-A11A-87D0AFF6CFBA} - OProcSessId.dat
Source: classification engine Classification label: mal100.troj.expl.evad.winONE@9/11@1/49
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File read: C:\Program Files (x86)\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F48BC8 Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification, 11_2_00F48BC8
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: Binary string: ain.pdb source: OneNote15WatsonLog.etl.0.dr
Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdbain.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: OneNote15WatsonLog.etl.0.dr
Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdb source: OneNote15WatsonLog.etl.0.dr
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180005C69 push rdi; ret 11_2_0000000180005C72
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00000001800056DD push rdi; ret 11_2_00000001800056E4
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F4A0FC push ebp; iretd 11_2_00F4A0FD
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F580D7 push ebp; retf 11_2_00F580D8
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F46CDE push esi; iretd 11_2_00F46CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F46C9F pushad ; ret 11_2_00F46CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F4A1D2 push ebp; iretd 11_2_00F4A1D3
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F57987 push ebp; iretd 11_2_00F5798F
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F58157 push ebp; retf 11_2_00F58158
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F49D51 push ebp; retf 11_2_00F49D5A
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F57D4E push ebp; iretd 11_2_00F57D4F
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F57D3C push ebp; retf 11_2_00F57D3D
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F57D25 push 4D8BFFFFh; retf 11_2_00F57D2A
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F57EAF push 458BCC5Ah; retf 11_2_00F57EBC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F49E8B push eax; retf 11_2_00F49E8E
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F4A26E push ebp; ret 11_2_00F4A26F
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00F5C731 push esi; iretd 11_2_00F5C732
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_02B2C731 push esi; iretd 12_2_02B2C732
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_02B16C9F pushad ; ret 12_2_02B16CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_02B16CDE push esi; iretd 12_2_02B16CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_02B36D34 push edi; ret 12_2_02B36D36
Source: rad38C2A.tmp.dll.9.dr Static PE information: section name: _RDATA
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll (copy)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll:Zone.Identifier read attributes | delete
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe TID: 4956 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1540 Thread sleep time: -270000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe API coverage: 8.0 %
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180008D28 FindFirstFileExW, 11_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: regsvr32.exe, 0000000C.00000003.451113819.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.420606431.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0P/
Source: wscript.exe, 00000009.00000002.353992148.00000000053FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: wscript.exe, 00000009.00000003.349954279.0000000005423000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351723775.0000000005423000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.354073376.0000000005423000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.424429920.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451389170.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480911858.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.420606431.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451649748.00000000012F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000009.00000002.353992148.00000000053FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: regsvr32.exe, 0000000C.00000003.424429920.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451389170.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480911858.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.420606431.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451649748.00000000012F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_000000018000A878 GetProcessHeap, 11_2_000000018000A878
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 11_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00000001800082EC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00000001800017DC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00000001800070A0 cpuid 11_2_00000001800070A0
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 11_2_0000000180001D98

Stealing of Sensitive Information

Source: Yara match File source: Insight_Medical_Publishing_3.one, type: SAMPLE
Source: Yara match File source: 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 12.2.regsvr32.exe.1220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.regsvr32.exe.1220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.regsvr32.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.580204342.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.579427861.0000000001220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.334703858.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: Insight_Medical_Publishing_3.one, type: SAMPLE