
Windows Analysis Report
Insight_Medical_Publishing.one

Overview

General Information

Sample Name: Insight_Medical_Publishing.one
Analysis ID: 828491
MD5: ff762b2f28c3bcaaabcc6f7656f92d50
SHA1: 9448c2d43c1e7155a4003d513c95f42fd29a2b7f
SHA256: 62ff7b52aeac2e32e59d8168cd55db1522de07833d476c8e26b36f40724bbebe
Tags: one

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Malicious OneNote
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Run temp file via regsvr32
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • ONENOTE.EXE (PID: 5812 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing.one MD5: 8D7E99CB358318E1F38803C9E6B67867)
    • wscript.exe (PID: 6076 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • regsvr32.exe (PID: 6140 cmdline: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
        • regsvr32.exe (PID: 624 cmdline: "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
          • regsvr32.exe (PID: 3480 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CRCPqQPgWxqcgJu\zBLf.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
  • cleanup
Name: Emotet
Description: While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid-2018 it has been used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It still steals information from victims, but the criminal gang behind it opened up another business channel by selling their infrastructure to deliver additional malicious software. Malware analysts have classified it into epochs depending on command and control, payloads, and delivery solutions, which change over time. Emotet was taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.
Attribution:
  • GOLD CABIN
  • MUMMY SPIDER
  • Mealybug
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet
Source | Rule | Description | Author | Strings
Insight_Medical_Publishing.one | JoeSecurity_MalOneNote | Yara detected Malicious OneNote | Joe Security

Source | Rule | Description | Author | Strings
00000004.00000002.633268738.00000000024A1000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Emotet_3 | Yara detected Emotet | Joe Security
00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp | WEBSHELL_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp
  • 0x1dde:$asp_gen_obf1: "+"
  • 0x1e0e:$asp_gen_obf1: "+"
  • 0xc82:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
  • 0x1bf2:$asp_input1: request
  • 0x1f2c:$asp_payload11: wscript.shell
  • 0x1b14:$asp_multi_payload_one1: createobject
  • 0x1c02:$asp_multi_payload_one1: createobject
  • 0x1c7a:$asp_multi_payload_one1: createobject
  • 0x1cd4:$asp_multi_payload_one1: createobject
  • 0x1f10:$asp_multi_payload_one1: createobject
  • 0x1b14:$asp_multi_payload_four1: createobject
  • 0x1c02:$asp_multi_payload_four1: createobject
  • 0x1c7a:$asp_multi_payload_four1: createobject
  • 0x1cd4:$asp_multi_payload_four1: createobject
  • 0x1f10:$asp_multi_payload_four1: createobject
  • 0x1b14:$asp_cr_write1: createobject(
  • 0x1c02:$asp_cr_write1: createobject(
  • 0x1c7a:$asp_cr_write1: createobject(
  • 0x1cd4:$asp_cr_write1: createobject(
  • 0x1f10:$asp_cr_write1: createobject(
  • 0xc82:$tagasp_capa_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
00000004.00000002.633113023.0000000002470000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
Source | Rule | Description | Author | Strings
4.2.regsvr32.exe.2470000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
4.2.regsvr32.exe.2470000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
3.2.regsvr32.exe.700000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
3.2.regsvr32.exe.700000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security

Malware Analysis System Evasion

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll, CommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf", ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 6076, ParentProcessName: wscript.exe, ProcessCommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll, ProcessId: 6140, ProcessName: regsvr32.exe
Timestamp: 03/17/23-09:11:36.169787
Source IP: 192.168.2.4
Destination IP: 104.168.155.143
Source Port: 49696
Destination Port: 8080
SID: 2404302
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-09:10:50.935597
Source IP: 192.168.2.4
Destination IP: 91.121.146.47
Source Port: 49686
Destination Port: 8080
SID: 2404344
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-09:11:04.665638
Source IP: 192.168.2.4
Destination IP: 182.162.143.56
Source Port: 49689
Destination Port: 443
SID: 2404312
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-09:10:59.416914
Source IP: 192.168.2.4
Destination IP: 66.228.32.31
Source Port: 49688
Destination Port: 7080
SID: 2404330
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-09:11:21.428977
Source IP: 192.168.2.4
Destination IP: 167.172.199.165
Source Port: 49691
Destination Port: 8080
SID: 2404308
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: Insight_Medical_Publishing.one | ReversingLabs: Detection: 30%
Source: Insight_Medical_Publishing.one | Virustotal: Detection: 40%
Source: https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/D | Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/ | Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/ | Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/ | Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM | Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/ | Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0 | Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/tM | Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/ | Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM | Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/jesecsgigcdk/zfgrij/wjhswvhm/ | Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/yM | Avira URL Cloud: Label: malware
Source: https://182.162.143.56/jesecsgigcdk/zfgrij/wjhswvhm/ | Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/ | Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/ | Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/D | Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ | Avira URL Cloud: Label: malware
Source: https://164.90.222.65:443/jesecsgigcdk/zfgrij/wjhswvhm/ | Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/: | Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllG | Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6 | Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/a | Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/vM | Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/RPROFIN | Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/xM | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/jesecsgigcdk/zfgrij/wjhswvhm/ | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/ | Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/RPROFII | Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/ | Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll | Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM | Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/o8 | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/&C | Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/ | Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/LE=C: | Avira URL Cloud: Label: malware
Source: https://penshorn.org:443/admin/Ses8712iGR8du/script.createobject( | Avira URL Cloud: Label: malware
Source: https://164.90.222.65/jesecsgigcdk/zfgrij/wjhswvhm/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll | ReversingLabs: Detection: 58%
Source: C:\Windows\System32\CRCPqQPgWxqcgJu\zBLf.dll (copy) | ReversingLabs: Detection: 58%
Source: 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Emotet
Source: unknown | HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.4:49685 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.4:49689 version: TLS 1.2
Source: Binary string: ain.pdb | source: OneNote15WatsonLog.etl.0.dr
Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdb | source: OneNote15WatsonLog.etl.0.dr
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008D28 FindFirstFileExW,

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE | Process created: C:\Windows\SysWOW64\wscript.exe

Networking

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 164.90.222.65 443
Source: C:\Windows\SysWOW64\wscript.exe | Network Connect: 203.26.41.131 443
Source: C:\Windows\SysWOW64\wscript.exe | Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 167.172.199.165 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 163.44.196.120 8080
Source: Traffic | Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.4:49689 -> 182.162.143.56:443
Source: Traffic | Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.4:49686 -> 91.121.146.47:8080
Source: Traffic | Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.4:49688 -> 66.228.32.31:7080
Source: Traffic | Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.4:49691 -> 167.172.199.165:8080
Source: Traffic | Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.4:49696 -> 104.168.155.143:8080
Source: Joe Sandbox View | ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic | HTTP traffic detected: POST /jesecsgigcdk/zfgrij/wjhswvhm/ HTTP/1.1 Connection: Keep-Alive Content-Length: 0 Host: 182.162.143.56
Source: Joe Sandbox View | IP Address: 110.232.117.186 110.232.117.186
Source: global traffic | HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: penshorn.org
Source: global traffic | TCP traffic: 192.168.2.4:49686 -> 91.121.146.47:8080
Source: global traffic | TCP traffic: 192.168.2.4:49688 -> 66.228.32.31:7080
Source: global traffic | TCP traffic: 192.168.2.4:49691 -> 167.172.199.165:8080
Source: global traffic | TCP traffic: 192.168.2.4:49696 -> 104.168.155.143:8080
Source: global traffic | TCP traffic: 192.168.2.4:49697 -> 163.44.196.120:8080
Source: global traffic | TCP traffic: 192.168.2.4:49698 -> 160.16.142.56:8080
Source: unknown | Network traffic detected: IP country count 17
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown | TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: wscript.exe, 00000001.00000003.406123541.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410685138.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407893232.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/Low
Source: regsvr32.exe, 00000004.00000003.631557827.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488456435.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632847163.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000004.00000002.632774627.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.4.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                    Source: regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?36fdbbb7baea3
                    Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ozmeydan.com/cekici/9/
                    Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ozmeydan.com/cekici/9/xM
                    Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://softwareulike.com/cWIYxWMPkK/
                    Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://softwareulike.com/cWIYxWMPkK/yM
                    Source: wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405065761.000000000599E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
                    Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0
                    Source: wscript.exe, 00000001.00000003.404701229.0000000005980000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404904476.000000000598C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/D
                    Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
                    Source: regsvr32.exe, 00000004.00000003.631557827.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632847163.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://160.16.142.56:8080/
                    Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633048018.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633400839.0000000002CEE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631327134.0000000002CEE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631876075.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/
                    Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/Low
                    Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/~
                    Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://163.44.196.120:8080/
                    Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://163.44.196.120:8080/a
                    Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633048018.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631876075.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://163.44.196.120:8080/jesecsgigcdk/zfgrij/wjhswvhm/
                    Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://164.90.222.65/jesecsgigcdk/zfgrij/wjhswvhm/
                    Source: regsvr32.exe, 00000004.00000003.631367209.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633048018.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631876075.0000000000CA3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://164.90.222.65:443/jesecsgigcdk/zfgrij/wjhswvhm/
                    Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://167.172.199.165:8080/
                    Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://167.172.199.165:8080/&C
                    Source: regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://167.172.199.165:8080/jesecsgigcdk/zfgrij/wjhswvhm/
                    Source: regsvr32.exe, 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.121.146.47:8080/
                    Source: regsvr32.exe, 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/
                    Source: regsvr32.exe, 00000004.00000003.487960749.0000000000C32000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/D
                    Source: wscript.exe, 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbvoyage.com/useragreem
                    Source: wscript.exe, 00000001.00000003.402475133.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400788663.000000000579C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407340344.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400134477.000000000578F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410176133.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400415831.0000000005797000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400837362.00000000057AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6
                    Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
                    Source: wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404821142.0000000005952000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404992491.0000000005963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404790346.0000000005948000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll
                    Source: wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllG
                    Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
                    Source: wscript.exe, 00000001.00000003.406246546.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410615490.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407565832.0000000005A30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://penshorn.org/
                    Source: wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.00000000057EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.000000000578F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406246546.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401168303.000000000583C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396577821.00000000054FC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407228406.00000000058EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.00000000055A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405042674.0000000005982000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396577821.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398739448.000000000565D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410425286.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396205174.00000000054E8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399332103.00000000056D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.000000000555C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403345800.0000000005872000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408199396.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398390395.0000000005657000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400913529.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404904476.000000000598C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/
                    Source: wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404790346.0000000005948000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/:
                    Source: wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410244672.0000000005935000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407529090.0000000005935000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/o8
                    Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/tM
                    Source: wscript.exe, 00000001.00000003.406123541.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410685138.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407893232.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://penshorn.org/l
                    Source: wscript.exe, 00000001.00000003.402475133.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400788663.000000000579C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407340344.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400134477.000000000578F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410176133.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400415831.0000000005797000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400837362.00000000057AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://penshorn.org:443/admin/Ses8712iGR8du/script.createobject(
                    Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
                    Source: wscript.exe, 00000001.00000003.404701229.0000000005980000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404904476.000000000598C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/LE=C:
                    Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
                    Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gomespontes.com.br/logs/pd/
                    Source: wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gomespontes.com.br/logs/pd/RPROFII
                    Source: wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gomespontes.com.br/logs/pd/RPROFIN
                    Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gomespontes.com.br/logs/pd/vM
                    Source: unknownHTTP traffic detected: POST /jesecsgigcdk/zfgrij/wjhswvhm/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56
                    Source: unknownDNS traffic detected: queries for: penshorn.org
                    Source: global trafficHTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org
                    Source: unknownHTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.4:49685 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.4:49689 version: TLS 1.2

E-Banking Fraud

Source: Yara match | File source: 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.regsvr32.exe.2470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.regsvr32.exe.2470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.700000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.regsvr32.exe.700000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.633268738.00000000024A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.633113023.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.394237603.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\system32\CRCPqQPgWxqcgJu\
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180006818
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000B878
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180007110
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180014555
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_006F0000
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073CC14
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074A000
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074709C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00737D6C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073263C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00738BC8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00748FC8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00746C70
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073D474
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00732C78
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073C078
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073B07C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074B460
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00755450
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074C058
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00737840
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074C44C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00741030
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074EC30
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073B83C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0075181C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00731000
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00739408
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00737C08
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00733CF4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007390F8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007348FC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007420E0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00743CD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007314D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007318DC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00745CC4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073F8C4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007408CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007380CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074A8B0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007594BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073DCB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007398AC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073AC94
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074CC84
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00745880
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00734C84
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00737530
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074B130
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00736138
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00741924
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00744D20
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074AD28
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00759910
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00747518
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00758500
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074610C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074D5F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007415C8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007395BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074BDA0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00740A70
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00733274
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073A660
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073B258
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073F65C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074A244
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00748A2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00740E2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074662C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073BA2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00734214
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073461C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00745A00
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00758A00
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074020C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00748E08
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00733E0C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007392F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007496D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074EAC0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073D6CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074A6BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073AAB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00734EB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00733ABC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073BE90
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00744A90
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00754E8C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00738A8C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074D770
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074CF70
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00738378
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073F77C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074E750
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00734758
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073975C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073D33C
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00743B14
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074E310
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073EF14
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00744F18
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073A7F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007527EC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00743FD0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00732FD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007333D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007497CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00738FB0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073FFB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00748BB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073DBA0
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00731B94
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00745384
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_02460000
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A6E42
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C0618
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B76A8
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A9B79
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A8BC8
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B8FC8
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B3FD0
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A63F4
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C73A4
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A640A
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024ACC14
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B08CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A7D6C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C6E48
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BA244
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024AB258
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024AF65C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024AA660
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B0A70
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A3274
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B8E08
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A3E0C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B020C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B5A00
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C8A00
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A461C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A4214
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024ABA2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B8A2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B0E2C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B662C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A263C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024AD6CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BEAC0
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B96D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C36FC
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A92F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C4E8C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A8A8C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C2E84
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024ABE90
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B4A90
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024AAAB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A4EB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A3ABC
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BA6BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C2AB0
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A4758
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A975C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BE750
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C8B68
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A8378
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024AF77C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BD770
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BCF70
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C5B1C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B4F18
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BE310
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C8310
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024AEF14
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B3B14
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024AD33C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B97CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A2FD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A33D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C27EC
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BFFFC
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024AA7F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B5384
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A1B94
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C47A8
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024ADBA0
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024AFFB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B8BB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A8FB0
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BC44C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A7840
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BC058
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C5450
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C5868
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BB460
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A2C78
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024AC078
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024AB07C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B6C70
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024AD474
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A9408
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A7C08
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A1000
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BA000
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C181C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A7410
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024AB83C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B1030
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BEC30
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A80CC
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024AF8C4
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B5CC4
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A18DC
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C1CD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A14D4
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B3CD4
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B20E0
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A90F8
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A48FC
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A3CF4
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C488C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B5880
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A4C84
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BCC84
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B709C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C1494
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024AAC94
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C44A8
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A98AC
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C94BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024ADCB8
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BA8B0
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C4D64
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B610C
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C8500
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C2100
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B7518
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024C9910
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BAD28
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B4D20
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B1924
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A6138
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BB130
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024B15C8
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BD5F0
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024BBDA0
Source: C:\Windows\System32\regsvr32.exe | Code function: 4_2_024A95BC
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert,
Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject,
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
Source: Insight_Medical_Publishing.one | ReversingLabs: Detection: 30%
Source: Insight_Medical_Publishing.one | Virustotal: Detection: 40%
Source: C:\Windows\SysWOW64\wscript.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing.one
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE | Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CRCPqQPgWxqcgJu\zBLf.dll"
                    Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEFile created: C:\Users\user\Documents\{F00B6BB3-41EE-4892-B100-C863D7550BEA}Jump to behavior
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEFile created: C:\Users\user\AppData\Local\Temp\{2EB17D8E-6B60-400B-AE6E-E660500E7C76} - OProcSessId.datJump to behavior
                    Source: classification engineClassification label: mal100.troj.expl.evad.winONE@9/11@1/49
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEFile read: C:\Program Files (x86)\desktop.iniJump to behavior
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00738BC8 Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification,
                    Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\regsvr32.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
                    Source: Binary string: ain.pdb source: OneNote15WatsonLog.etl.0.dr
                    Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdbain.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: OneNote15WatsonLog.etl.0.dr
                    Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdb source: OneNote15WatsonLog.etl.0.dr
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180005C69 push rdi; ret
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800056DD push rdi; ret
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0073A0FC push ebp; iretd
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_007480D7 push ebp; retf
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00736CDE push esi; iretd
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00736C9F pushad ; ret
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00739D51 push ebp; retf
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00748157 push ebp; retf
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00747D4E push ebp; iretd
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00747D3C push ebp; retf
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00747D25 push 4D8BFFFFh; retf
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0073A1D2 push ebp; iretd
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00747987 push ebp; iretd
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0073A26E push ebp; ret
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00747EAF push 458BCC5Ah; retf
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00739E8B push eax; retf
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0074C731 push esi; iretd
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_024BC731 push esi; iretd
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_024A6CDE push esi; iretd
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_024A6C9F pushad ; ret
                    Source: C:\Windows\System32\regsvr32.exeCode function: 4_2_024C6D34 push edi; ret
                    Source: rad0767A.tmp.dll.1.drStatic PE information: section name: _RDATA
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll
                    Source: C:\Windows\SysWOW64\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll
                    Source: C:\Windows\System32\regsvr32.exeFile created: C:\Windows\System32\CRCPqQPgWxqcgJu\zBLf.dll (copy)
                    Source: C:\Windows\System32\regsvr32.exeFile created: C:\Windows\System32\CRCPqQPgWxqcgJu\zBLf.dll (copy)
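The parent/child chain recorded above (ONENOTE.EXE starts wscript.exe, wscript.exe starts regsvr32.exe on a DLL in %TEMP%, and regsvr32.exe then re-registers a copy from a random-named sub-directory of System32) is the pattern behind the report's "Run temp file via regsvr32" Sigma hit. The Python below is an added example and is not part of the Joe Sandbox report or of any published Sigma rule: it parses the report's own "Process created" lines (copied verbatim as constructed sample input), applies three detections written for this chain (the rule names, the Office and script-host image lists and the System32 sub-directory heuristic are this example's own assumptions), and flags the WOW64 file-system redirection visible in the first hop, where the 32-bit wscript.exe asked for System32\regsvr32.exe but SysWOW64\regsvr32.exe was what got created.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample input: the four "Process created" lines from this report,
# in the exact text form the report prints them (parent image, child image,
# command line of the child).
SAMPLE_LINES = [
    r'Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll',
    r'Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll"',
    r'Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CRCPqQPgWxqcgJu\zBLf.dll"',
    r'Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"',
]

# "Source: <parent image>Process created: <child image> <command line>"
LINE_RE = re.compile(
    r'^Source: (?P<parent>.+?)Process created: (?P<child>[^\s"]+?\.exe)\s*(?P<cmdline>.*)$',
    re.IGNORECASE,
)
# Assumed image lists for the parent/child rules (not from the report).
OFFICE_IMAGES = {"onenote.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# A DLL under the user's %TEMP% handed to regsvr32 ("Run temp file via regsvr32").
TEMP_DLL_RE = re.compile(r'\\AppData\\Local\\Temp\\[^\s"]+\.dll', re.IGNORECASE)
# A DLL in a sub-directory of System32 rather than System32 itself. Heuristic only:
# legitimate components live in such folders too, so treat a hit as a triage hint.
SYSTEM32_SUBDIR_DLL_RE = re.compile(r'\\Windows\\System32\\[^\\\s"]+\\[^\s"]+\.dll', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessCreate:
    parent_path: str
    child_path: str
    cmdline: str

    @property
    def parent_image(self) -> str:
        return self.parent_path.rsplit("\\", 1)[-1].lower()

    @property
    def child_image(self) -> str:
        return self.child_path.rsplit("\\", 1)[-1].lower()


@dataclass(frozen=True)
class Finding:
    rule: str
    event: ProcessCreate


def parse_process_lines(lines: Iterable[str]) -> List[ProcessCreate]:
    """Parse the report's process-creation lines; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcessCreate(m["parent"], m["child"], m["cmdline"]))
    return events


def detect(events: Iterable[ProcessCreate]) -> List[Finding]:
    """Apply three parent/child rules modelled on the chain this report shows."""
    findings = []
    for ev in events:
        if ev.parent_image in OFFICE_IMAGES and ev.child_image in SCRIPT_HOSTS:
            findings.append(Finding("office_spawns_script_host", ev))
        if ev.child_image == "regsvr32.exe" and TEMP_DLL_RE.search(ev.cmdline):
            findings.append(Finding("regsvr32_loads_temp_dll", ev))
        if ev.child_image == "regsvr32.exe" and SYSTEM32_SUBDIR_DLL_RE.search(ev.cmdline):
            findings.append(Finding("regsvr32_loads_dll_from_system32_subdir", ev))
    return findings


def wow64_redirected(ev: ProcessCreate) -> bool:
    """True when the command line named System32\\<x>.exe but SysWOW64\\<x>.exe was created:
    file-system redirection for a 32-bit parent, as in the first wscript -> regsvr32 hop."""
    requested = ev.cmdline.split('"')[0].strip().lower()  # image token before any quoted argument
    return "\\system32\\" in requested and "\\syswow64\\" in ev.child_path.lower()


if __name__ == "__main__":
    evs = parse_process_lines(SAMPLE_LINES)
    for f in detect(evs):
        print(f"{f.rule}: {f.event.parent_image} -> {f.event.child_image} {f.event.cmdline}")
    for ev in evs:
        if wow64_redirected(ev):
            print(f"WOW64 redirection: {ev.parent_image} requested System32 image, got {ev.child_path}")
```

Run as a script it prints four findings (two hits on the %TEMP% DLL, one on the System32 sub-directory copy, one for ONENOTE.EXE spawning wscript.exe) and two redirection notes. When porting the rules to an EDR, match on the resolved child image rather than the image named in the command line, or the SysWOW64/System32 mismatch shown here will cause misses.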

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\regsvr32.exeFile opened: C:\Windows\system32\CRCPqQPgWxqcgJu\zBLf.dll:Zone.Identifier read attributes | delete
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\wscript.exe TID: 6104Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\SysWOW64\wscript.exe TID: 6108Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\regsvr32.exe TID: 4916Thread sleep time: -270000s >= -30000s
                    Source: C:\Windows\System32\regsvr32.exeAPI coverage: 8.0 %
                    Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-Timer
                    Source: C:\Windows\System32\regsvr32.exeProcess information queried: ProcessInformation
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180008D28 FindFirstFileExW,
                    Source: C:\Windows\System32\regsvr32.exeFile Volume queried: C:\ FullSizeInformation
                    Source: wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406123541.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405806973.0000000005A15000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406246546.0000000005A1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410685138.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407893232.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632896008.0000000000C41000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632896008.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.487960749.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488247540.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.488515239.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWh9
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_000000018000A878 GetProcessHeap,
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 164.90.222.65 443
                    Source: C:\Windows\SysWOW64\wscript.exeNetwork Connect: 203.26.41.131 443
                    Source: C:\Windows\SysWOW64\wscript.exeDomain query: penshorn.org
                    Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 66.228.32.31 7080
                    Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 187.63.160.88 80
                    Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 104.168.155.143 8080
                    Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 91.121.146.47 8080
                    Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 160.16.142.56 8080
                    Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 182.162.143.56 443
                    Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 167.172.199.165 8080
                    Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 163.44.196.120 8080
                    Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll
                    Source: C:\Windows\System32\regsvr32.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00000001800070A0 cpuid
                    Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
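The connections listed above are the loader (regsvr32.exe) and the script host (wscript.exe) reaching ten IPs on ports 80, 443, 7080 and 8080, plus one domain lookup. As an added example that is not part of the report, the Python below parses those lines (copied verbatim as constructed sample input) into IOCs, separates the endpoints on non-standard ports (the basis of the report's "Detected TCP or UDP traffic on non-standard ports" signature) and flags connections made by signed Windows binaries that do not open sockets on their own (the "System process connects to network" signature). The set of such binaries and the choice of 80 and 443 as the standard web ports are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample input: the "Network Connect" and "Domain query" lines from this
# report's HIPS / PFW / Operating System Protection Evasion section.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 164.90.222.65 443",
    r"Source: C:\Windows\SysWOW64\wscript.exeNetwork Connect: 203.26.41.131 443",
    r"Source: C:\Windows\SysWOW64\wscript.exeDomain query: penshorn.org",
    r"Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 66.228.32.31 7080",
    r"Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 187.63.160.88 80",
    r"Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 104.168.155.143 8080",
    r"Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 91.121.146.47 8080",
    r"Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 160.16.142.56 8080",
    r"Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 182.162.143.56 443",
    r"Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 167.172.199.165 8080",
    r"Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 163.44.196.120 8080",
]

# "Source: <image>Network Connect: <ip> <port>"  or  "Source: <image>Domain query: <name>"
LINE_RE = re.compile(
    r"^Source: (?P<image>.+?)(?:Network Connect: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+)"
    r"|Domain query: (?P<domain>\S+))$"
)
STANDARD_WEB_PORTS = {80, 443}  # assumption: everything else is a non-standard port
# Assumed list of signed Windows binaries that have no business opening outbound
# sockets by themselves; a connection from one of them is the report's
# "System process connects to network" condition.
NO_NETWORK_EXPECTED = {"regsvr32.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "mshta.exe"}


@dataclass(frozen=True)
class NetEvent:
    image: str               # lower-cased file name of the connecting process
    ip: Optional[str]        # set for "Network Connect" lines
    port: Optional[int]      # set for "Network Connect" lines
    domain: Optional[str]    # set for "Domain query" lines


def parse_network_lines(lines: Iterable[str]) -> List[NetEvent]:
    """Parse the report's network lines; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        image = m["image"].rsplit("\\", 1)[-1].lower()
        port = int(m["port"]) if m["port"] else None
        events.append(NetEvent(image, m["ip"], port, m["domain"]))
    return events


def non_standard_port_endpoints(events: Iterable[NetEvent]) -> Set[Tuple[str, int]]:
    """(ip, port) pairs contacted on a port outside STANDARD_WEB_PORTS."""
    return {(e.ip, e.port) for e in events if e.ip and e.port not in STANDARD_WEB_PORTS}


def lolbin_network_events(events: Iterable[NetEvent]) -> List[NetEvent]:
    """Network activity (connect or DNS) originating from a binary in NO_NETWORK_EXPECTED."""
    return [e for e in events if e.image in NO_NETWORK_EXPECTED and (e.ip or e.domain)]


def iocs(events: Iterable[NetEvent]) -> Dict[str, List[str]]:
    """Deduplicated IOC lists ready for a blocklist: IPs (numeric order), ip:port endpoints, domains."""
    events = list(events)
    ips = sorted({e.ip for e in events if e.ip}, key=lambda s: tuple(int(p) for p in s.split(".")))
    endpoints = sorted({f"{e.ip}:{e.port}" for e in events if e.ip})
    domains = sorted({e.domain for e in events if e.domain})
    return {"ips": ips, "endpoints": endpoints, "domains": domains}


if __name__ == "__main__":
    evs = parse_network_lines(SAMPLE_LINES)
    print("non-standard ports:", sorted(non_standard_port_endpoints(evs)))
    print("system binaries with network activity:", sorted({e.image for e in lolbin_network_events(evs)}))
    print("iocs:", iocs(evs))
```

Note that the 443 and 80 endpoints are still C2 (the URL table further down rates them as malware); the port split only tells you which connections a port-based egress rule would have caught, so block on the IOC list, not on the port set.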

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: Insight_Medical_Publishing.one, type: SAMPLE
                    Source: Yara matchFile source: 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 4.2.regsvr32.exe.2470000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.regsvr32.exe.2470000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.regsvr32.exe.700000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.regsvr32.exe.700000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000004.00000002.633268738.00000000024A1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.633113023.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.394237603.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

                    Remote Access Functionality

                    Source: Yara matchFile source: Insight_Medical_Publishing.one, type: SAMPLE
                    MITRE ATT&CK matrix (techniques listed per tactic; a number in parentheses is the figure the report shows next to that technique)

                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution: Scripting (1); Exploitation for Client Execution (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
                    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                    Privilege Escalation: Process Injection (111); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
                    Defense Evasion: Masquerading (21); Virtualization/Sandbox Evasion (1); Process Injection (111); Scripting (1); Hidden Files and Directories (1); Obfuscated Files or Information (1); Regsvr32 (1); DLL Side-Loading (1)
                    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery: System Time Discovery (1); Security Software Discovery (121); Virtualization/Sandbox Evasion (1); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (25); Network Service Scanning
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
                    Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                    Command and Control: Encrypted Channel (11); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (114); Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
                    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
                    Behavior Graph (ID 828491; sample Insight_Medical_Publishing.one; start date 17/03/2023; architecture WINDOWS; score 100)

                    Graph-level network nodes: 129.232.188.93 (xneelo, ZA, South Africa); 45.235.8.30 (WIKINET TELECOMUNICACOES, BR, Brazil); 37 other IPs or domains
                    Graph-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 6 other signatures

                    Process tree (each process with the files it dropped, the hosts it contacted and the signatures attached to it):
                    ONENOTE.EXE
                      wscript.exe
                        contacts penshorn.org 203.26.41.131, 443, 49685 (DREAMSCAPE-AS-AP Dreamscape Networks Limited, AU, Australia)
                        drops C:\Users\user\AppData\...\rad0767A.tmp.dll (PE32+)
                        drops C:\Users\user\AppData\Local\Temp\click.wsf (ASCII)
                        signature: System process connects to network (likely due to code injection or exploit)
                        regsvr32.exe
                          regsvr32.exe
                            drops C:\Windows\System32\...\zBLf.dll (copy) (PE32+)
                            signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                            regsvr32.exe
                              contacts 160.16.142.56, 8080 (SAKURA-B SAKURA Internet Inc, JP, Japan)
                              contacts 91.121.146.47, 49686, 8080 (OVH, FR, France)
                              contacts 7 other IPs or domains
                              signature: System process connects to network (likely due to code injection or exploit)

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand
                    Antivirus detection: submitted sample
                    Source | Detection | Scanner | Label
                    Insight_Medical_Publishing.one | 31% | ReversingLabs | Script-WScript.Trojan.OneNote
                    Insight_Medical_Publishing.one | 41% | Virustotal | -

                    Antivirus detection: dropped files
                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll | 58% | ReversingLabs | Win64.Trojan.Emotet
                    C:\Windows\System32\CRCPqQPgWxqcgJu\zBLf.dll (copy) | 58% | ReversingLabs | Win64.Trojan.Emotet

                    Antivirus detection: unpacked PE files
                    Source | Detection | Scanner | Label
                    4.2.regsvr32.exe.2470000.0.unpack | 100% | Avira | HEUR/AGEN.1215476
                    3.2.regsvr32.exe.700000.0.unpack | 100% | Avira | HEUR/AGEN.1215476

                    Antivirus detection: domains
                    No Antivirus matches

                    Antivirus detection: URLs
                    Source | Detection | Scanner | Label
                    https://penshorn.org/ | 0% | Avira URL Cloud | safe
                    https://bbvoyage.com/useragreem | 0% | Avira URL Cloud | safe
                    https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/D | 100% | Avira URL Cloud | malware
                    https://penshorn.org/admin/Ses8712iGR8du/ | 100% | Avira URL Cloud | malware
                    http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/ | 100% | Avira URL Cloud | malware
                    http://ozmeydan.com/cekici/9/ | 100% | Avira URL Cloud | malware
                    https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM | 100% | Avira URL Cloud | malware
                    https://www.gomespontes.com.br/logs/pd/ | 100% | Avira URL Cloud | malware
                    http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0 | 100% | Avira URL Cloud | malware
                    https://penshorn.org/admin/Ses8712iGR8du/tM | 100% | Avira URL Cloud | malware
                    http://softwareulike.com/cWIYxWMPkK/ | 100% | Avira URL Cloud | malware
                    https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM | 100% | Avira URL Cloud | malware
                    https://163.44.196.120:8080/jesecsgigcdk/zfgrij/wjhswvhm/ | 100% | Avira URL Cloud | malware
                    https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/ | 0% | Avira URL Cloud | safe
                    http://softwareulike.com/cWIYxWMPkK/yM | 100% | Avira URL Cloud | malware
                    https://182.162.143.56/jesecsgigcdk/zfgrij/wjhswvhm/ | 100% | Avira URL Cloud | malware
                    https://91.121.146.47:8080/ | 100% | Avira URL Cloud | malware
                    https://163.44.196.120:8080/ | 100% | Avira URL Cloud | malware
                    http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/D | 100% | Avira URL Cloud | malware
                    https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ | 100% | Avira URL Cloud | malware
                    https://164.90.222.65:443/jesecsgigcdk/zfgrij/wjhswvhm/ | 100% | Avira URL Cloud | malware
                    https://penshorn.org/admin/Ses8712iGR8du/: | 100% | Avira URL Cloud | malware
                    https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllG | 100% | Avira URL Cloud | malware
                    https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6 | 100% | Avira URL Cloud | malware
                    https://163.44.196.120:8080/a | 100% | Avira URL Cloud | malware
                    https://www.gomespontes.com.br/logs/pd/vM | 100% | Avira URL Cloud | malware
                    https://www.gomespontes.com.br/logs/pd/RPROFIN | 100% | Avira URL Cloud | malware
                    https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/~ | 0% | Avira URL Cloud | safe
                    http://ozmeydan.com/cekici/9/xM | 100% | Avira URL Cloud | malware
                    https://167.172.199.165:8080/jesecsgigcdk/zfgrij/wjhswvhm/ | 100% | Avira URL Cloud | malware
                    https://167.172.199.165:8080/ | 100% | Avira URL Cloud | malware
                    https://www.gomespontes.com.br/logs/pd/RPROFII | 100% | Avira URL Cloud | malware
                    https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/ | 100% | Avira URL Cloud | malware
                    https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll | 100% | Avira URL Cloud | malware
                    http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM | 100% | Avira URL Cloud | malware
                    https://penshorn.org/l | 0% | Avira URL Cloud | safe
                    https://penshorn.org/admin/Ses8712iGR8du/o8 | 100% | Avira URL Cloud | malware
                    https://167.172.199.165:8080/&C | 100% | Avira URL Cloud | malware
                    https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/ | 100% | Avira URL Cloud | malware
                    https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/LE=C: | 100% | Avira URL Cloud | malware
                    https://160.16.142.56:8080/ | 0% | Avira URL Cloud | safe
                    https://penshorn.org:443/admin/Ses8712iGR8du/script.createobject( | 100% | Avira URL Cloud | malware
                    https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/Low | 0% | Avira URL Cloud | safe
                    https://164.90.222.65/jesecsgigcdk/zfgrij/wjhswvhm/ | 100% | Avira URL Cloud | malware
                    Domains
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    penshorn.org | 203.26.41.131 | true | true | - | unknown
                    c-0001.c-msedge.net | 13.107.4.50 | true | false | - | unknown
                    URLs
                    Name | Malicious | Antivirus Detection | Reputation
                    https://penshorn.org/admin/Ses8712iGR8du/ | true | Avira URL Cloud: malware | unknown
                    https://182.162.143.56/jesecsgigcdk/zfgrij/wjhswvhm/ | true | Avira URL Cloud: malware | unknown
                    URLs from memory and binaries (fields: Name, Source, Malicious, Antivirus Detection, Reputation; one record per URL)

                    Name: http://ozmeydan.com/cekici/9/
                    Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp
                    Malicious: false
                    Antivirus Detection: Avira URL Cloud: malware
                    Reputation: unknown

                    Name: http://softwareulike.com/cWIYxWMPkK/
                    Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp
                    Malicious: false
                    Antivirus Detection: Avira URL Cloud: malware
                    Reputation: unknown

                    Name: https://penshorn.org/
                    Source: wscript.exe, 00000001.00000003.406246546.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410615490.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407565832.0000000005A30000.00000004.00000020.00020000.00000000.sdmp
                    Malicious: false
                    Antivirus Detection: Avira URL Cloud: safe
                    Reputation: unknown

                    Name: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
                    Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp
                    Malicious: false
                    Antivirus Detection: Avira URL Cloud: malware
                    Reputation: unknown

                    Name: https://www.gomespontes.com.br/logs/pd/
                    Source: wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp
                    Malicious: false
                    Antivirus Detection: Avira URL Cloud: malware
                    Reputation: unknown

                    Name: https://penshorn.org/admin/Ses8712iGR8du/tM
                    Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp
                    Malicious: false
                    Antivirus Detection: Avira URL Cloud: malware
                    Reputation: unknown

                    Name: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0
                    Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp
                    Malicious: false
                    Antivirus Detection: Avira URL Cloud: malware
                    Reputation: unknown

                    Name: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
                    Source: wscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmp
                    Malicious: false
                    Antivirus Detection: Avira URL Cloud: malware
                    Reputation: unknown

                    Name: https://bbvoyage.com/useragreem
                    Source: wscript.exe, 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp
                    Malicious: false
                    Antivirus Detection: Avira URL Cloud: safe
                    Reputation: unknown

                    Name: https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/D
                    Source: regsvr32.exe, 00000004.00000003.487960749.0000000000C32000.00000004.00000020.00020000.00000000.sdmp
                    Malicious: true
                    Antivirus Detection: Avira URL Cloud: malware
                    Reputation: unknown

                    Name: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
                    Source: wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000001.00000003.405065761.000000000599E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://163.44.196.120:8080/jesecsgigcdk/zfgrij/wjhswvhm/regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633048018.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631876075.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/Dwscript.exe, 00000001.00000003.404701229.0000000005980000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404904476.000000000598C000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, 
wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        http://softwareulike.com/cWIYxWMPkK/yMwscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://91.121.146.47:8080/regsvr32.exe, 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://163.44.196.120:8080/regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633048018.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633400839.0000000002CEE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631327134.0000000002CEE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631876075.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://penshorn.org/admin/Ses8712iGR8du/:wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404790346.0000000005948000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://164.90.222.65:443/jesecsgigcdk/zfgrij/wjhswvhm/regsvr32.exe, 00000004.00000003.631367209.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.633048018.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631876075.0000000000CA3000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllGwscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://www.gomespontes.com.br/logs/pd/vMwscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://163.44.196.120:8080/aregsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://www.gomespontes.com.br/logs/pd/RPROFINwscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6wscript.exe, 00000001.00000003.402475133.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400788663.000000000579C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407340344.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400134477.000000000578F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410176133.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400415831.0000000005797000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400837362.00000000057AC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        http://ozmeydan.com/cekici/9/xMwscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://167.172.199.165:8080/regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/~regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://167.172.199.165:8080/jesecsgigcdk/zfgrij/wjhswvhm/regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://www.gomespontes.com.br/logs/pd/RPROFIIwscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://91.121.146.47:8080/jesecsgigcdk/zfgrij/wjhswvhm/regsvr32.exe, 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wscript.exe, wscript.exe, 00000001.00000003.401446574.0000000005854000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407388348.000000000599C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405516131.00000000059E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398089051.0000000005618000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396833968.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397954690.0000000005570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410110561.000000000554B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410578428.0000000005A20000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399855918.0000000005710000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398372214.0000000005612000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401334096.00000000057A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396123966.00000000054E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400492446.000000000571C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404550473.0000000005941000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402856743.0000000005824000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401938541.000000000587B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402160739.0000000005881000.00000004.00000020.00020000.00000000.sdmp, 
wscript.exe, 00000001.00000003.396886242.0000000005520000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zMwscript.exe, 00000001.00000003.406411067.0000000005164000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllwscript.exe, 00000001.00000003.404879615.000000000595C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404821142.0000000005952000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404992491.0000000005963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404790346.0000000005948000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/LE=C:wscript.exe, 00000001.00000003.404701229.0000000005980000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404904476.000000000598C000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://167.172.199.165:8080/&Cregsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://penshorn.org/admin/Ses8712iGR8du/o8wscript.exe, 00000001.00000003.404069943.00000000058F8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404449141.0000000005925000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402904454.00000000058C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402574325.00000000058B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410244672.0000000005935000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404512277.000000000592E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.403395898.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407529090.0000000005935000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404263538.000000000591E000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://penshorn.org/lwscript.exe, 00000001.00000003.406123541.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410685138.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407893232.0000000005A4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395243756.0000000005A4B000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://160.16.142.56:8080/regsvr32.exe, 00000004.00000003.631557827.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632847163.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://penshorn.org:443/admin/Ses8712iGR8du/script.createobject(wscript.exe, 00000001.00000003.402475133.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400788663.000000000579C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407340344.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400134477.000000000578F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.410176133.00000000057BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400415831.0000000005797000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.400837362.00000000057AC000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        https://160.16.142.56:8080/jesecsgigcdk/zfgrij/wjhswvhm/Lowregsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://164.90.222.65/jesecsgigcdk/zfgrij/wjhswvhm/regsvr32.exe, 00000004.00000003.631909957.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631718503.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.632920249.0000000000C4D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631988721.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.631367209.0000000000C41000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: malware
                        unknown
                        Joe Sandbox Version: 37.0.0 Beryl
                        Analysis ID: 828491
                        Start date and time: 2023-03-17 09:08:34 +01:00
                        Joe Sandbox Product: CloudBasic
                        Overall analysis duration: 0h 8m 41s
                        Hypervisor based Inspection enabled: false
                        Report type: light
                        Cookbook file name: default.jbs
                        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of new started processes analysed: 10
                        Number of new started drivers analysed: 0
                        Number of existing processes analysed: 0
                        Number of existing drivers analysed: 0
                        Number of injected processes analysed: 0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode: default
                        Analysis stop reason: Timeout
                        Sample file name: Insight_Medical_Publishing.one
                        Detection: MAL
                        Classification: mal100.troj.expl.evad.winONE@9/11@1/49
                        EGA Information:
                        • Successful, ratio: 100%
                        HDC Information:
                        • Successful, ratio: 50.2% (good quality ratio 42.4%)
                        • Quality average: 60.5%
                        • Quality standard deviation: 35.6%
                        HCA Information:
                        • Successful, ratio: 89%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .one
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
                        • TCP Packets have been reduced to 100
                        • Excluded IPs from analysis (whitelisted): 13.107.4.50
                        • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net
• Not all processes were analyzed; the report is missing behavior information
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:10:16 | API Interceptor | 2x Sleep call for process: wscript.exe modified
09:10:54 | API Interceptor | 9x Sleep call for process: regsvr32.exe modified
                        Process:C:\Windows\System32\regsvr32.exe
                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                        Category:dropped
                        Size (bytes):62582
                        Entropy (8bit):7.996063107774368
                        Encrypted:true
                        SSDEEP:1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
                        MD5:E71C8443AE0BC2E282C73FAEAD0A6DD3
                        SHA1:0C110C1B01E68EDFACAEAE64781A37B1995FA94B
                        SHA-256:95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
                        SHA-512:B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
                        Malicious:false
                        Preview:MSCF....v.......,...................I.................BVrl .authroot.stl....oJ5..CK..8U....a..3.1.P. J.".t..2F2e.dHH......$E.KB.2D..-SJE....^..'..y.}..,{m.....\...]4.G.......h....148...e.gr.....48:.L...g.....Xef.x:..t...J...6-....kW6Z>....&......ye.U.Q&z:.vZ..._....a...]..T.E.....B.h.,...[....V.O.3..EW.x.?.Q..$.@.W..=.B.f..8a.Y.JK..g./%p..C.4CD.s..Jd.u..@.g=...a.. .h%..'.xjy7.E..\.....A..':.4TdW?Ko3$.Hg.z.d~....../q..C.....`...A[ W(.........9...GZ.;....l&?........F...p?... .p.....{S.L4..v.+...7.T?.....p..`..&..9.......f...0+.L.....1.2b)..vX5L'.~....2vz.,E.Ni.{#...o..w.?.#.3..h.v<.S%.].tD@!Le.w.q.7.8....QW.FT.....hE.........Y............./.%Q...k...*.Y.n..v.A..../...>B..5\..-Ko.......O<.b.K.{.O.b...._.7...4.;%9N..K.X>......kg-9..r.c.g.G|.*[.-...HT...",?.q...ad....7RE.......!f..#../....?.-.^.K.c^...+{.g......]<..$.=.O....ii7.wJ+S..Z..d.....>..J*...T..Q7..`.r,<$....\d:K`..T.n....N.....C..j.;.1SX..j....1...R....+....Yg....]....3..9..S..D..`.
                        Process:C:\Windows\System32\regsvr32.exe
                        File Type:data
                        Category:modified
                        Size (bytes):328
                        Entropy (8bit):3.1274376123142225
                        Encrypted:false
                        SSDEEP:6:kKH4ry/7UN+SkQlPlEGYRMY9z+4KlDA3RUecZUt:fwCvkPlE99SNxAhUext
                        MD5:86D7AB5209F501EDFCFD1ED207DF126C
                        SHA1:2181F1CC59070F56FFA68F1D923ABA7F05232413
                        SHA-256:ABCD9709266E0713C5D2025ACEF9A7CA53A40E3F471829B117C50FAEC4B29ABB
                        SHA-512:F55DED735B5E640899CBEFA0013E90E10F9D68E27EFDD6BA2FF505656A5520BAE0AA40EAC9769E1CFFC5E7C1BE523CD35155E82E81007F70E01BF53AFE67DDE5
                        Malicious:false
                        Preview:p...... ........*....X..(....................................................... ..........).K......&...........v...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.2.f.9.2.9.a.7.4.b.d.9.1.:.0."...
                        Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                        File Type:Matlab v4 mat-file (little endian) p\004, numeric, rows 262223750, columns 0
                        Category:dropped
                        Size (bytes):72
                        Entropy (8bit):2.106463217645438
                        Encrypted:false
                        SSDEEP:3:ulX1EA8TXlRRRllRlAaRtl:Kx8T5zX
                        MD5:F8DDA9F4FA66E49DF74640ED8AE2DD99
                        SHA1:6CB54F6F5EDD5F075CA83CA91618A094DFD590EE
                        SHA-256:B6A7101472003B8B01F4F68D685C5C8EAFA38FEF9D2F613C88487551EA80B998
                        SHA-512:D4B4F7ABBB589E0FFD694C61785EEF90007605586656E946E5B13490977B9391624C3F3F77D6F6EFEF5E73238C69CFF947DD91FE4744AFF2AE3D06C02BBD77DA
                        Malicious:false
                        Preview:.....7..........$...p...............................4...................
                        Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):32768
                        Entropy (8bit):0.7025254221055496
                        Encrypted:false
                        SSDEEP:24:9Sey7sX9lL+5lwmPs+C9+r8b3+gd//7i64/QNgi2f1qvBIUxVrkviaoAWWcvrO8Y:Mey89sxE+m6taFRNgbEveUvSH9gK8lW
                        MD5:E9B1EF3305AE282682EE76A7A2F2C852
                        SHA1:E26EEA64296D7D3DEB29EABB86188114B18279E3
                        SHA-256:F92F6088D7F7FFE2AEC559A475069790983385B898FB02BFA50BA89A9C585F96
                        SHA-512:1C58413EA61FD7411C66AA822C7B98F43D23DE2F0AEB1CC71E3C99FFFA3DB3A22917EC59041DDC00106A9E351462E035190B28E62BBA89FA2CF31EA14AC210E5
                        Malicious:false
                        Preview:.@..`....................................................................................................@.......B......kQV.X..Zb..........................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1............................................................m..h..... ......O..X..........O.n.e.N.o.t.e. .W.a.t.s.o.n. .L.o.g...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.n.e.N.o.t.e.1.5.W.a.t.s.o.n.L.o.g...e.t.l.......P.P.............................................................................7.B.........17134.1.x86fre.rs4_release.180410-1804......$.@.........U......@..%|n.z.....P:\Target\x86\ship\onenote\x-none\onmain.pdb.ain.pdb.0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.............................................
                        Process:C:\Windows\SysWOW64\wscript.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):9
                        Entropy (8bit):2.94770277922009
                        Encrypted:false
                        SSDEEP:3:tWn:tWn
                        MD5:07F5A0CFFD9B2616EA44FB90CCC04480
                        SHA1:641B12C5FFA1A31BC367390E34D441A9CE1958EE
                        SHA-256:A0430A038E7D879375C9CA5BF94CB440A3B9A002712118A7BCCC1FF82F1EA896
                        SHA-512:09E7488C138DEAD45343A79AD0CB37036C5444606CDFD8AA859EE70227A96964376A17F07E03D0FC353708CA9AAF979ABF8BC917E6C2D005A0052575E074F531
                        Malicious:true
                        Preview:badum tss
                        Process:C:\Windows\SysWOW64\wscript.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):316928
                        Entropy (8bit):7.337848702590508
                        Encrypted:false
                        SSDEEP:6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
                        MD5:BFC060937DC90B273ECCB6825145F298
                        SHA1:C156C00C7E918F0CB7363614FB1F177C90D8108A
                        SHA-256:2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
                        SHA-512:CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 58%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L`.=...n...n...nCy.o...nCy.o...nCy.o...n.z.o(..n.z.o...n.z.o...nCy.o...n...nq..n.z.o...n.z.o...n.zsn...n...n...n.z.o...nRich...n................PE..d....6.d.........." ...!.F...................................................0............ .............................................T...d...d....`..(....0............... ..........8...........................p...@............`..`............................text....D.......F.................. ..`.rdata.......`.......J..............@..@.data...............................@....pdata.......0......................@..@_RDATA..\....P......................@..@.rsrc...(....`......................@..@.reloc....... ......................@..B........................................................................................................................................................................................
                        Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):25280
                        Entropy (8bit):0.5448857236903505
                        Encrypted:false
                        SSDEEP:48:InnYXroOkOOrUd+9olgk8Z4GQTaza2oLC:ICroAOg+6lAUaza2n
                        MD5:6086328D237D6F15FF2C220161EDF1C6
                        SHA1:D69F2D0534338DA593194D26865CA5138AD00072
                        SHA-256:B685F13DDA1C89BB54C173FD26D49B6B92C9E47B653CC343ED8DBF6F1EB021E6
                        SHA-512:20475A656849ECFD7EAE8E99607A024395A98D4537F4AFBC216427AE642320B064E074551B3AD97280DA977F90E715385FC763F446957A8FBB62942262985817
                        Malicious:false
                        Preview:.%c....L..=../\xO./. .D.V.....................?.....I.......*...*...*...*...........................................................................................h............................b...............uZ..MUM...Q..h1........mO%b..xE.,._................................7...7...7...7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):3873
                        Entropy (8bit):3.4737683251160396
                        Encrypted:false
                        SSDEEP:48:K8w0udO5NXWDglIFLbqzqgdCDDGTCDqnCpd5w0udO5NXWDglh7+5DGqzWk7dCDGn:RgD7UqfGZCpdgDfLZhPfs4
                        MD5:E2CA57FD013574EE30FE50E44FF9733B
                        SHA1:E051026CF722B0749E02DDD1B67FB66891F8B903
                        SHA-256:FC94D2AE845B974DF3ED35A25D11886E1D176A6D545E90F01CFEFD31666596BD
                        SHA-512:F3DC1177A2E17D569EC0D55D657F26C63E296F30F3F790F28DD1DCF45DD35141E8E96D938334F6C1A065887B2A9F00A673EA9EA673F80CAC927C90AF1867FC40
                        Malicious:false
                        Preview:...................................FL..................F.@.. .....Q{......X....Q{...(............................P.O. .:i.....+00.../C:\.....................1......U5m..PROGRA~2.........L.qV-A....................V......z..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....j.1......PlP..MICROS~1..R.......PMPqV-A.....z....................C...M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....Z.1......P8R..Office16..B.......PMPqV-A.....z........................O.f.f.i.c.e.1.6.....b.2.(...qP.. .ONENOTE.EXE.H......qP..qV2A....3.........................O.N.E.N.O.T.E...E.X.E.......k...............-.......j...........>.S......C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .N.).../.s.i.d.e.n.o.t.e.<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\Office16\ONENOTE.EXE........................................................
                        Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):3873
                        Entropy (8bit):3.4737683251160396
                        Encrypted:false
                        SSDEEP:48:K8w0udO5NXWDglIFLbqzqgdCDDGTCDqnCpd5w0udO5NXWDglh7+5DGqzWk7dCDGn:RgD7UqfGZCpdgDfLZhPfs4
                        MD5:E2CA57FD013574EE30FE50E44FF9733B
                        SHA1:E051026CF722B0749E02DDD1B67FB66891F8B903
                        SHA-256:FC94D2AE845B974DF3ED35A25D11886E1D176A6D545E90F01CFEFD31666596BD
                        SHA-512:F3DC1177A2E17D569EC0D55D657F26C63E296F30F3F790F28DD1DCF45DD35141E8E96D938334F6C1A065887B2A9F00A673EA9EA673F80CAC927C90AF1867FC40
                        Malicious:false
                        Preview:...................................FL..................F.@.. .....Q{......X....Q{...(............................P.O. .:i.....+00.../C:\.....................1......U5m..PROGRA~2.........L.qV-A....................V......z..P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....j.1......PlP..MICROS~1..R.......PMPqV-A.....z....................C...M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....Z.1......P8R..Office16..B.......PMPqV-A.....z........................O.f.f.i.c.e.1.6.....b.2.(...qP.. .ONENOTE.EXE.H......qP..qV2A....3.........................O.N.E.N.O.T.E...E.X.E.......k...............-.......j...........>.S......C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .N.).../.s.i.d.e.n.o.t.e.<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\Office16\ONENOTE.EXE........................................................
                        Process:C:\Windows\System32\regsvr32.exe
                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                        Category:dropped
                        Size (bytes):316928
                        Entropy (8bit):7.337848702590508
                        Encrypted:false
                        SSDEEP:6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
                        MD5:BFC060937DC90B273ECCB6825145F298
                        SHA1:C156C00C7E918F0CB7363614FB1F177C90D8108A
                        SHA-256:2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
                        SHA-512:CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 58%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L`.=...n...n...nCy.o...nCy.o...nCy.o...n.z.o(..n.z.o...n.z.o...nCy.o...n...nq..n.z.o...n.z.o...n.zsn...n...n...n.z.o...nRich...n................PE..d....6.d.........." ...!.F...................................................0............ .............................................T...d...d....`..(....0............... ..........8...........................p...@............`..`............................text....D.......F.................. ..`.rdata.......`.......J..............@..@.data...............................@....pdata.......0......................@..@_RDATA..\....P......................@..@.rsrc...(....`......................@..@.reloc....... ......................@..B........................................................................................................................................................................................
                        File type:data
                        Entropy (8bit):6.730630226103355
                        TrID:
                        • Microsoft OneNote note (16024/2) 100.00%
                        File name:Insight_Medical_Publishing.one
                        File size:120428
                        MD5:ff762b2f28c3bcaaabcc6f7656f92d50
                        SHA1:9448c2d43c1e7155a4003d513c95f42fd29a2b7f
                        SHA256:62ff7b52aeac2e32e59d8168cd55db1522de07833d476c8e26b36f40724bbebe
                        SHA512:38f57c9b9df91396c4dc46284789cfc7af05db79f25adbd9a5387911a44eb65326685182860a420adb3b17657c6a82931d519fdeb0e653c663959fae557aa1ad
                        SSDEEP:1536:RDBoTVdaeNtuXndCrJJmT4HVnteV4FrdMiYcx7bfCb6HPdnX7:1BoC+tCYvSMVnte8ZP1Y6JL
                        TLSH:96C33BF1A8025C0AE123C976B1FB661399D052ED42283B2BF87D507DD978A20D5DD8EF
                        File Content Preview:.R\{...M..Sx.).......i.E......&.................?......I........*...*...*...*..................................................._fh.*..E.......n..w.....................h...........................8....... ....... ..}...M..t:."S.9.............TL.E..!......
                        Icon Hash:d4dce0626664606c
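
The "Entropy (8bit)" value listed for every dropped file above, and for the sample itself, is plain Shannon entropy in bits per byte. The block below is an added example, not part of the Joe Sandbox report, showing how that figure is computed and how a triage script should read it. Two artefacts above make the point: the 316928-byte DLL that wscript.exe wrote scores 7.34 and is marked Encrypted:false, while the cabinet regsvr32.exe wrote (the authroot.stl certificate-trust-list archive whose ctldl.windowsupdate.com URL appears in the 328-byte file next to it) scores 7.996 and Encrypted:true purely because CAB compression leaves almost no redundancy. A single "encrypted" cut-off near 8.0 therefore misses a packed PE and fires on benign archives. The thresholds and the synthetic byte patterns are assumptions of the example; only the 9-byte "badum tss" text file is a real artefact from the report, and the value computed for it reproduces the report's 2.9477.

```python
"""Entropy-based triage of dropped files, mirroring the report's 'Entropy (8bit)' field.
Added example; thresholds are assumptions, not values from the sandbox."""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0); this is the quantity Joe Sandbox
    prints as 'Entropy (8bit)'.  Empty input is defined as 0.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((k / n) * math.log2(k / n) for k in Counter(data).values())


def file_kind(data: bytes) -> str:
    """Cheap magic-byte classification, enough to separate the three kinds of artefact
    in this report: PE images, CAB archives and everything else."""
    if data[:2] == b"MZ":
        return "PE"
    if data[:4] == b"MSCF":
        return "CAB"
    return "data"


# Assumed thresholds.  The report flagged Encrypted:true only at 7.996 (the CAB) and
# false at 7.34 (the DLL); a PE that dense is already worth a second look, so PEs get
# a lower bar than generic blobs.
PE_PACKED_THRESHOLD = 7.0
GENERIC_ENCRYPTED_THRESHOLD = 7.9


def triage(data: bytes) -> dict:
    """Return kind, entropy and a verdict string for one file's bytes."""
    kind = file_kind(data)
    h = shannon_entropy(data)
    if kind == "PE" and h >= PE_PACKED_THRESHOLD:
        verdict = "packed-or-encrypted-pe"
    elif kind == "CAB":
        # Compressed archives sit near 8.0 by construction; high entropy alone is not
        # evidence of malice here (the report's authroot.stl CAB is a benign example).
        verdict = "compressed-archive"
    elif h >= GENERIC_ENCRYPTED_THRESHOLD:
        verdict = "high-entropy-blob"
    else:
        verdict = "plain"
    return {"kind": kind, "entropy": round(h, 6), "verdict": verdict}


# Constructed inputs for a stand-alone run.  Only the first is a real artefact from
# the report (the 9-byte text file wscript.exe dropped); the others are synthetic
# byte patterns built here, not the sandbox's files.
CONSTRUCTED = {
    "text": b"badum tss",
    "pe_like": b"MZ" + bytes(range(256)) * 4,    # every byte value present -> ~8 bits/byte
    "cab_like": b"MSCF" + bytes(range(256)) * 4,
    "low_entropy_pe": b"MZ" + b"\x00" * 4096,    # mostly zero padding, like an unpacked stub
}

if __name__ == "__main__":
    for name, blob in CONSTRUCTED.items():
        print(f"{name:16s} {triage(blob)}")
```

Run as a script it prints one verdict per constructed input; imported, `triage()` can be applied to any dropped file's bytes.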
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/17/23-09:11:36.169787 | TCP | 2404302 | ET CNC Feodo Tracker Reported CnC Server TCP group 2 | 49696 | 8080 | 192.168.2.4 | 104.168.155.143
03/17/23-09:10:50.935597 | TCP | 2404344 | ET CNC Feodo Tracker Reported CnC Server TCP group 23 | 49686 | 8080 | 192.168.2.4 | 91.121.146.47
03/17/23-09:11:04.665638 | TCP | 2404312 | ET CNC Feodo Tracker Reported CnC Server TCP group 7 | 49689 | 443 | 192.168.2.4 | 182.162.143.56
03/17/23-09:10:59.416914 | TCP | 2404330 | ET CNC Feodo Tracker Reported CnC Server TCP group 16 | 49688 | 7080 | 192.168.2.4 | 66.228.32.31
03/17/23-09:11:21.428977 | TCP | 2404308 | ET CNC Feodo Tracker Reported CnC Server TCP group 5 | 49691 | 8080 | 192.168.2.4 | 167.172.199.165
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 17, 2023 09:10:03.572330952 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:03.572402954 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:03.572552919 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:03.577940941 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:03.577989101 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:04.202596903 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:04.203465939 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:04.214889050 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:04.214925051 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:04.215370893 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:04.263299942 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:04.473165035 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:04.473231077 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:05.955673933 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:05.955748081 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:05.955765963 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:05.955936909 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:05.955986023 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:05.997817993 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.247741938 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.247778893 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.247978926 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.248001099 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.248080969 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.248141050 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.248162031 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.248186111 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.248197079 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.248205900 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.248249054 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.248265982 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.248286009 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.294729948 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.294780970 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.341589928 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.547575951 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.547640085 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.547830105 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.547863007 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586201906 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586244106 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586272001 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586350918 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.586389065 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586411953 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.586421967 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586436987 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586452007 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586469889 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.586482048 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586503029 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.586568117 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586581945 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586610079 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586615086 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.586637020 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586647987 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.586785078 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586801052 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586850882 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.586865902 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586890936 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586913109 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.586914062 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.586937904 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.638515949 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.638586998 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.685430050 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.839344978 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.839379072 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.839442015 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.839456081 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.839575052 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.839623928 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.839658976 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.839709044 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.878305912 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.878325939 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.878484011 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.878521919 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.878638983 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.878714085 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.878737926 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.878808022 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.878880978 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.878896952 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.879014015 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.879110098 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.879127979 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.904869080 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.904993057 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.905112982 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.905168056 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.905208111 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.905425072 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.905541897 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.905569077 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.905612946 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Mar 17, 2023 09:10:06.905687094 CET | 49685 | 443 | 192.168.2.4 | 203.26.41.131
Mar 17, 2023 09:10:06.905704021 CET | 443 | 49685 | 203.26.41.131 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 17, 2023 09:10:03.257808924 CET | 62577 | 53 | 192.168.2.4 | 8.8.8.8
Mar 17, 2023 09:10:03.556416035 CET | 53 | 62577 | 8.8.8.8 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 17, 2023 09:10:03.257808924 CET | 192.168.2.4 | 8.8.8.8 | 0x6ed1 | Standard query (0) | penshorn.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 17, 2023 09:10:03.556416035 CET | 8.8.8.8 | 192.168.2.4 | 0x6ed1 | No error (0) | penshorn.org | - | 203.26.41.131 | A (IP address) | IN (0x0001) | false
Mar 17, 2023 09:10:51.562388897 CET | 8.8.8.8 | 192.168.2.4 | 0x3961 | No error (0) | au.c-0001.c-msedge.net | c-0001.c-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Mar 17, 2023 09:10:51.562388897 CET | 8.8.8.8 | 192.168.2.4 | 0x3961 | No error (0) | c-0001.c-msedge.net | - | 13.107.4.50 | A (IP address) | IN (0x0001) | false
                        • penshorn.org
                        • 182.162.143.56
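The DNS answers and TCP rows above can be joined to separate contacts that were preceded by a name lookup from contacts made straight to an IP address. The Python below is an added example and not part of the Joe Sandbox report: it transcribes the penshorn.org answer, the c-msedge.net CNAME chain and the first two TCP rows from the tables above, and adds one constructed flow to 182.162.143.56 (that host appears in the list above, but its port and timestamp here are invented for illustration). A remote endpoint the sandbox host connected to without any DNS answer naming it is consistent with a hardcoded address list, which is how Emotet's configuration carries its C2 addresses (see "C2 URLs / IPs found in malware configuration" in the overview).

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SANDBOX_HOST = "192.168.2.4"   # the analysis VM's address in the tables above


@dataclass(frozen=True)
class DnsAnswer:
    name: str
    rtype: str   # "A" or "CNAME"
    data: str    # IPv4 address for A, target name for CNAME


@dataclass(frozen=True)
class TcpFlow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int


# Transcribed from the DNS answers table above.
DNS_ANSWERS = [
    DnsAnswer("penshorn.org", "A", "203.26.41.131"),
    DnsAnswer("au.c-0001.c-msedge.net", "CNAME", "c-0001.c-msedge.net"),
    DnsAnswer("c-0001.c-msedge.net", "A", "13.107.4.50"),
]

# First two TCP rows above, plus a constructed flow to the second host in the host list
# (182.162.143.56 is in the report; its port and timestamp here are invented).
TCP_FLOWS = [
    TcpFlow("09:10:06.904869080", "203.26.41.131", 443, SANDBOX_HOST, 49685),
    TcpFlow("09:10:06.905112982", SANDBOX_HOST, 49685, "203.26.41.131", 443),
    TcpFlow("09:10:12.000000000", SANDBOX_HOST, 49690, "182.162.143.56", 8080),  # constructed
]


def resolve_names(answers: List[DnsAnswer]) -> Dict[str, Set[str]]:
    """Map each answered IP to every queried name that led to it, following CNAME chains (bounded)."""
    cname = {a.name: a.data for a in answers if a.rtype == "CNAME"}
    a_records: Dict[str, Set[str]] = defaultdict(set)
    for a in answers:
        if a.rtype == "A":
            a_records[a.name].add(a.data)
    ip_to_names: Dict[str, Set[str]] = defaultdict(set)
    for name in set(cname) | set(a_records):
        target, hops = name, 0
        while target in cname and hops < 8:   # stop on CNAME loops or absurd chains
            target, hops = cname[target], hops + 1
        for ip in a_records.get(target, ()):
            ip_to_names[ip].add(name)
    return ip_to_names


def outbound_contacts(flows: List[TcpFlow], answers: List[DnsAnswer], local: str = SANDBOX_HOST):
    """Remote (dst, port) pairs the local host sent packets to, with the DNS names that resolved to dst."""
    names = resolve_names(answers)
    contacts: Dict[Tuple[str, int], dict] = {}
    for f in flows:
        if f.src != local or ipaddress.ip_address(f.dst).is_private:
            continue  # only client-initiated packets to non-RFC1918 addresses
        entry = contacts.setdefault((f.dst, f.dport),
                                    {"names": sorted(names.get(f.dst, ())), "packets": 0})
        entry["packets"] += 1
    return contacts


def direct_ip_contacts(contacts) -> List[Tuple[str, int]]:
    """Endpoints reached without any DNS answer naming them: consistent with a hardcoded C2 list."""
    return sorted(k for k, v in contacts.items() if not v["names"])


if __name__ == "__main__":
    seen = outbound_contacts(TCP_FLOWS, DNS_ANSWERS)
    for (ip, port), info in sorted(seen.items()):
        print(f"{ip}:{port}  names={info['names'] or '(none, direct IP)'}  packets={info['packets']}")
    print("direct-IP contacts:", direct_ip_contacts(seen))
```

In a real triage the two input lists would come from the PCAP (Zeek's dns.log and conn.log have the same fields); the point is that the hosts flagged by direct_ip_contacts are the ones to pull into the IOC list first, because a name-resolved host such as the 13.107.4.50 CNAME chain is usually background Windows traffic.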

                        Target ID:0
                        Start time:09:09:35
                        Start date:17/03/2023
                        Path:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
                        Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing.one"
                        Imagebase:0x380000
                        File size:1676072 bytes
                        MD5 hash:8D7E99CB358318E1F38803C9E6B67867
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        Target ID:1
                        Start time:09:10:00
                        Start date:17/03/2023
                        Path:C:\Windows\SysWOW64\wscript.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
                        Imagebase:0x1030000
                        File size:147456 bytes
                        MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000002.410280537.0000000005950000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
                        Reputation:high

                        Target ID:2
                        Start time:09:10:06
                        Start date:17/03/2023
                        Path:C:\Windows\SysWOW64\regsvr32.exe
                        Wow64 process (32bit):true
Commandline:"C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll"
                        Imagebase:0x2c0000
                        File size:20992 bytes
                        MD5 hash:426E7499F6A7346F0410DEAD0805586B
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:3
                        Start time:09:10:07
                        Start date:17/03/2023
                        Path:C:\Windows\System32\regsvr32.exe
                        Wow64 process (32bit):false
                        Commandline: "C:\Users\user\AppData\Local\Temp\rad0767A.tmp.dll"
                        Imagebase:0x7ff7131b0000
                        File size:24064 bytes
                        MD5 hash:D78B75FC68247E8A63ACBA846182740E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.394265744.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.394237603.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high

                        Target ID:4
                        Start time:09:10:10
                        Start date:17/03/2023
                        Path:C:\Windows\System32\regsvr32.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CRCPqQPgWxqcgJu\zBLf.dll"
                        Imagebase:0x7ff7131b0000
                        File size:24064 bytes
                        MD5 hash:D78B75FC68247E8A63ACBA846182740E
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.633268738.00000000024A1000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 00000004.00000002.632774627.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.633113023.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high

                        No disassembly