Edit tour

Windows Analysis Report
Insight_Medical_Publishing_4.one

Overview

General Information

Sample Name:	Insight_Medical_Publishing_4.one
Analysis ID:	828494
MD5:	0c521381f0d5fe36e9dbf63e9012067d
SHA1:	29d169b2eca785dc579651b7e1ed2cb9ad854f37
SHA256:	332107452ecfb3cab8af719978c4c2acc8325219b57eceb77fc2ea77529ff92d
Tags:	one
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Malicious OneNote

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Run temp file via regsvr32

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Stores files to the Windows start menu directory

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Creates a start menu entry (Start Menu\Programs\Startup)

Registers a DLL

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

ONENOTE.EXE (PID: 4884 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_4.one MD5: 8D7E99CB358318E1F38803C9E6B67867)

wscript.exe (PID: 6124 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf" MD5: 7075DD7B9BE8807FCA93ACD86F724884)

regsvr32.exe (PID: 1048 cmdline: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 604 cmdline: "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 5084 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BqnZyHskpeTuo\PjkJxfQvhUP.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

ONENOTEM.EXE (PID: 912 cmdline: /tsr MD5: DBCFA6F25577339B877D2305CAD3DEC3)

ONENOTEM.EXE (PID: 3920 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE" /tsr MD5: DBCFA6F25577339B877D2305CAD3DEC3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Emotet	While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.Emotet had been taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.	GOLD CABIN MUMMY SPIDER Mealybug	http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1 http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/ http://ropgadget.com/posts/defensive_pcres.html https://adalogics.com/blog/the-state-of-advanced-code-injections https://asec.ahnlab.com/en/33600/	https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet

Malware Configuration

Threatname: Emotet

{"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5KJfivQAlAJQ=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2QJe6vQAtAJA="]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Insight_Medical_Publishing_4.one	JoeSecurity_MalOneNote	Yara detected Malicious OneNote	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\Insight_Medical_Publishing_4.one	JoeSecurity_MalOneNote	Yara detected Malicious OneNote	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.571771558.0000000001041000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000003.350591261.00000000056C7000.00000004.00000020.00020000.00000000.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x238a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x542:$jsp4: public 0xf7a:$jsp4: public 0x15ba:$jsp4: public 0x2c2a:$jsp4: public 0xc34:$asp_payload11: wscript.shell 0x28e4:$asp_payload11: wscript.shell 0x306:$asp_multi_payload_one1: createobject 0x63e:$asp_multi_payload_one1: createobject 0x81c:$asp_multi_payload_one1: createobject 0x90a:$asp_multi_payload_one1: createobject 0x982:$asp_multi_payload_one1: createobject 0x9dc:$asp_multi_payload_one1: createobject 0xc18:$asp_multi_payload_one1: createobject 0x137e:$asp_multi_payload_one1: createobject 0x16b6:$asp_multi_payload_one1: createobject 0x24cc:$asp_multi_payload_one1: createobject 0x25ba:$asp_multi_payload_one1: createobject 0x2632:$asp_multi_payload_one1: createobject 0x268c:$asp_multi_payload_one1: createobject 0x28c8:$asp_multi_payload_one1: createobject
0000000A.00000003.350591261.00000000056C7000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0xae6:$asp_gen_obf1: "+" 0xb16:$asp_gen_obf1: "+" 0x2796:$asp_gen_obf1: "+" 0x27c6:$asp_gen_obf1: "+" 0x238a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x542:$jsp4: public 0xf7a:$jsp4: public 0x15ba:$jsp4: public 0x2c2a:$jsp4: public 0xb0:$asp_input1: request 0xf2:$asp_input1: request 0x208:$asp_input1: request 0x8fa:$asp_input1: request 0x1128:$asp_input1: request 0x116a:$asp_input1: request 0x1280:$asp_input1: request 0x25aa:$asp_input1: request 0x2dd8:$asp_input1: request 0x2e1a:$asp_input1: request 0x2f30:$asp_input1: request 0xc34:$asp_payload11: wscript.shell
0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Emotet_3	Yara detected Emotet	Joe Security
0000000C.00000002.327461788.0000000000590000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000D.00000002.571413418.0000000001010000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000A.00000003.340162075.00000000056C4000.00000004.00000020.00020000.00000000.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x538a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x2f02:$jsp4: public 0x3542:$jsp4: public 0x3f7a:$jsp4: public 0x45ba:$jsp4: public 0x5c2a:$jsp4: public 0x626a:$jsp4: public 0x6b62:$jsp4: public 0x71a2:$jsp4: public 0x8c12:$jsp4: public 0x9252:$jsp4: public 0x9c7a:$jsp4: public 0xa2ba:$jsp4: public 0x2bbc:$asp_payload11: wscript.shell 0x3c34:$asp_payload11: wscript.shell 0x58e4:$asp_payload11: wscript.shell 0x681c:$asp_payload11: wscript.shell 0x88cc:$asp_payload11: wscript.shell 0x9934:$asp_payload11: wscript.shell 0x27a4:$asp_multi_payload_one1: createobject 0x2892:$asp_multi_payload_one1: createobject
0000000A.00000003.340162075.00000000056C4000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x2a6e:$asp_gen_obf1: "+" 0x2a9e:$asp_gen_obf1: "+" 0x3ae6:$asp_gen_obf1: "+" 0x3b16:$asp_gen_obf1: "+" 0x5796:$asp_gen_obf1: "+" 0x57c6:$asp_gen_obf1: "+" 0x66ce:$asp_gen_obf1: "+" 0x66fe:$asp_gen_obf1: "+" 0x877e:$asp_gen_obf1: "+" 0x87ae:$asp_gen_obf1: "+" 0x97e6:$asp_gen_obf1: "+" 0x9816:$asp_gen_obf1: "+" 0x538a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x2f02:$jsp4: public 0x3542:$jsp4: public 0x3f7a:$jsp4: public 0x45ba:$jsp4: public 0x5c2a:$jsp4: public 0x626a:$jsp4: public 0x6b62:$jsp4: public 0x71a2:$jsp4: public
0000000A.00000003.339776726.00000000056BD000.00000004.00000020.00020000.00000000.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0xc38a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x9f02:$jsp4: public 0xa542:$jsp4: public 0xaf7a:$jsp4: public 0xb5ba:$jsp4: public 0xcc2a:$jsp4: public 0xd26a:$jsp4: public 0xdb62:$jsp4: public 0xe1a2:$jsp4: public 0xfc12:$jsp4: public 0x10252:$jsp4: public 0x10c7a:$jsp4: public 0x112ba:$jsp4: public 0x9bbc:$asp_payload11: wscript.shell 0xac34:$asp_payload11: wscript.shell 0xc8e4:$asp_payload11: wscript.shell 0xd81c:$asp_payload11: wscript.shell 0xf8cc:$asp_payload11: wscript.shell 0x10934:$asp_payload11: wscript.shell 0x97a4:$asp_multi_payload_one1: createobject 0x9892:$asp_multi_payload_one1: createobject
0000000A.00000003.339776726.00000000056BD000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x9a6e:$asp_gen_obf1: "+" 0x9a9e:$asp_gen_obf1: "+" 0xaae6:$asp_gen_obf1: "+" 0xab16:$asp_gen_obf1: "+" 0xc796:$asp_gen_obf1: "+" 0xc7c6:$asp_gen_obf1: "+" 0xd6ce:$asp_gen_obf1: "+" 0xd6fe:$asp_gen_obf1: "+" 0xf77e:$asp_gen_obf1: "+" 0xf7ae:$asp_gen_obf1: "+" 0x107e6:$asp_gen_obf1: "+" 0x10816:$asp_gen_obf1: "+" 0xc38a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x9f02:$jsp4: public 0xa542:$jsp4: public 0xaf7a:$jsp4: public 0xb5ba:$jsp4: public 0xcc2a:$jsp4: public 0xd26a:$jsp4: public 0xdb62:$jsp4: public 0xe1a2:$jsp4: public
0000000A.00000002.354227381.00000000056C8000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x1796:$asp_gen_obf1: "+" 0x17c6:$asp_gen_obf1: "+" 0x138a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x5ba:$jsp4: public 0x1c2a:$jsp4: public 0x128:$asp_input1: request 0x16a:$asp_input1: request 0x280:$asp_input1: request 0x15aa:$asp_input1: request 0x1dd8:$asp_input1: request 0x1e1a:$asp_input1: request 0x1f30:$asp_input1: request 0x18e4:$asp_payload11: wscript.shell 0x37e:$asp_multi_payload_one1: createobject 0x6b6:$asp_multi_payload_one1: createobject 0x14cc:$asp_multi_payload_one1: createobject 0x15ba:$asp_multi_payload_one1: createobject 0x1632:$asp_multi_payload_one1: createobject 0x168c:$asp_multi_payload_one1: createobject 0x18c8:$asp_multi_payload_one1: createobject 0x65c:$asp_multi_payload_one3: .run
0000000A.00000003.341613942.00000000056C4000.00000004.00000020.00020000.00000000.sdmp	webshell_asp_obfuscated	ASP webshell obfuscated	Arnim Rupp	0x538a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x2f02:$jsp4: public 0x3542:$jsp4: public 0x3f7a:$jsp4: public 0x45ba:$jsp4: public 0x5c2a:$jsp4: public 0x626a:$jsp4: public 0x6b62:$jsp4: public 0x71a2:$jsp4: public 0x8c12:$jsp4: public 0x9252:$jsp4: public 0x9c7a:$jsp4: public 0xa2ba:$jsp4: public 0x2bbc:$asp_payload11: wscript.shell 0x3c34:$asp_payload11: wscript.shell 0x58e4:$asp_payload11: wscript.shell 0x681c:$asp_payload11: wscript.shell 0x88cc:$asp_payload11: wscript.shell 0x9934:$asp_payload11: wscript.shell 0x27a4:$asp_multi_payload_one1: createobject 0x2892:$asp_multi_payload_one1: createobject
0000000A.00000003.341613942.00000000056C4000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x2a6e:$asp_gen_obf1: "+" 0x2a9e:$asp_gen_obf1: "+" 0x3ae6:$asp_gen_obf1: "+" 0x3b16:$asp_gen_obf1: "+" 0x5796:$asp_gen_obf1: "+" 0x57c6:$asp_gen_obf1: "+" 0x66ce:$asp_gen_obf1: "+" 0x66fe:$asp_gen_obf1: "+" 0x877e:$asp_gen_obf1: "+" 0x87ae:$asp_gen_obf1: "+" 0x97e6:$asp_gen_obf1: "+" 0x9816:$asp_gen_obf1: "+" 0x538a:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x2f02:$jsp4: public 0x3542:$jsp4: public 0x3f7a:$jsp4: public 0x45ba:$jsp4: public 0x5c2a:$jsp4: public 0x626a:$jsp4: public 0x6b62:$jsp4: public 0x71a2:$jsp4: public
0000000A.00000003.349899661.000000000588F000.00000004.00000020.00020000.00000000.sdmp	WEBSHELL_asp_generic	Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file	Arnim Rupp	0x11dc6:$asp_gen_obf1: "+" 0x11df6:$asp_gen_obf1: "+" 0x12e0e:$asp_gen_obf1: "+" 0x12e3e:$asp_gen_obf1: "+" 0x98b2:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8 0x3d2:$jsp4: public 0xa12:$jsp4: public 0x1225a:$jsp4: public 0x1289a:$jsp4: public 0x132a2:$jsp4: public 0x138e2:$jsp4: public 0x580:$asp_input1: request 0x5c2:$asp_input1: request 0x6d8:$asp_input1: request 0x11bda:$asp_input1: request 0x12408:$asp_input1: request 0x1244a:$asp_input1: request 0x12560:$asp_input1: request 0x12c22:$asp_input1: request 0x13450:$asp_input1: request 0x13492:$asp_input1: request
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
13.2.regsvr32.exe.1010000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
13.2.regsvr32.exe.1010000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.regsvr32.exe.590000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
12.2.regsvr32.exe.590000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security

Sigma Signatures

Malware Analysis System Evasion

Sigma detected: Run temp file via regsvr32

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll, CommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf", ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 6124, ParentProcessName: wscript.exe, ProcessCommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll, ProcessId: 1048, ProcessName: regsvr32.exe

Snort Signatures

ET CNC Feodo Tracker Reported CnC Server TCP group 2 - Source IP: 192.168.2.7 - Destination IP: 104.168.155.143

Timestamp:	192.168.2.7104.168.155.1434971580802404302 03/17/23-09:13:09.645395
SID:	2404302
Source Port:	49715
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 16 - Source IP: 192.168.2.7 - Destination IP: 66.228.32.31

Timestamp:	192.168.2.766.228.32.314970770802404330 03/17/23-09:12:39.846393
SID:	2404330
Source Port:	49707
Destination Port:	7080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 23 - Source IP: 192.168.2.7 - Destination IP: 91.121.146.47

Timestamp:	192.168.2.791.121.146.474970580802404344 03/17/23-09:12:33.263560
SID:	2404344
Source Port:	49705
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 5 - Source IP: 192.168.2.7 - Destination IP: 167.172.199.165

Timestamp:	192.168.2.7167.172.199.1654971080802404308 03/17/23-09:12:57.142531
SID:	2404308
Source Port:	49710
Destination Port:	8080
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CNC Feodo Tracker Reported CnC Server TCP group 7 - Source IP: 192.168.2.7 - Destination IP: 182.162.143.56

Timestamp:	192.168.2.7182.162.143.56497084432404312 03/17/23-09:12:45.141736
SID:	2404312
Source Port:	49708
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Insight_Medical_Publishing_4.one	ReversingLabs: Detection: 33%
Source: Insight_Medical_Publishing_4.one	Virustotal: Detection: 40%			Perma Link

Antivirus detection for URL or domain

Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/i	Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/windic2	Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/w11798	Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/f	Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/s	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8	Avira URL Cloud: Label: malware
Source: https://159.89.202.34/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/jn7	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv//	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/xJ	Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/Y	Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/A4	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/=	Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/	Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/vM	Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/	Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/ocal	Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/	Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/tM	Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/	Avira URL Cloud: Label: malware
Source: https://159.89.202.34/cH	Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM	Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/%4	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/hJ	Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/=	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/R	Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/yM	Avira URL Cloud: Label: malware
Source: https://182.162.143.56/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/j2	Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/H	Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/xM	Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM	Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/o	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/Xa4	Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/temobj	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll	ReversingLabs: Detection: 58%
Source: C:\Windows\System32\BqnZyHskpeTuo\PjkJxfQvhUP.dll (copy)	ReversingLabs: Detection: 58%

Source: 0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5KJfivQAlAJQ=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2QJe6vQAtAJA="]}

Source: unknown	HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.7:49708 version: TLS 1.2

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_0000000180008D28 FindFirstFileExW,

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

Process created: C:\Windows\SysWOW64\wscript.exe

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 159.65.88.10 8080
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 164.90.222.65 443
Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 203.26.41.131 443
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 167.172.199.165 8080
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 163.44.196.120 8080

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.7:49708 -> 182.162.143.56:443
Source: Traffic	Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.7:49705 -> 91.121.146.47:8080
Source: Traffic	Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.7:49707 -> 66.228.32.31:7080
Source: Traffic	Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.7:49710 -> 167.172.199.165:8080
Source: Traffic	Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.7:49715 -> 104.168.155.143:8080

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 91.121.146.47:8080
Source: Malware configuration extractor	IPs: 66.228.32.31:7080
Source: Malware configuration extractor	IPs: 182.162.143.56:443
Source: Malware configuration extractor	IPs: 187.63.160.88:80
Source: Malware configuration extractor	IPs: 167.172.199.165:8080
Source: Malware configuration extractor	IPs: 164.90.222.65:443
Source: Malware configuration extractor	IPs: 104.168.155.143:8080
Source: Malware configuration extractor	IPs: 163.44.196.120:8080
Source: Malware configuration extractor	IPs: 160.16.142.56:8080
Source: Malware configuration extractor	IPs: 159.89.202.34:443
Source: Malware configuration extractor	IPs: 159.65.88.10:8080
Source: Malware configuration extractor	IPs: 186.194.240.217:443
Source: Malware configuration extractor	IPs: 149.56.131.28:8080
Source: Malware configuration extractor	IPs: 72.15.201.15:8080
Source: Malware configuration extractor	IPs: 1.234.2.232:8080
Source: Malware configuration extractor	IPs: 82.223.21.224:8080
Source: Malware configuration extractor	IPs: 206.189.28.199:8080
Source: Malware configuration extractor	IPs: 169.57.156.166:8080
Source: Malware configuration extractor	IPs: 107.170.39.149:8080
Source: Malware configuration extractor	IPs: 103.43.75.120:443
Source: Malware configuration extractor	IPs: 91.207.28.33:8080
Source: Malware configuration extractor	IPs: 213.239.212.5:443
Source: Malware configuration extractor	IPs: 45.235.8.30:8080
Source: Malware configuration extractor	IPs: 119.59.103.152:8080
Source: Malware configuration extractor	IPs: 164.68.99.3:8080
Source: Malware configuration extractor	IPs: 95.217.221.146:8080
Source: Malware configuration extractor	IPs: 153.126.146.25:7080
Source: Malware configuration extractor	IPs: 197.242.150.244:8080
Source: Malware configuration extractor	IPs: 202.129.205.3:8080
Source: Malware configuration extractor	IPs: 103.132.242.26:8080
Source: Malware configuration extractor	IPs: 139.59.126.41:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 183.111.227.137:8080
Source: Malware configuration extractor	IPs: 5.135.159.50:443
Source: Malware configuration extractor	IPs: 201.94.166.162:443
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 79.137.35.198:8080
Source: Malware configuration extractor	IPs: 172.105.226.75:8080
Source: Malware configuration extractor	IPs: 94.23.45.86:4143
Source: Malware configuration extractor	IPs: 115.68.227.76:8080
Source: Malware configuration extractor	IPs: 153.92.5.27:8080
Source: Malware configuration extractor	IPs: 167.172.253.162:8080
Source: Malware configuration extractor	IPs: 188.44.20.25:443
Source: Malware configuration extractor	IPs: 147.139.166.154:8080
Source: Malware configuration extractor	IPs: 129.232.188.93:443
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 185.4.135.165:8080
Source: Malware configuration extractor	IPs: 45.176.232.124:443

Source: Joe Sandbox View

ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: global traffic

HTTP traffic detected: POST /wviitvvypaw/exnwmeb/fqgitydelxiavmv/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56

Source: Joe Sandbox View

IP Address: 110.232.117.186 110.232.117.186

Source: global traffic

HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org

Source: global traffic	TCP traffic: 192.168.2.7:49705 -> 91.121.146.47:8080
Source: global traffic	TCP traffic: 192.168.2.7:49707 -> 66.228.32.31:7080
Source: global traffic	TCP traffic: 192.168.2.7:49710 -> 167.172.199.165:8080
Source: global traffic	TCP traffic: 192.168.2.7:49715 -> 104.168.155.143:8080
Source: global traffic	TCP traffic: 192.168.2.7:49716 -> 163.44.196.120:8080
Source: global traffic	TCP traffic: 192.168.2.7:49717 -> 160.16.142.56:8080
Source: global traffic	TCP traffic: 192.168.2.7:49722 -> 159.65.88.10:8080

Source: unknown

Network traffic detected: IP country count 17

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65

Source: wscript.exe, 0000000A.00000003.351129018.0000000005957000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329298977.0000000005955000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354489899.000000000595B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.0000000005955000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353306127.0000000005959000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.410330799.0000000001109000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 0000000D.00000003.434013590.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.410330799.00000000010DA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.00000000010CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.410330799.0000000001109000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.13.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.410330799.0000000001109000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab0C
Source: wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349730028.000000000585B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ozmeydan.com/cekici
Source: wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.0000000005685000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ozmeydan.com/cekici/9/
Source: wscript.exe, 0000000A.00000002.353883825.000000000307D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353398614.000000000307C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ozmeydan.com/cekici/9/jn7
Source: wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ozmeydan.com/cekici/9/xM
Source: wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.0000000005685000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/
Source: wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/yM
Source: wscript.exe, 0000000A.00000003.332245855.0000000003119000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003119000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com
Source: wscript.exe, 0000000A.00000003.338584714.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352714501.0000000005568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-
Source: wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.0000000005685000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
Source: wscript.exe, 0000000A.00000003.350604005.000000000511B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0
Source: wscript.exe, 0000000A.00000003.349340106.000000000587E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/i
Source: wscript.exe, 0000000A.00000003.346976631.000000000584E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349194761.000000000586D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/j2
Source: wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350018876.00000000058A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349899661.000000000588F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/s
Source: wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
Source: regsvr32.exe, 0000000D.00000002.572469448.00000000010C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://100.16.142.56:8080/
Source: regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://104.168.155.143:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://104.168.155.143:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/A4
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/hJ
Source: regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/%4
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv//
Source: regsvr32.exe, 0000000D.00000002.572469448.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/=
Source: regsvr32.exe, 0000000D.00000002.572469448.000000000115C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/Xa4
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/xJ
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.89.202.34/cH
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.89.202.34/wviitvvypaw/exnwmeb/fqgitydelxiavmv/
Source: regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.142.56:8080/
Source: regsvr32.exe, 0000000D.00000002.572469448.000000000115C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.142.56:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/
Source: regsvr32.exe, 0000000D.00000002.572469448.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.44.196.120:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/
Source: regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.44.196.120:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/H
Source: regsvr32.exe, 0000000D.00000002.572469448.00000000010CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://169.65.88.10:8080/
Source: regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/
Source: regsvr32.exe, 0000000D.00000003.434013590.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/wviitvvypaw/exnwmeb/fqgitydelxiavmv/
Source: regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://66.228.32.31:7080/
Source: regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://66.228.32.31:7080/f
Source: regsvr32.exe, 0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.121.146.47:8080/Y
Source: regsvr32.exe, 0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.121.146.47:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/
Source: regsvr32.exe, 0000000D.00000003.410626582.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.121.146.47:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/=
Source: wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
Source: wscript.exe, 0000000A.00000003.353391125.0000000003093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.353921759.0000000003094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/temobj
Source: wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
Source: wscript.exe, 0000000A.00000003.351377227.0000000005931000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329298977.000000000591F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354439210.0000000005932000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.0000000005928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/
Source: wscript.exe, 0000000A.00000002.354455582.0000000005947000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351226281.0000000005947000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329298977.0000000005947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/V
Source: wscript.exe, 0000000A.00000003.353412277.000000000574F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8
Source: wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350748133.0000000003004000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352989899.00000000030BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/
Source: wscript.exe, 0000000A.00000002.354161417.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333487031.00000000054C9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.332982152.00000000054C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334262935.00000000054CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/R
Source: wscript.exe, 0000000A.00000002.353943277.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329874156.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353230721.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.328965636.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/o
Source: wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334135815.0000000005548000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338584714.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352714501.0000000005568000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333720815.000000000552F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337774489.000000000555B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337632623.0000000005554000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/ocal
Source: wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/tM
Source: wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
Source: wscript.exe, 0000000A.00000003.353391125.0000000003093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.353921759.0000000003094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/w11798
Source: wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
Source: wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/logs/pd/
Source: wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/logs/pd/vM
Source: wscript.exe, 0000000A.00000002.353779744.0000000003060000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/logs/pd/windic2

Source: unknown

HTTP traffic detected: POST /wviitvvypaw/exnwmeb/fqgitydelxiavmv/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56

Source: unknown

DNS traffic detected: queries for: penshorn.org

Source: global traffic

HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org

Source: unknown	HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.7:49708 version: TLS 1.2

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 13.2.regsvr32.exe.1010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.1010000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.571771558.0000000001041000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.327461788.0000000000590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.571413418.0000000001010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Source: 0000000A.00000003.350591261.00000000056C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.350591261.00000000056C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.340162075.00000000056C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.340162075.00000000056C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.339776726.00000000056BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.339776726.00000000056BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000002.354227381.00000000056C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.341613942.00000000056C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.341613942.00000000056C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.349899661.000000000588F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Windows\system32\BqnZyHskpeTuo\

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180006818
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_000000018000B878
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180007110
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180014555
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00580000
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CCC14
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DA000
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D709C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C7D6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C263C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C8BC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D8FC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DC058
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005E5450
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DC44C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C7840
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CB07C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C2C78
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CC078
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CD474
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D6C70
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DB460
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005E181C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C9408
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C7C08
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C1000
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CB83C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D1030
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DEC30
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C18DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C14D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D3CD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C80CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D08CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CF8C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D5CC4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C48FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C90F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C3CF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D20E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CAC94
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C4C84
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DCC84
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D5880
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005E94BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CDCB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DA8B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C98AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D7518
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005E9910
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D610C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005E8500
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C6138
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C7530
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DB130
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DAD28
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D1924
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D4D20
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D15C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DD5F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C95BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DBDA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CF65C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CB258
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DA244
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C3274
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D0A70
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CA660
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C461C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C4214
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C3E0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D020C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D8E08
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D5A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005E8A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CBA2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D8A2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D0E2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D662C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D96D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CD6CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DEAC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C92F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CBE90
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D4A90
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C8A8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005E4E8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C3ABC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DA6BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CAAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C4EB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C975C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C4758
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DE750
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CF77C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C8378
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DD770
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DCF70
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D4F18
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CEF14
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D3B14
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DE310
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CD33C
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C2FD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C33D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D3FD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D97CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CA7F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005E27EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C1B94
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D5384
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CFFB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D8BB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C8FB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CDBA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01000000
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01047D6C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104CC14
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010508CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01049B79
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010463A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010673A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01048BC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01058FC8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01053FD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01060618
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010576A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01068500
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01062100
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105610C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01069910
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01057518
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01051924
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01054D20
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105AD28
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105B130
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01046138
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01064D64
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105BDA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010495BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010515C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105D5F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01041000
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105A000
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01049408
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01047C08
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01047410
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0106181C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01051030
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105EC30
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104B83C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01047840
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105C44C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01065450
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105C058
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105B460
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01065868
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104D474
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01056C70
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104B07C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01042C78
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104C078
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01044C84
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105CC84
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01055880
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0106488C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104AC94
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01061494
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105709C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010498AC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010644A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105A8B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010694BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104DCB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104F8C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01055CC4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010480CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010414D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01053CD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01061CD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010418DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010520E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01043CF4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010448FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010490F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104EF14
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01053B14
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105E310
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01068310
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01065B1C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01054F18
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104D33C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105E750
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104975C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01044758
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01068B68
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105D770
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105CF70
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104F77C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01048378
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01055384
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01041B94
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104DBA0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010647A8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01048FB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104FFB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01058BB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010597CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01042FD4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010433D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010627EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104A7F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105FFFC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01055A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01068A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01043E0C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105020C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01058E08
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01044214
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104461C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104BA2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01058A2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01050E2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105662C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104263C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105A244
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01066E48
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104F65C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104B258
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104A660
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01043274
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01050A70
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01062E84
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01048A8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01064E8C
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104BE90
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01054A90
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01062AB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01043ABC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105A6BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104AAB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01044EB8
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105EAC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0104D6CC
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010596D4
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010492F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_010636FC

Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert,
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject,

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253

Source: Insight_Medical_Publishing_4.one	ReversingLabs: Detection: 33%
Source: Insight_Medical_Publishing_4.one	Virustotal: Detection: 40%

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_4.one
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BqnZyHskpeTuo\PjkJxfQvhUP.dll"
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE "C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE" /tsr
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BqnZyHskpeTuo\PjkJxfQvhUP.dll"

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32

Source: Send to OneNote.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user\Documents\{4F9D4FA7-F550-4E9A-B744-8AA5F9719A19}

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user~1\AppData\Local\Temp\{86590038-9E33-45B4-A336-008325B4A44C} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winONE@12/695@1/49

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_005C8BC8 Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification,

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE

Mutant created: \Sessions\1\BaseNamedObjects\OneNoteM:AppShared

Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180005C69 push rdi; ret
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00000001800056DD push rdi; ret
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C6CDE push esi; iretd
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D80D7 push ebp; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CA0FC push ebp; iretd
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C6C9F pushad ; ret
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D8157 push ebp; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C9D51 push ebp; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D7D4E push ebp; iretd
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D7D3C push ebp; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D7D25 push 4D8BFFFFh; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CA1D2 push ebp; iretd
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D7987 push ebp; iretd
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005CA26E push ebp; ret
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005C9E8B push eax; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005D7EAF push 458BCC5Ah; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_005DC731 push esi; iretd
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_01066D34 push edi; ret
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_0105C731 push esi; iretd

Source: rad16F69.tmp.dll.10.dr

Static PE information: section name: _RDATA

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll

Source: C:\Windows\System32\regsvr32.exe	File created: C:\Windows\System32\BqnZyHskpeTuo\PjkJxfQvhUP.dll (copy)
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Windows\System32\BqnZyHskpeTuo\PjkJxfQvhUP.dll (copy)

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\System32\regsvr32.exe

File opened: C:\Windows\system32\BqnZyHskpeTuo\PjkJxfQvhUP.dll:Zone.Identifier read attributes | delete

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\wscript.exe TID: 2200	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 6004	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 4108	Thread sleep time: -270000s >= -30000s

Source: C:\Windows\System32\regsvr32.exe

API coverage: 9.3 %

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\regsvr32.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_0000000180008D28 FindFirstFileExW,

Source: C:\Windows\System32\regsvr32.exe

File Volume queried: C:\ FullSizeInformation

Source: wscript.exe, 0000000A.00000003.351129018.0000000005957000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329298977.0000000005955000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354489899.000000000595B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.0000000005955000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353306127.0000000005959000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW.
Source: wscript.exe, 0000000A.00000003.351129018.0000000005957000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354379182.00000000058C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.346976631.000000000584E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329298977.0000000005955000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349340106.000000000587E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354489899.000000000595B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.0000000005955000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350121296.00000000058BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349605880.00000000058AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349744376.00000000058B4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349194761.000000000586D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 0000000D.00000003.410330799.00000000010BB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.00000000010BB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.433728463.00000000010BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_000000018000A878 GetProcessHeap,

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,

Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 159.65.88.10 8080
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 164.90.222.65 443
Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 203.26.41.131 443
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 167.172.199.165 8080
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 163.44.196.120 8080

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll

Source: C:\Windows\System32\regsvr32.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_00000001800070A0 cpuid

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Stealing of Sensitive Information

Yara detected Malicious OneNote

Source: Yara match	File source: Insight_Medical_Publishing_4.one, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\Insight_Medical_Publishing_4.one, type: DROPPED

Yara detected Emotet

Source: Yara match	File source: 0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 13.2.regsvr32.exe.1010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.1010000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.590000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.571771558.0000000001041000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.327461788.0000000000590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.571413418.0000000001010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.327486572.00000000005C1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Malicious OneNote

Source: Yara match	File source: Insight_Medical_Publishing_4.one, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\Insight_Medical_Publishing_4.one, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	2 Registry Run Keys / Startup Folder	111 Process Injection	21 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	2 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	111 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Ingress Tool Transfer	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Scripting	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	114 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Regsvr32	DCSync	25 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Insight_Medical_Publishing_4.one	33%	ReversingLabs	Win32.Trojan.OneNote
Insight_Medical_Publishing_4.one	41%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll	58%	ReversingLabs	Win64.Trojan.Emotet
C:\Windows\System32\BqnZyHskpeTuo\PjkJxfQvhUP.dll (copy)	58%	ReversingLabs	Win64.Trojan.Emotet

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
13.2.regsvr32.exe.1010000.0.unpack	100%	Avira	HEUR/AGEN.1215476		Download File
12.2.regsvr32.exe.590000.0.unpack	100%	Avira	HEUR/AGEN.1215476		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://182.162.143.56/	0%	URL Reputation	safe
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/i	100%	Avira URL Cloud	malware
https://www.gomespontes.com.br/logs/pd/windic2	100%	Avira URL Cloud	malware
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/w11798	100%	Avira URL Cloud	malware
https://66.228.32.31:7080/f	100%	Avira URL Cloud	malware
https://104.168.155.143:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	100%	Avira URL Cloud	malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/s	100%	Avira URL Cloud	malware
https://penshorn.org/V	0%	Avira URL Cloud	safe
https://penshorn.org/admin/Ses8712iGR8	100%	Avira URL Cloud	malware
https://159.89.202.34/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	100%	Avira URL Cloud	malware
http://wrappixels.com/wp-	0%	Avira URL Cloud	safe
http://ozmeydan.com/cekici/9/jn7	100%	Avira URL Cloud	malware
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv//	100%	Avira URL Cloud	malware
https://159.65.88.10:8080/xJ	100%	Avira URL Cloud	malware
https://91.121.146.47:8080/Y	100%	Avira URL Cloud	malware
https://104.168.155.143:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/A4	100%	Avira URL Cloud	malware
http://wrappixels.com	0%	Avira URL Cloud	safe
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/=	100%	Avira URL Cloud	malware
https://66.228.32.31:7080/	100%	Avira URL Cloud	malware
https://www.gomespontes.com.br/logs/pd/vM	100%	Avira URL Cloud	malware
http://softwareulike.com/cWIYxWMPkK/	100%	Avira URL Cloud	malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/	100%	Avira URL Cloud	malware
https://169.65.88.10:8080/	0%	Avira URL Cloud	safe
https://penshorn.org/admin/Ses8712iGR8du/ocal	100%	Avira URL Cloud	malware
http://ozmeydan.com/cekici/9/	100%	Avira URL Cloud	malware
https://penshorn.org/	0%	Avira URL Cloud	safe
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM	100%	Avira URL Cloud	malware
https://penshorn.org/admin/Ses8712iGR8du/tM	100%	Avira URL Cloud	malware
https://www.gomespontes.com.br/logs/pd/	100%	Avira URL Cloud	malware
https://159.89.202.34/cH	100%	Avira URL Cloud	malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM	100%	Avira URL Cloud	malware
https://91.121.146.47:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	100%	Avira URL Cloud	malware
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/%4	100%	Avira URL Cloud	malware
https://159.65.88.10:8080/	100%	Avira URL Cloud	malware
https://penshorn.org/admin/Ses8712iGR8du/	100%	Avira URL Cloud	malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0	100%	Avira URL Cloud	malware
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	100%	Avira URL Cloud	malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/	100%	Avira URL Cloud	malware
https://159.65.88.10:8080/hJ	100%	Avira URL Cloud	malware
https://91.121.146.47:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/=	100%	Avira URL Cloud	malware
https://penshorn.org/admin/Ses8712iGR8du/R	100%	Avira URL Cloud	malware
https://100.16.142.56:8080/	0%	Avira URL Cloud	safe
http://softwareulike.com/cWIYxWMPkK/yM	100%	Avira URL Cloud	malware
https://182.162.143.56/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	100%	Avira URL Cloud	malware
https://160.16.142.56:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	0%	Avira URL Cloud	safe
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/j2	100%	Avira URL Cloud	malware
https://163.44.196.120:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/H	100%	Avira URL Cloud	malware
http://ozmeydan.com/cekici/9/xM	100%	Avira URL Cloud	malware
https://163.44.196.120:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	100%	Avira URL Cloud	malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM	100%	Avira URL Cloud	malware
http://ozmeydan.com/cekici	0%	Avira URL Cloud	safe
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/	100%	Avira URL Cloud	malware
https://160.16.142.56:8080/	0%	Avira URL Cloud	safe
https://penshorn.org/admin/Ses8712iGR8du/o	100%	Avira URL Cloud	malware
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/Xa4	100%	Avira URL Cloud	malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/temobj	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
penshorn.org	203.26.41.131	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://penshorn.org/admin/Ses8712iGR8du/	true	Avira URL Cloud: malware	unknown
https://182.162.143.56/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://softwareulike.com/cWIYxWMPkK/	wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.0000000005685000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/i	wscript.exe, 0000000A.00000003.349340106.000000000587E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://182.162.143.56/	regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/s	wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350018876.00000000058A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349899661.000000000588F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.gomespontes.com.br/logs/pd/windic2	wscript.exe, 0000000A.00000002.353779744.0000000003060000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/w11798	wscript.exe, 0000000A.00000003.353391125.0000000003093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.353921759.0000000003094000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://66.228.32.31:7080/f	regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://104.168.155.143:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/	wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://159.89.202.34/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://penshorn.org/admin/Ses8712iGR8	wscript.exe, 0000000A.00000003.353412277.000000000574F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://penshorn.org/V	wscript.exe, 0000000A.00000002.354455582.0000000005947000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351226281.0000000005947000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329298977.0000000005947000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://159.65.88.10:8080/xJ	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://66.228.32.31:7080/	regsvr32.exe, 0000000D.00000003.434013590.0000000001114000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.gomespontes.com.br/logs/pd/vM	wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wrappixels.com/wp-	wscript.exe, 0000000A.00000003.338584714.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352714501.0000000005568000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv//	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ozmeydan.com/cekici/9/jn7	wscript.exe, 0000000A.00000002.353883825.000000000307D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353398614.000000000307C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://104.168.155.143:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/A4	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://91.121.146.47:8080/Y	regsvr32.exe, 0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wrappixels.com	wscript.exe, 0000000A.00000003.332245855.0000000003119000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003119000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://169.65.88.10:8080/	regsvr32.exe, 0000000D.00000002.572469448.00000000010CC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://penshorn.org/admin/Ses8712iGR8du/ocal	wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334135815.0000000005548000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338584714.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352714501.0000000005568000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333720815.000000000552F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337774489.000000000555B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337632623.0000000005554000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/=	regsvr32.exe, 0000000D.00000002.572469448.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ozmeydan.com/cekici/9/	wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.0000000005685000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://penshorn.org/	wscript.exe, 0000000A.00000003.351377227.0000000005931000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329298977.000000000591F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354439210.0000000005932000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.0000000005928000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM	wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.gomespontes.com.br/logs/pd/	wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://159.65.88.10:8080/	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://penshorn.org/admin/Ses8712iGR8du/tM	wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://91.121.146.47:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	regsvr32.exe, 0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://159.89.202.34/cH	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0	wscript.exe, 0000000A.00000003.350604005.000000000511B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM	wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/%4	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://159.65.88.10:8080/hJ	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/	wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.0000000005685000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://91.121.146.47:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/=	regsvr32.exe, 0000000D.00000003.410626582.00000000010F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://100.16.142.56:8080/	regsvr32.exe, 0000000D.00000002.572469448.00000000010C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://softwareulike.com/cWIYxWMPkK/yM	wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://penshorn.org/admin/Ses8712iGR8du/R	wscript.exe, 0000000A.00000002.354161417.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333487031.00000000054C9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.332982152.00000000054C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334262935.00000000054CC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/j2	wscript.exe, 0000000A.00000003.346976631.000000000584E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349194761.000000000586D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://160.16.142.56:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	regsvr32.exe, 0000000D.00000002.572469448.000000000115C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://163.44.196.120:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/H	regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ozmeydan.com/cekici/9/xM	wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://163.44.196.120:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/	regsvr32.exe, 0000000D.00000002.572469448.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.573121126.000000000315C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ozmeydan.com/cekici	wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349730028.000000000585B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/	wscript.exe, wscript.exe, 0000000A.00000003.344517254.000000000571B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329234815.00000000030F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330874377.0000000003109000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338612910.00000000055C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353199405.00000000058CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349921274.00000000058C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354171415.00000000054D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338364395.000000000557B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333126963.0000000005483000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338711188.0000000005646000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340959551.0000000005747000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329158898.000000000310E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333630424.00000000054AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337986785.0000000005567000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.354280215.0000000005862000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334232531.0000000005535000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340425681.000000000561C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350893818.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349970561.0000000005899000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.331782249.00000000053E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM	wscript.exe, 0000000A.00000003.350604005.0000000005120000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://160.16.142.56:8080/	regsvr32.exe, 0000000D.00000002.572469448.0000000001114000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://penshorn.org/admin/Ses8712iGR8du/o	wscript.exe, 0000000A.00000002.353943277.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329874156.00000000030BF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353230721.00000000030C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.328965636.00000000030AA000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://159.65.88.10:8080/wviitvvypaw/exnwmeb/fqgitydelxiavmv/Xa4	regsvr32.exe, 0000000D.00000002.572469448.000000000115C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/temobj	wscript.exe, 0000000A.00000003.353391125.0000000003093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.353921759.0000000003094000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
103.132.242.26	unknown	India	45117	INPL-IN-APIshansNetworkIN	true
104.168.155.143	unknown	United States	54290	HOSTWINDSUS	true
79.137.35.198	unknown	France	16276	OVHFR	true
115.68.227.76	unknown	Korea Republic of	38700	SMILESERV-AS-KRSMILESERVKR	true
163.44.196.120	unknown	Singapore	135161	GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG	true
206.189.28.199	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
203.26.41.131	penshorn.org	Australia	38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true
107.170.39.149	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
66.228.32.31	unknown	United States	63949	LINODE-APLinodeLLCUS	true
197.242.150.244	unknown	South Africa	37611	AfrihostZA	true
185.4.135.165	unknown	Greece	199246	TOPHOSTGR	true
183.111.227.137	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
45.176.232.124	unknown	Colombia	267869	CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC	true
169.57.156.166	unknown	United States	36351	SOFTLAYERUS	true
164.68.99.3	unknown	Germany	51167	CONTABODE	true
139.59.126.41	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
167.172.253.162	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
167.172.199.165	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
202.129.205.3	unknown	Thailand	45328	NIPA-AS-THNIPATECHNOLOGYCOLTDTH	true
147.139.166.154	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
153.92.5.27	unknown	Germany	47583	AS-HOSTINGERLT	true
159.65.88.10	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
172.105.226.75	unknown	United States	63949	LINODE-APLinodeLLCUS	true
164.90.222.65	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
213.239.212.5	unknown	Germany	24940	HETZNER-ASDE	true
5.135.159.50	unknown	France	16276	OVHFR	true
186.194.240.217	unknown	Brazil	262733	NetceteraTelecomunicacoesLtdaBR	true
119.59.103.152	unknown	Thailand	56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true
159.89.202.34	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
91.121.146.47	unknown	France	16276	OVHFR	true
160.16.142.56	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	true
201.94.166.162	unknown	Brazil	28573	CLAROSABR	true
91.207.28.33	unknown	Kyrgyzstan	39819	PROHOSTKG	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
103.43.75.120	unknown	Japan	20473	AS-CHOOPAUS	true
188.44.20.25	unknown	Macedonia	57374	GIV-ASMK	true
45.235.8.30	unknown	Brazil	267405	WIKINETTELECOMUNICACOESBR	true
153.126.146.25	unknown	Japan	7684	SAKURA-ASAKURAInternetIncJP	true
72.15.201.15	unknown	United States	13649	ASN-VINSUS	true
187.63.160.88	unknown	Brazil	28169	BITCOMPROVEDORDESERVICOSDEINTERNETLTDABR	true
82.223.21.224	unknown	Spain	8560	ONEANDONE-ASBrauerstrasse48DE	true
173.212.193.249	unknown	Germany	51167	CONTABODE	true
95.217.221.146	unknown	Germany	24940	HETZNER-ASDE	true
149.56.131.28	unknown	Canada	16276	OVHFR	true
182.162.143.56	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
1.234.2.232	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
129.232.188.93	unknown	South Africa	37153	xneeloZA	true
94.23.45.86	unknown	France	16276	OVHFR	true

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	828494
Start date and time:	2023-03-17 09:10:21 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 22s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	Insight_Medical_Publishing_4.one
Detection:	MAL
Classification:	mal100.troj.expl.evad.winONE@12/695@1/49
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 50.2% (good quality ratio 42.4%) Quality average: 60.5% Quality standard deviation: 35.6%
HCA Information:	Successful, ratio: 89% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .one

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
TCP Packets have been reduced to 100
Created / dropped Files have been reduced to 100
Excluded IPs from analysis (whitelisted): 52.109.88.191, 20.231.71.84, 20.25.84.51, 8.248.139.254, 8.253.207.121, 8.248.113.254, 8.238.85.126, 8.238.190.126
Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, nexus.officeapps.live.com, ctldl.windowsupdate.com, officeclient.microsoft.com, wu-bg-shim.trafficmanager.net, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:12:01	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
09:12:08	API Interceptor	2x Sleep call for process: wscript.exe modified
09:12:35	API Interceptor	11x Sleep call for process: regsvr32.exe modified

Process:	C:\Windows\System32\regsvr32.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	62582
Entropy (8bit):	7.996063107774368
Encrypted:	true
SSDEEP:	1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
MD5:	E71C8443AE0BC2E282C73FAEAD0A6DD3
SHA1:	0C110C1B01E68EDFACAEAE64781A37B1995FA94B
SHA-256:	95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
SHA-512:	B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
Malicious:	false
Preview:	MSCF....v.......,...................I.................BVrl .authroot.stl....oJ5..CK..8U....a..3.1.P. J.".t..2F2e.dHH......$E.KB.2D..-SJE....^..'..y.}..,{m.....\...]4.G.......h....148...e.gr.....48:.L...g.....Xef.x:..t...J...6-....kW6Z>....&......ye.U.Q&z:.vZ..._....a...]..T.E.....B.h.,...[....V.O.3..EW.x.?.Q..$.@.W..=.B.f..8a.Y.JK..g./%p..C.4CD.s..Jd.u..@.g=...a.. .h%..'.xjy7.E..\.....A..':.4TdW?Ko3$.Hg.z.d~....../q..C.....`...A[ W(.........9...GZ.;....l&?........F...p?... .p.....{S.L4..v.+...7.T?.....p..`..&..9.......f...0+.L.....1.2b)..vX5L'.~....2vz.,E.Ni.{#...o..w.?.#.3..h.v<.S%.].tD@!Le.w.q.7.8....QW.FT.....hE.........Y............./.%Q...k....Y.n..v.A..../...>B..5\..-Ko.......O<.b.K.{.O.b...._.7...4.;%9N..K.X>......kg-9..r.c.g.G\|.[.-...HT...",?.q...ad....7RE.......!f..#../....?.-.^.K.c^...+{.g......]<..$.=.O....ii7.wJ+S..Z..d.....>..J*...T..Q7..`.r,<$....\d:K`..T.n....N.....C..j.;.1SX..j....1...R....+....Yg....]....3..9..S..D..`.

Process:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	154907
Entropy (8bit):	5.3520187063583995
Encrypted:	false
SSDEEP:	1536:V+C76gfYBIB9guw6LQ9DQl+zQxik4F77nXmvidlXRpE6Lhz67:ccQ9DQl+zrXgb
MD5:	1DB833D2AB3E61B3E206884BDCC4961B
SHA1:	DC7601BA212B9228CE8315D05250763237118F63
SHA-256:	EFFDAE6EFE38C375A4250E3582DCCAFAAF3E25A6A6143F656DE1E70922BD3A8F
SHA-512:	9B582B9DA040AC520A98509AB99F91775FFF65A30AB0A63A8C11906FC4CF773A14C5EEF115729D133F2863DBA9CE03FB06E095BA0F8013BF66F4DF10D5376673
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2023-03-17T08:11:24">.. Build: 16.0.16310.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuthorityU

File type:	data
Entropy (8bit):	6.730643971908688
TrID:	Microsoft OneNote note (16024/2) 100.00%
File name:	Insight_Medical_Publishing_4.one
File size:	120428
MD5:	0c521381f0d5fe36e9dbf63e9012067d
SHA1:	29d169b2eca785dc579651b7e1ed2cb9ad854f37
SHA256:	332107452ecfb3cab8af719978c4c2acc8325219b57eceb77fc2ea77529ff92d
SHA512:	cf0b022919e0df0e320e2c08e1da2662e1000f78cf1febeae00af28790aa1988205e6c586ba4fd504b3368bf206bbba7753f8aae6194a55a0688b3e223b62997
SSDEEP:	1536:RDBoTVdaeNtuXndCrJJmT4HVnteV4FrdMiYcx7bfCb6HPdnXp:1BoC+tCYvSMVnte8ZP1Y6JZ
TLSH:	8FC33BF1A8025C0AE123C976B1FB661399D052ED42283B2BF87D507DD978A20D5DD8EF
File Content Preview:	.R\{...M..Sx.).......i.E......&.................?......I...................................................................._fh.*..E.......n..w.....................h...........................8....... ....... ..}...M..t:."S.9.............TL.E..!......

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 17, 2023 09:11:49.553107977 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:49.553170919 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:49.553322077 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:49.561207056 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:49.561239958 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.134738922 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.134954929 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.139224052 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.139254093 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.139848948 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.194025993 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.430511951 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.430569887 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.718293905 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.718365908 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.718377113 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.718406916 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.718445063 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.718481064 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.718513012 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.772311926 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.993554115 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993578911 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993630886 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993674040 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993702888 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.993724108 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993738890 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993755102 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993757010 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.993772030 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993782997 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.993807077 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.993854046 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:50.993916035 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:50.993932009 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.037832975 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.269156933 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269191027 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269273043 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269324064 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269397020 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.269442081 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269495964 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.269553900 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.269555092 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269582033 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269591093 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269643068 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.269678116 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.269685984 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269722939 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269805908 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.269825935 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269871950 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.269946098 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.269967079 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.313996077 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.314233065 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.314266920 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.366060019 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.544941902 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.544970036 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545031071 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545084000 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545100927 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545166969 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.545219898 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545252085 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.545264959 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545325041 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545336962 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.545344114 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545372963 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545387030 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.545420885 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.545430899 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545459986 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545530081 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.545542955 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545667887 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545737982 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545752048 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545762062 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.545789957 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.545842886 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.545948029 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546036959 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.546049118 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546072006 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546135902 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.546243906 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546325922 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.546343088 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546360016 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546421051 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.546437025 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546489954 CET	49702	443	192.168.2.7	203.26.41.131
Mar 17, 2023 09:11:51.546500921 CET	443	49702	203.26.41.131	192.168.2.7
Mar 17, 2023 09:11:51.546535015 CET	443	49702	203.26.41.131	192.168.2.7

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 17, 2023 09:11:49.227663040 CET	50330	53	192.168.2.7	8.8.8.8
Mar 17, 2023 09:11:49.539346933 CET	53	50330	8.8.8.8	192.168.2.7

Target ID:	0
Start time:	09:11:21
Start date:	17/03/2023
Path:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_4.one
Imagebase:	0x190000
File size:	1676072 bytes
MD5 hash:	8D7E99CB358318E1F38803C9E6B67867
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Target ID:	10
Start time:	09:11:46
Start date:	17/03/2023
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Imagebase:	0xdd0000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 0000000A.00000003.350591261.00000000056C7000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.350591261.00000000056C7000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 0000000A.00000003.340162075.00000000056C4000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.340162075.00000000056C4000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 0000000A.00000003.339776726.00000000056BD000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.339776726.00000000056BD000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000002.354227381.00000000056C8000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 0000000A.00000003.341613942.00000000056C4000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.341613942.00000000056C4000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 0000000A.00000003.349899661.000000000588F000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
Reputation:	high

Target ID:	11
Start time:	09:11:51
Start date:	17/03/2023
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad16F69.tmp.dll
Imagebase:	0xbf0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	13
Start time:	09:11:56
Start date:	17/03/2023
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BqnZyHskpeTuo\PjkJxfQvhUP.dll"
Imagebase:	0x7ff6c6740000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.571771558.0000000001041000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 0000000D.00000002.572082302.000000000107B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.571413418.0000000001010000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security

Target ID:	14
Start time:	09:12:00
Start date:	17/03/2023
Path:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Wow64 process (32bit):	true
Commandline:	/tsr
Imagebase:	0xf30000
File size:	157872 bytes
MD5 hash:	DBCFA6F25577339B877D2305CAD3DEC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Target ID:	15
Start time:	09:12:09
Start date:	17/03/2023
Path:	C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE" /tsr
Imagebase:	0xf30000
File size:	157872 bytes
MD5 hash:	DBCFA6F25577339B877D2305CAD3DEC3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Insight_Medical_Publishing_4.one

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Emotet

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Malware Analysis System Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1A820D3C-0F4E-4D92-BB7D-90BF78AE86CD

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000005.bin (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000006.bin (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000007.bin (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000008.bin (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\00000009.bin (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000A.bin (copy)

C:\Users\user\AppData\Local\Microsoft\OneNote\16.0\cache\0000000B.bin (copy)

Windows Analysis Report
Insight_Medical_Publishing_4.one

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre