
Windows Analysis Report
Insight_Medical_Publishing_3.one

Overview

General Information

Sample Name: Insight_Medical_Publishing_3.one
Analysis ID: 828495
MD5: 0d8f675a79a32d286f8eccb2ff989c91
SHA1: e0796075d09841386c12f37503495c9624a3c393
SHA256: 7ef31d3538810c895812e331db91f905693b99b682d062d9d0b4dab5df0da0a2
Tags: one

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Malicious OneNote
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Run temp file via regsvr32
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • ONENOTE.EXE (PID: 5852 cmdline: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_3.one MD5: 8D7E99CB358318E1F38803C9E6B67867)
    • wscript.exe (PID: 4976 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • regsvr32.exe (PID: 4920 cmdline: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
        • regsvr32.exe (PID: 3156 cmdline: "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
          • regsvr32.exe (PID: 1652 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
  • cleanup
Name: Emotet
Description: While Emotet was historically a banking malware organized as a botnet, it is now mostly seen as infrastructure-as-a-service for content delivery. For example, since mid-2018 it has been used by Trickbot for installs, which may in turn lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It still steals information from victims, but the criminal gang behind it opened up another business channel by selling its infrastructure to deliver additional malicious software. Malware analysts classify it into epochs according to its command and control, payloads, and delivery mechanisms, which change over time. Emotet was taken down by authorities in January 2021 but appears to have sprung back to life in November 2021.
Attribution:
  • GOLD CABIN
  • MUMMY SPIDER
  • Mealybug
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet
Malware configuration (Emotet, extracted): {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5OWVpqQATAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2gGXgqQAuAJA="]}
Source | Rule | Description | Author | Strings
Insight_Medical_Publishing_3.one | JoeSecurity_MalOneNote | Yara detected Malicious OneNote | Joe Security

Source | Rule | Description | Author | Strings
00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp | webshell_asp_obfuscated | ASP webshell obfuscated | Arnim Rupp
    • 0x38fa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
    • 0x3a1a:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
    • 0x962:$jsp4: public
    • 0xfa2:$jsp4: public
    • 0x1e6a:$jsp4: public
    • 0x2822:$jsp4: public
    • 0x2e62:$jsp4: public
    • 0x4322:$jsp4: public
    • 0x4962:$jsp4: public
    • 0x61c:$asp_payload11: wscript.shell
    • 0x24dc:$asp_payload11: wscript.shell
    • 0x3fdc:$asp_payload11: wscript.shell
    • 0x204:$asp_multi_payload_one1: createobject
    • 0x2f2:$asp_multi_payload_one1: createobject
    • 0x36a:$asp_multi_payload_one1: createobject
    • 0x3c4:$asp_multi_payload_one1: createobject
    • 0x600:$asp_multi_payload_one1: createobject
    • 0xd66:$asp_multi_payload_one1: createobject
    • 0x20c4:$asp_multi_payload_one1: createobject
    • 0x21b2:$asp_multi_payload_one1: createobject
    • 0x222a:$asp_multi_payload_one1: createobject
00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp | WEBSHELL_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp
    • 0x4ce:$asp_gen_obf1: "+"
    • 0x4fe:$asp_gen_obf1: "+"
    • 0x238e:$asp_gen_obf1: "+"
    • 0x23be:$asp_gen_obf1: "+"
    • 0x3e8e:$asp_gen_obf1: "+"
    • 0x3ebe:$asp_gen_obf1: "+"
    • 0x38fa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
    • 0x3a1a:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
    • 0x962:$jsp4: public
    • 0xfa2:$jsp4: public
    • 0x1e6a:$jsp4: public
    • 0x2822:$jsp4: public
    • 0x2e62:$jsp4: public
    • 0x4322:$jsp4: public
    • 0x4962:$jsp4: public
    • 0x2e2:$asp_input1: request
    • 0xb10:$asp_input1: request
    • 0xb52:$asp_input1: request
    • 0xc68:$asp_input1: request
    • 0x21a2:$asp_input1: request
    • 0x29d0:$asp_input1: request
00000009.00000003.346224913.0000000005175000.00000004.00000020.00020000.00000000.sdmp | WEBSHELL_asp_generic | Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Arnim Rupp
    • 0xe066:$asp_gen_obf1: "+"
    • 0xe096:$asp_gen_obf1: "+"
    • 0x154ce:$asp_gen_obf1: "+"
    • 0x154fe:$asp_gen_obf1: "+"
    • 0x1738e:$asp_gen_obf1: "+"
    • 0x173be:$asp_gen_obf1: "+"
    • 0x18e8e:$asp_gen_obf1: "+"
    • 0x18ebe:$asp_gen_obf1: "+"
    • 0x8f00:$tagasp_short2: %>
    • 0x188fa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
    • 0x18a1a:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
    • 0xe4fa:$jsp4: public
    • 0x15962:$jsp4: public
    • 0x15fa2:$jsp4: public
    • 0x16e6a:$jsp4: public
    • 0x17822:$jsp4: public
    • 0x17e62:$jsp4: public
    • 0x19322:$jsp4: public
    • 0x19962:$jsp4: public
    • 0xde7a:$asp_input1: request
    • 0xe6a8:$asp_input1: request
0000000C.00000002.580204342.0000000002B11000.00000020.00001000.00020000.00000000.sdmp | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
00000009.00000003.347622434.0000000005182000.00000004.00000020.00020000.00000000.sdmp | webshell_asp_obfuscated | ASP webshell obfuscated | Arnim Rupp
      • 0xb8fa:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
      • 0xba1a:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
      • 0x14fa:$jsp4: public
      • 0x8962:$jsp4: public
      • 0x8fa2:$jsp4: public
      • 0x9e6a:$jsp4: public
      • 0xa822:$jsp4: public
      • 0xae62:$jsp4: public
      • 0xc322:$jsp4: public
      • 0xc962:$jsp4: public
      • 0x11b4:$asp_payload11: wscript.shell
      • 0x861c:$asp_payload11: wscript.shell
      • 0xa4dc:$asp_payload11: wscript.shell
      • 0xbfdc:$asp_payload11: wscript.shell
      • 0xd9c:$asp_multi_payload_one1: createobject
      • 0xe8a:$asp_multi_payload_one1: createobject
      • 0xf02:$asp_multi_payload_one1: createobject
      • 0xf5c:$asp_multi_payload_one1: createobject
      • 0x1198:$asp_multi_payload_one1: createobject
      • 0x18fe:$asp_multi_payload_one1: createobject
      • 0x8204:$asp_multi_payload_one1: createobject
Source | Rule | Description | Author | Strings
12.2.regsvr32.exe.1220000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
12.2.regsvr32.exe.1220000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
11.2.regsvr32.exe.f10000.0.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security
11.2.regsvr32.exe.f10000.0.raw.unpack | JoeSecurity_Emotet_1 | Yara detected Emotet | Joe Security

Malware Analysis System Evasion

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll, CommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf", ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 4976, ParentProcessName: wscript.exe, ProcessCommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll, ProcessId: 4920, ProcessName: regsvr32.exe
Timestamp: 03/17/23-09:17:28.925917
Source IP: 192.168.2.3
Destination IP: 66.228.32.31
SID: 2404330
Source Port: 49686
Destination Port: 7080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-09:18:01.076339
Source IP: 192.168.2.3
Destination IP: 104.168.155.143
SID: 2404302
Source Port: 49694
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-09:17:34.182038
Source IP: 192.168.2.3
Destination IP: 182.162.143.56
SID: 2404312
Source Port: 49687
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-09:17:19.192203
Source IP: 192.168.2.3
Destination IP: 91.121.146.47
SID: 2404344
Source Port: 49684
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/17/23-09:17:48.416747
Source IP: 192.168.2.3
Destination IP: 167.172.199.165
SID: 2404308
Source Port: 49689
Destination Port: 8080
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: Insight_Medical_Publishing_3.one | ReversingLabs: Detection: 30%
Source: Insight_Medical_Publishing_3.one | Virustotal: Detection: 41%
Source: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/# | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/eB | Avira URL Cloud: Label: malware
Source: https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ | Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ | Avira URL Cloud: Label: malware
Source: https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/x | Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/ | Avira URL Cloud: Label: malware
Source: https://159.89.202.34/ | Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ | Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/ | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ | Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/vM | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/ | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/l | Avira URL Cloud: Label: malware
Source: https://159.89.202.34/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/h | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/IT | Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/000 | Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/n | Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/ | Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM | Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/ | Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/tM | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/mwollpl/ | Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM | Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/ | Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/7 | Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ | Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/ | Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/yM | Avira URL Cloud: Label: malware
Source: https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/l/ | Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/8 | Avira URL Cloud: Label: malware
Source: https://159.89.202.34/I | Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllNZr | Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/xM | Avira URL Cloud: Label: malware
Source: https://187.63.160.88:80/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/01 | Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/ | Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM | Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/_ | Avira URL Cloud: Label: malware
Source: https://159.89.202.34/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ | Avira URL Cloud: Label: malware
Source: https://164.90.222.65/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ | Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/3 | Avira URL Cloud: Label: malware
Source: penshorn.org | Virustotal: Detection: 10%
Source: https://159.89.202.34/ | Virustotal: Detection: 18%
Source: http://softwareulike.com/cWIYxWMPkK/ | Virustotal: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll | ReversingLabs: Detection: 58%
Source: C:\Windows\System32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll (copy) | ReversingLabs: Detection: 58%
Source: 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5OWVpqQATAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2gGXgqQAuAJA="]}
Source: unknown | HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.3:49683 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49687 version: TLS 1.2
Source: Binary string: ain.pdb source: OneNote15WatsonLog.etl.0.dr
Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdbain.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: OneNote15WatsonLog.etl.0.dr
Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdb source: OneNote15WatsonLog.etl.0.dr
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0000000180008D28 FindFirstFileExW,

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE | Process created: C:\Windows\SysWOW64\wscript.exe

Networking

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 164.90.222.65 443
Source: C:\Windows\SysWOW64\wscript.exe | Network Connect: 203.26.41.131 443
Source: C:\Windows\SysWOW64\wscript.exe | Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 167.172.199.165 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 163.44.196.120 8080
Source: Traffic | Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.3:49687 -> 182.162.143.56:443
Source: Traffic | Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.3:49684 -> 91.121.146.47:8080
Source: Traffic | Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.3:49686 -> 66.228.32.31:7080
Source: Traffic | Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.3:49689 -> 167.172.199.165:8080
Source: Traffic | Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.3:49694 -> 104.168.155.143:8080
Source: Malware configuration extractor | IPs (48): 91.121.146.47:8080, 66.228.32.31:7080, 182.162.143.56:443, 187.63.160.88:80, 167.172.199.165:8080, 164.90.222.65:443, 104.168.155.143:8080, 163.44.196.120:8080, 160.16.142.56:8080, 159.89.202.34:443, 159.65.88.10:8080, 186.194.240.217:443, 149.56.131.28:8080, 72.15.201.15:8080, 1.234.2.232:8080, 82.223.21.224:8080, 206.189.28.199:8080, 169.57.156.166:8080, 107.170.39.149:8080, 103.43.75.120:443, 91.207.28.33:8080, 213.239.212.5:443, 45.235.8.30:8080, 119.59.103.152:8080, 164.68.99.3:8080, 95.217.221.146:8080, 153.126.146.25:7080, 197.242.150.244:8080, 202.129.205.3:8080, 103.132.242.26:8080, 139.59.126.41:443, 110.232.117.186:8080, 183.111.227.137:8080, 5.135.159.50:443, 201.94.166.162:443, 103.75.201.2:443, 79.137.35.198:8080, 172.105.226.75:8080, 94.23.45.86:4143, 115.68.227.76:8080, 153.92.5.27:8080, 167.172.253.162:8080, 188.44.20.25:443, 147.139.166.154:8080, 129.232.188.93:443, 173.212.193.249:8080, 185.4.135.165:8080, 45.176.232.124:443
Source: Joe Sandbox View | ASN Name: RACKCORP-APRackCorpAU
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic | HTTP traffic detected:
    POST /qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ HTTP/1.1
    Connection: Keep-Alive
    Content-Length: 0
    Host: 182.162.143.56
Source: Joe Sandbox View | IP Address: 110.232.117.186
Source: global traffic | HTTP traffic detected:
    GET /admin/Ses8712iGR8du/ HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: penshorn.org
Source: global traffic | TCP traffic: 192.168.2.3:49684 -> 91.121.146.47:8080
Source: global traffic | TCP traffic: 192.168.2.3:49686 -> 66.228.32.31:7080
Source: global traffic | TCP traffic: 192.168.2.3:49689 -> 167.172.199.165:8080
Source: global traffic | TCP traffic: 192.168.2.3:49694 -> 104.168.155.143:8080
Source: global traffic | TCP traffic: 192.168.2.3:49695 -> 163.44.196.120:8080
Source: global traffic | TCP traffic: 192.168.2.3:49696 -> 160.16.142.56:8080
Source: unknown | Network traffic detected: IP country count 17
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49683
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49683 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47 (12 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.32.31 (10 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56 (9 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 187.63.160.88 (10 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165 (3 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65 (6 occurrences)
              Source: unknown HTTP traffic detected:
                POST /qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ HTTP/1.1
                Connection: Keep-Alive
                Content-Length: 0
                Host: 182.162.143.56
              Source: unknownDNS traffic detected: queries for: penshorn.org
              Source: global traffic HTTP traffic detected:
                GET /admin/Ses8712iGR8du/ HTTP/1.1
                Connection: Keep-Alive
                Accept: */*
                User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
                Host: penshorn.org
              Source: unknownHTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.3:49683 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49687 version: TLS 1.2
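              The two requests recorded above carry the traits behind the "HTTP GET or POST without a user agent" and "Uses a known web browser user agent" signatures: an empty POST straight to a bare IP on a multi-segment lower-case path (the Emotet check-in), and a GET whose User-Agent is the default string of the WinHttp.WinHttpRequest COM object, which is what a VBScript/JScript downloader sends rather than a browser. The Python below is an added triage example, not part of this report or of Joe Sandbox. The three sample requests are constructed (the first two copied from the rows above, the third a benign browser request for contrast), and the generated-path heuristic and the indicator names are the editor's assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample requests. The first two reproduce the requests recorded in
# this report (empty POST to a bare IP; GET with the WinHttpRequest default
# User-Agent); the third is a benign browser request added for contrast.
SAMPLES = {
    "emotet_c2_post": (
        "POST /qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ HTTP/1.1\r\n"
        "Connection: Keep-Alive\r\n"
        "Content-Length: 0\r\n"
        "Host: 182.162.143.56\r\n"
        "\r\n"
    ),
    "wsf_download": (
        "GET /admin/Ses8712iGR8du/ HTTP/1.1\r\n"
        "Connection: Keep-Alive\r\n"
        "Accept: */*\r\n"
        "User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)\r\n"
        "Host: penshorn.org\r\n"
        "\r\n"
    ),
    "benign_browser": (
        "GET /index.html HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/110.0\r\n"
        "Accept: text/html\r\n"
        "\r\n"
    ),
}


@dataclass
class Request:
    method: str
    path: str
    headers: dict  # header names lower-cased


def parse_request(raw: str) -> Request:
    """Split a raw HTTP/1.x request head into method, path and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


def _is_ip_literal(host: str) -> bool:
    """True when the Host header is an IP address rather than a name."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


# Assumption: three or more purely alphabetic lower-case segments plus a
# trailing slash is treated as a generated C2 path.
_RANDOM_SEGMENT = re.compile(r"^[a-z]{5,}$")


def _looks_generated(path: str) -> bool:
    segments = [s for s in path.strip("/").split("/") if s]
    return (len(segments) >= 3
            and path.endswith("/")
            and all(_RANDOM_SEGMENT.match(s) for s in segments))


def score_request(raw: str) -> list:
    """Return the indicator names that fire for one raw request, in a fixed order."""
    req = parse_request(raw)
    h = req.headers
    hits = []
    if "user-agent" not in h:
        hits.append("no_user_agent")
    if req.method == "POST" and h.get("content-length") == "0":
        hits.append("empty_post")
    if _is_ip_literal(h.get("host", "")):
        hits.append("ip_literal_host")
    if _looks_generated(req.path):
        hits.append("generated_path")
    # Default User-Agent of the WinHttp.WinHttpRequest COM object: a script,
    # not a browser, issued the request.
    if "WinHttp.WinHttpRequest" in h.get("user-agent", ""):
        hits.append("winhttprequest_ua")
    return hits


def triage(samples: dict) -> dict:
    """Map sample name -> indicators for every request that fires at least one."""
    result = {}
    for name, raw in samples.items():
        hits = score_request(raw)
        if hits:
            result[name] = hits
    return result


if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(f"{name}: {', '.join(hits)}")
```

              The check-in request fires four indicators on its own, while the WinHttpRequest GET fires only the User-Agent check; in a real pipeline the latter is worth correlating with the process that opened the socket (here a script host) before alerting, since legitimate administrative scripts use the same COM object.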

              E-Banking Fraud

              Source: Yara matchFile source: 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 12.2.regsvr32.exe.1220000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 12.2.regsvr32.exe.1220000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.regsvr32.exe.f10000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 11.2.regsvr32.exe.f10000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000C.00000002.580204342.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.579427861.0000000001220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.334703858.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
              Source: 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
              Source: 00000009.00000003.346224913.0000000005175000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
              Source: 00000009.00000003.347622434.0000000005182000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
              Source: 00000009.00000003.347622434.0000000005182000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
              Source: 00000009.00000002.353529377.000000000518B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
              Source: 00000009.00000002.353529377.000000000518B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
              Source: 00000009.00000003.347751255.0000000005182000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
              Source: 00000009.00000003.347751255.0000000005182000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
              Source: 00000009.00000003.348256209.0000000005189000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
              Source: 00000009.00000003.348256209.0000000005189000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
              Source: C:\Windows\System32\regsvr32.exeFile created: C:\Windows\system32\ZLTlFkhzfcDaCjB\
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0000000180006818
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_000000018000B878
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0000000180007110
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0000000180008D28
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0000000180014555
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00EF0000
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5709C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4CC14
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5A000
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F47D6C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4263C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F48BC8
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F58FC8
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F43CF4
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F448FC
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F490F8
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F520E0
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F414D4
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F53CD4
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F418DC
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4F8C4
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F55CC4
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F480CC
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F508CC
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5A8B0
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F694BC
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4DCB8
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F498AC
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4AC94
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F44C84
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5CC84
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F55880
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4D474
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F56C70
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4B07C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F42C78
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4C078
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5B460
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F65450
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5C058
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F47840
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5C44C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F51030
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5EC30
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4B83C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F6181C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F41000
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F49408
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F47C08
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5D5F0
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F515C8
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F495BC
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5BDA0
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F47530
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5B130
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F46138
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F51924
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F54D20
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5AD28
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F69910
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F57518
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F68500
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5610C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F492F0
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F596D4
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5EAC0
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4D6CC
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F43ABC
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5A6BC
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4AAB8
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F44EB8
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4BE90
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F54A90
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F48A8C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F64E8C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F43274
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F50A70
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4A660
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4F65C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4B258
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5A244
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4BA2C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F58A2C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F50E2C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5662C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F44214
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4461C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F55A00
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F68A00
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F43E0C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5020C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F58E08
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4A7F0
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F627EC
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F42FD4
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F433D4
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F53FD0
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F597CC
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F48FB0
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4FFB8
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F58BB8
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4DBA0
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F41B94
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F55384
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5D770
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5CF70
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4F77C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F48378
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5E750
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4975C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F44758
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4D33C
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F4EF14
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F53B14
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F5E310
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F54F18
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_01210000
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B276A8
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B30618
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B16E42
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B373A4
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B163F4
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B23FD0
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B18BC8
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B28FC8
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B19B79
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B208CC
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1CC14
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1640A
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B17D6C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B32AB0
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1AAB8
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B14EB8
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B13ABC
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2A6BC
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1BE90
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B24A90
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B32E84
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B18A8C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B34E8C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B192F0
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B336FC
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B296D4
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2EAC0
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1D6CC
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1263C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1BA2C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B28A2C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B20E2C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2662C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B14214
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1461C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B25A00
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B38A00
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B28E08
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B13E0C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2020C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B20A70
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B13274
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1A660
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1B258
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1F65C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2A244
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B36E48
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B18FB0
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1FFB8
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B28BB8
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1DBA0
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B347A8
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B11B94
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B25384
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1A7F0
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2FFFC
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B327EC
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B12FD4
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B133D4
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B297CC
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1D33C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2E310
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B38310
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1EF14
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B23B14
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B24F18
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B35B1C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2D770
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2CF70
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B18378
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1F77C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B38B68
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2E750
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B14758
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1975C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2A8B0
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1DCB8
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B394BC
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B344A8
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B198AC
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1AC94
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B31494
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2709C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B25880
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B14C84
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2CC84
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B3488C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B13CF4
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B190F8
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B148FC
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B220E0
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B114D4
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B23CD4
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B31CD4
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B118DC
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1F8C4
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B25CC4
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B180CC
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B21030
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2EC30
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1B83C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B17410
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B3181C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B11000
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2A000
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B19408
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B17C08
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B26C70
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1D474
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B12C78
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1C078
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B1B07C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2B460
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B35868
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B35450
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2C058
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B17840
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2C44C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B195BC
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2BDA0
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2D5F0
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B215C8
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2B130
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B16138
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B24D20
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B21924
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2AD28
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B39910
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B27518
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B38500
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B32100
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B2610C
              Source: C:\Windows\System32\regsvr32.exeCode function: 12_2_02B34D64
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert,
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject,
              Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
              Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dll
              Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dll
              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
              Source: Insight_Medical_Publishing_3.oneReversingLabs: Detection: 30%
              Source: Insight_Medical_Publishing_3.oneVirustotal: Detection: 41%
              Source: C:\Windows\SysWOW64\wscript.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_3.one
              Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEProcess created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll
              Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll"
              Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll"
              Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32
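              The process tree above (ONENOTE.EXE launching wscript.exe on click.wsf, wscript.exe handing a .tmp.dll in the user's Temp directory to regsvr32.exe, the SysWOW64 regsvr32.exe starting the System32 regsvr32.exe on the same DLL, and a final regsvr32.exe loading a copy from a directory with a random-looking name under system32) is what the "Run temp file via regsvr32" Sigma hit and the "Drops PE files to the windows directory" signature describe. The Python below is an added detection example, not part of this report and not a Joe Sandbox or Sigma rule. It works on Sysmon-style process-creation events collected elsewhere; the process IDs, the benign msiexec/regsvr32 pair, the application name lists and the two path regexes are the editor's constructed assumptions.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events reproducing the chain recorded in this report. PIDs are
# invented (the report only gives process indices); the msiexec/regsvr32 pair
# at the end is a benign contrast that a path-only rule would also flag.
EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_3.one"'),
    ProcEvent(101, 100, r"C:\Windows\SysWOW64\wscript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"'),
    ProcEvent(102, 101, r"C:\Windows\SysWOW64\regsvr32.exe",
              r'C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll"'),
    ProcEvent(103, 102, r"C:\Windows\System32\regsvr32.exe",
              r'"C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll"'),
    ProcEvent(104, 103, r"C:\Windows\System32\regsvr32.exe",
              r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll"'),
    ProcEvent(200, 1, r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i setup.msi"),
    ProcEvent(201, 200, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'),
]

# Assumed name lists; extend to match the environment.
OFFICE_APPS = {"onenote.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}

# Assumed path heuristics: a DLL (or .tmp) under the user's Temp directory, and
# a DLL inside a subdirectory of system32 (DLLs that regsvr32 legitimately
# registers live in system32 itself or under Program Files).
_TEMP_DLL = re.compile(r'\\AppData\\Local\\Temp\\[^"]+\.(dll|tmp)\b', re.I)
_SYS32_SUBDIR_DLL = re.compile(r'\\Windows\\system32\\[^\\"]+\\[^\\"]+\.dll\b', re.I)


def _name(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(ev: ProcEvent, by_pid: dict) -> list:
    """Image basenames of parent, grandparent, ... up to the first unknown PID."""
    chain, seen = [], set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(_name(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: list) -> list:
    """Return (pid, rule) pairs for every event that matches one of the checks."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = _name(ev.image)
        parent = by_pid.get(ev.ppid)
        parent_name = _name(parent.image) if parent else ""
        if parent_name in OFFICE_APPS and name in SCRIPT_HOSTS:
            findings.append((ev.pid, "office_spawns_script_host"))
        if name != "regsvr32.exe":
            continue
        if _TEMP_DLL.search(ev.cmdline):
            findings.append((ev.pid, "regsvr32_temp_dll"))
        if _SYS32_SUBDIR_DLL.search(ev.cmdline):
            findings.append((ev.pid, "regsvr32_system32_subdir_dll"))
        # Walk the tree: a regsvr32 whose ancestors include both a script host
        # and an Office application is the chain shown in this report.
        anc = ancestry(ev, by_pid)
        if any(a in SCRIPT_HOSTS for a in anc) and any(a in OFFICE_APPS for a in anc):
            findings.append((ev.pid, "office_script_regsvr32_chain"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

              The ancestry walk is what keeps the benign msiexec/regsvr32 pair quiet while still catching the second-stage regsvr32.exe (the one that loads GJcmgWEWTZrc.dll from system32), whose own command line no longer mentions Temp but whose lineage still leads back to ONENOTE.EXE and wscript.exe.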
              Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEFile created: C:\Users\user\Documents\{FEEE3FA4-F7B3-4CCE-AC94-72B79C0B1135}
              Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEFile created: C:\Users\user\AppData\Local\Temp\{1A5C047D-3D28-4AA6-A11A-87D0AFF6CFBA} - OProcSessId.dat
              Source: classification engineClassification label: mal100.troj.expl.evad.winONE@9/11@1/49
              Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEFile read: C:\Program Files (x86)\desktop.ini
              Source: C:\Windows\System32\regsvr32.exeCode function: 11_2_00F48BC8 Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification,
              Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\regsvr32.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
              Source: Binary string: ain.pdb source: OneNote15WatsonLog.etl.0.dr
              Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdbain.pdb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: OneNote15WatsonLog.etl.0.dr
              Source: Binary string: P:\Target\x86\ship\onenote\x-none\onmain.pdb source: OneNote15WatsonLog.etl.0.dr
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0000000180005C69 push rdi; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00000001800056DD push rdi; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4A0FC push ebp; iretd
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F580D7 push ebp; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F46CDE push esi; iretd
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F46C9F pushad ; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4A1D2 push ebp; iretd
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F57987 push ebp; iretd
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F58157 push ebp; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F49D51 push ebp; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F57D4E push ebp; iretd
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F57D3C push ebp; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F57D25 push 4D8BFFFFh; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F57EAF push 458BCC5Ah; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F49E8B push eax; retf
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F4A26E push ebp; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00F5C731 push esi; iretd
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B2C731 push esi; iretd
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B16C9F pushad ; ret
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B16CDE push esi; iretd
Source: C:\Windows\System32\regsvr32.exe | Code function: 12_2_02B36D34 push edi; ret
Source: rad38C2A.tmp.dll.9.dr | Static PE information: section name: _RDATA
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll
Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\System32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll (copy)
Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\System32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll (copy)

              Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Windows\system32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll:Zone.Identifier read attributes | delete
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe TID: 4956 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1540 | Thread sleep time: -270000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe | API coverage: 8.0 %
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\regsvr32.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0000000180008D28 FindFirstFileExW,
Source: C:\Windows\System32\regsvr32.exe | File Volume queried: C:\ FullSizeInformation
Source: regsvr32.exe, 0000000C.00000003.451113819.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.420606431.00000000012AC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012AC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0P/
Source: wscript.exe, 00000009.00000002.353992148.00000000053FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
Source: wscript.exe, 00000009.00000003.349954279.0000000005423000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351723775.0000000005423000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.354073376.0000000005423000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.424429920.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451389170.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480911858.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.420606431.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451649748.00000000012F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000009.00000002.353992148.00000000053FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: regsvr32.exe, 0000000C.00000003.424429920.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451389170.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480911858.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.420606431.00000000012F0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451649748.00000000012F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWC
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_000000018000A878 GetProcessHeap,
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe | Network Connect: 164.90.222.65 443
Source: C:\Windows\SysWOW64\wscript.exe | Network Connect: 203.26.41.131 443
Source: C:\Windows\SysWOW64\wscript.exe | Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 167.172.199.165 8080
Source: C:\Windows\System32\regsvr32.exe | Network Connect: 163.44.196.120 8080
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll
Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_00000001800070A0 cpuid
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe | Code function: 11_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
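The signatures above record one execution chain: ONENOTE.EXE starts wscript.exe on click.wsf, wscript.exe fetches a DLL from penshorn.org and hands it to regsvr32.exe out of %TEMP% (rad38C2A.tmp.dll), a second regsvr32.exe copies it to a random System32 sub-directory and re-registers it from there, the copy's Zone.Identifier stream is opened with delete access, and the resulting regsvr32.exe talks to bare-IP C2 on 443, 7080, 8080 and 80. The block below is an added example, not part of the Joe Sandbox report, showing that chain as detection logic over constructed process-creation and file-open events. The events, the synthetic PIDs, the benign control row and the empty ALLOWED_SYSTEM32_SUBDIRS baseline are assumptions; the paths and command lines are copied from the report's lines.

```python
"""Detection logic for the OneNote -> wscript -> regsvr32 chain recorded above.

Added example. The events are constructed from the report's "Process created"
and "File opened" lines; they are not real EDR telemetry and the PIDs are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line exactly as logged


@dataclass(frozen=True)
class FileEvent:
    pid: int
    image: str
    path: str       # path as opened; may carry an NTFS stream suffix (":Zone.Identifier")
    access: str     # requested access, e.g. "read attributes | delete"


# Constructed process tree modelled on the report (synthetic PIDs).
SAMPLE_PROCS: List[ProcEvent] = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE",
              r'"ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_3.one"'),
    ProcEvent(300, 200, r"C:\Windows\SysWOW64\wscript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"'),
    ProcEvent(400, 300, r"C:\Windows\SysWOW64\regsvr32.exe",
              r'C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll'),
    ProcEvent(500, 400, r"C:\Windows\System32\regsvr32.exe",
              r'"C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll"'),
    ProcEvent(600, 500, r"C:\Windows\System32\regsvr32.exe",
              r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll"'),
    # Benign control (assumed): an installer registering a COM DLL from Program Files.
    ProcEvent(700, 100, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'),
]

# Constructed file events: the report's Zone.Identifier delete, plus a normal MOTW read by Office.
SAMPLE_FILES: List[FileEvent] = [
    FileEvent(500, r"C:\Windows\System32\regsvr32.exe",
              r"C:\Windows\system32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll:Zone.Identifier",
              "read attributes | delete"),
    FileEvent(200, r"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE",
              r"C:\Users\user\Desktop\Insight_Medical_Publishing_3.one:Zone.Identifier",
              "read attributes"),
]

OFFICE_APPS = {"onenote.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# System32 sub-directories from which regsvr32 is baselined as legitimate in your
# environment. Empty here (assumption); fill it from your own telemetry.
ALLOWED_SYSTEM32_SUBDIRS: set = set()

TEMP_DLL_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\[^\"'\s]+", re.I)
# Exactly one directory level below System32, ending in .dll.
SYSTEM32_SUBDIR_DLL_RE = re.compile(r"C:\\Windows\\System32\\([^\\\"'\s]+)\\[^\\\"'\s]+\.dll", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def regsvr32_from_temp(procs: List[ProcEvent]) -> List[int]:
    """Same idea as the report's Sigma hit: regsvr32 handed a path under a Temp directory."""
    return [p.pid for p in procs
            if _basename(p.image) == "regsvr32.exe" and TEMP_DLL_RE.search(p.cmdline)]


def regsvr32_system32_subdir(procs: List[ProcEvent]) -> List[int]:
    """regsvr32 loading a DLL from a non-baselined System32 sub-directory (the install
    location the report shows: ZLTlFkhzfcDaCjB\\GJcmgWEWTZrc.dll)."""
    hits = []
    for p in procs:
        if _basename(p.image) != "regsvr32.exe":
            continue
        m = SYSTEM32_SUBDIR_DLL_RE.search(p.cmdline)
        if m and m.group(1).lower() not in ALLOWED_SYSTEM32_SUBDIRS:
            hits.append(p.pid)
    return hits


def office_script_regsvr32_chain(procs: List[ProcEvent]) -> List[int]:
    """regsvr32 whose ancestry has a script host that was itself started by an Office app.
    Walks parents upward; intermediate regsvr32 hops (as in the report) are tolerated."""
    by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if _basename(p.image) != "regsvr32.exe":
            continue
        seen_script = False
        anc = by_pid.get(p.ppid)
        while anc is not None:
            name = _basename(anc.image)
            if name in SCRIPT_HOSTS:
                seen_script = True
            elif name in OFFICE_APPS and seen_script:
                hits.append(p.pid)
                break
            anc = by_pid.get(anc.ppid)
    return hits


def motw_stripping(files: List[FileEvent]) -> List[int]:
    """Zone.Identifier stream opened with DELETE access (mark-of-the-web removal).
    Browsers and Explorer legitimately write this stream; a production rule would
    exclude them, which this constructed data does not need."""
    return [f.pid for f in files
            if f.path.lower().endswith(":zone.identifier") and "delete" in f.access.lower()]
```

Each function returns the PIDs it flags so the rules compose: on the constructed tree the Temp rule fires on both regsvr32 instances that reference rad38C2A.tmp.dll, the System32 sub-directory rule only on the final re-registration, and the ancestry rule on all three, while the control row from Program Files stays silent. The ancestry rule is the one that survives a change of file names; the other two are cheap but depend on the paths Emotet happened to use in this run.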

              Stealing of Sensitive Information

Source: Yara match | File source: Insight_Medical_Publishing_3.one, type: SAMPLE
Source: Yara match | File source: 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 12.2.regsvr32.exe.1220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.regsvr32.exe.1220000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.regsvr32.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.regsvr32.exe.f10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.580204342.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.579427861.0000000001220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.334703858.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

Source: Yara match | File source: Insight_Medical_Publishing_3.one, type: SAMPLE
MITRE ATT&CK Matrix

The digits in front of a technique are the report's signature-hit badges, reproduced as shown; techniques without digits had no matching signature in this analysis.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Scripting; 1 Exploitation for Client Execution; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 21 Masquerading; 1 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Scripting; 1 Hidden Files and Directories; 1 Obfuscated Files or Information; 1 Regsvr32; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 121 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Remote System Discovery; 2 File and Directory Discovery; 25 System Information Discovery; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 11 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 828495 | Sample: Insight_Medical_Publishing_3.one | Start date: 17/03/2023 | Architecture: WINDOWS | Score: 100

Sample-level network nodes: 129.232.188.93 (xneeloZA, South Africa); 45.235.8.30 (WIKINETTELECOMUNICACOESBR, Brazil); 36 other IPs or domains
Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 7 other signatures

ONENOTE.EXE (started; graph counters 21, 23)
  -> wscript.exe (started; graph counter 2)
       DNS/IP: penshorn.org 203.26.41.131, port 443 (local port 49683), DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU, Australia
       dropped: C:\Users\user\AppData\...\rad38C2A.tmp.dll (PE32+)
       dropped: C:\Users\user\AppData\Local\Temp\click.wsf (ASCII)
       signature: System process connects to network (likely due to code injection or exploit)
       -> regsvr32.exe (started)
            -> regsvr32.exe (started; graph counter 2)
                 dropped: C:\Windows\...\GJcmgWEWTZrc.dll (copy) (PE32+)
                 signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                 -> regsvr32.exe (started)
                      DNS/IP: 160.16.142.56, port 8080 (SAKURA-BSAKURAInternetIncJP, Japan); 91.121.146.47, port 8080 (local port 49684; OVHFR, France); 8 other IPs or domains
                      signature: System process connects to network (likely due to code injection or exploit)

Initial Sample
Source | Detection | Scanner | Label
Insight_Medical_Publishing_3.one | 31% | ReversingLabs | Script-WScript.Trojan.OneNote
Insight_Medical_Publishing_3.one | 41% | Virustotal |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll | 58% | ReversingLabs | Win64.Trojan.Emotet
C:\Windows\System32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll (copy) | 58% | ReversingLabs | Win64.Trojan.Emotet

Unpacked PE Files
Source | Detection | Scanner | Label
12.2.regsvr32.exe.1220000.0.unpack | 100% | Avira | HEUR/AGEN.1215476
11.2.regsvr32.exe.f10000.0.unpack | 100% | Avira | HEUR/AGEN.1215476

Domains
Source | Detection | Scanner | Label
penshorn.org | 11% | Virustotal |
windowsupdatebg.s.llnwi.net | 0% | Virustotal |

URLs
Source | Detection | Scanner | Label
https://182.162.143.56/ | 0% | URL Reputation | safe
https://182.162.143.56/ | 0% | URL Reputation | safe
https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/# | 100% | Avira URL Cloud | malware
https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/eB | 100% | Avira URL Cloud | malware
https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ | 100% | Avira URL Cloud | malware
https://159.89.202.34/ | 19% | Virustotal |
http://softwareulike.com/cWIYxWMPkK/ | 16% | Virustotal |
https://91.121.146.47:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ | 100% | Avira URL Cloud | malware
https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/x | 100% | Avira URL Cloud | malware
https://pe2.162.143.56/ | 0% | Avira URL Cloud | safe
http://softwareulike.com/cWIYxWMPkK/ | 100% | Avira URL Cloud | malware
https://159.89.202.34/ | 100% | Avira URL Cloud | malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ | 100% | Avira URL Cloud | malware
https://91.121.146.47:8080/ | 100% | Avira URL Cloud | malware
https://187.172.199.165:8080/ | 0% | Avira URL Cloud | safe
https://160.16.142.56:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ | 0% | Avira URL Cloud | safe
https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ | 100% | Avira URL Cloud | malware
https://160.16.142.56:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl//6( | 0% | Avira URL Cloud | safe
https://www.gomespontes.com.br/logs/pd/vM | 100% | Avira URL Cloud | malware
https://167.172.199.165:8080/ | 100% | Avira URL Cloud | malware
https://167.172.199.165:8080/l | 100% | Avira URL Cloud | malware
https://159.89.202.34/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/h | 100% | Avira URL Cloud | malware
https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/IT | 100% | Avira URL Cloud | malware
https://91.121.146.47:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/000 | 100% | Avira URL Cloud | malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll | 100% | Avira URL Cloud | malware
https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/n | 100% | Avira URL Cloud | malware
https://portalevolucao.com/GerarBoleto/fLIOoFb | 0% | Avira URL Cloud | safe
http://ozmeydan.com/cekici/9/ | 100% | Avira URL Cloud | malware
https://penshorn.org/ | 0% | Avira URL Cloud | safe
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM | 100% | Avira URL Cloud | malware
https://www.gomespontes.com.br/logs/pd/ | 100% | Avira URL Cloud | malware
https://penshorn.org/admin/Ses8712iGR8du/tM | 100% | Avira URL Cloud | malware
https://167.172.199.165:8080/mwollpl/ | 100% | Avira URL Cloud | malware
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1j | 0% | Avira URL Cloud | safe
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM | 100% | Avira URL Cloud | malware
https://penshorn.org/admin/Ses8712iGR8du/ | 100% | Avira URL Cloud | malware
http://softwareulike.com/cWIYxWMPkK/7 | 100% | Avira URL Cloud | malware
https://66.228.32.31:7080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ | 100% | Avira URL Cloud | malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/ | 100% | Avira URL Cloud | malware
http://softwareulike.com/cWIYxWMPkK/yM | 100% | Avira URL Cloud | malware
https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/l/ | 100% | Avira URL Cloud | malware
https://167.172.199.165:8080/8 | 100% | Avira URL Cloud | malware
https://159.89.202.34/I | 100% | Avira URL Cloud | malware
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllNZr | 100% | Avira URL Cloud | malware
http://softwareulike.com/cWIYxW | 0% | Avira URL Cloud | safe
http://ozmeydan.com/cekici/9/xM | 100% | Avira URL Cloud | malware
https://187.63.160.88:80/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/01 | 100% | Avira URL Cloud | malware
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/ | 100% | Avira URL Cloud | malware
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM | 100% | Avira URL Cloud | malware
https://66.228.32.31:7080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/_ | 100% | Avira URL Cloud | malware
https://159.89.202.34/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ | 100% | Avira URL Cloud | malware
https://160.16.142.56:8080/ | 0% | Avira URL Cloud | safe
https://164.90.222.65/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ | 100% | Avira URL Cloud | malware
https://163.44.196.120:8080/3 | 100% | Avira URL Cloud | malware
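Most of the URL rows above are memory strings rather than observed requests: the same C2 path appears with trailing junk ("/eB", "/#", "/x", "/IT", "/000"), truncated forms ("https://167.172.199.165:8080/l"), a host that reads like a damaged IP literal ("pe2.162.143.56"), and "187.172.199.165:8080", which differs in one octet from 167.172.199.165 and never appears among the report's Network Connect events. The block below is an added example, not part of the report, that turns such a list into IOCs a responder can act on: it normalizes each URL to host:port, confirms IP-literal endpoints against the report's Network Connect lines, separates named download hosts (recovered from wscript.exe memory) from C2, and quarantines suspect hostnames. MEMORY_URLS is a subset of the table copied in; OBSERVED_CONNECTIONS is copied from the Network Connect lines; the Snort rule text and SID range are assumptions.

```python
"""Triage of sandbox memory-string URLs against observed network connections.

Added example, not part of the Joe Sandbox report. Inputs are copied from the
report's tables; nothing here is fetched from the network.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set
from urllib.parse import urlsplit

# Copied from the report's "Network Connect" lines (regsvr32.exe and wscript.exe).
OBSERVED_CONNECTIONS: Set[str] = {
    "164.90.222.65:443", "203.26.41.131:443", "66.228.32.31:7080", "187.63.160.88:80",
    "104.168.155.143:8080", "159.89.202.34:443", "91.121.146.47:8080", "160.16.142.56:8080",
    "182.162.143.56:443", "167.172.199.165:8080", "163.44.196.120:8080",
}

# A subset of the memory-string URLs from the table above, chosen to cover each failure mode.
MEMORY_URLS: List[str] = [
    "https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/eB",
    "https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/",
    "https://182.162.143.56/",
    "https://91.121.146.47:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/000",
    "https://187.63.160.88:80/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/01",
    "https://66.228.32.31:7080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/",
    "https://187.172.199.165:8080/",   # valid IPv4, but never connected to in the report
    "https://pe2.162.143.56/",         # looks like a damaged copy of 182.162.143.56
    "https://penshorn.org/admin/Ses8712iGR8du/",
    "https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllNZr",
    "http://softwareulike.com/cWIYxWMPkK/",
]

DEFAULT_PORTS = {"http": 80, "https": 443}
# A dotted name whose last three labels are numeric, e.g. "pe2.162.143.56".
DAMAGED_IPV4_RE = re.compile(r"^[^.]+(?:\.\d{1,3}){3}$")


def host_port(url: str) -> str:
    """Normalize a URL to 'host:port', using the scheme default when no port is given.
    Path, query and any trailing junk are dropped on purpose."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(parts.scheme, 0)
    return f"{host}:{port}"


def triage(urls: Iterable[str], observed: Set[str]) -> Dict[str, Set[str]]:
    """Bucket memory-string URLs:

    confirmed_c2    IP-literal host:port the sandbox actually connected to
    unconfirmed_c2  IP-literal host:port that exists only as a string
    damaged         hostnames that look like a corrupted IPv4 literal
    distribution    named hosts (the download-stage URLs from wscript.exe memory)
    """
    out: Dict[str, Set[str]] = {k: set() for k in
                                ("confirmed_c2", "unconfirmed_c2", "damaged", "distribution")}
    for url in urls:
        hp = host_port(url)
        host = hp.rsplit(":", 1)[0]
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            if DAMAGED_IPV4_RE.match(host):
                out["damaged"].add(host)
            else:
                out["distribution"].add(host)
            continue
        out["confirmed_c2" if hp in observed else "unconfirmed_c2"].add(hp)
    return out


def snort_style_rules(confirmed: Set[str]) -> List[str]:
    """One outbound TCP rule per confirmed endpoint. SIDs from 1000000 are a placeholder range."""
    rules = []
    for i, hp in enumerate(sorted(confirmed)):
        host, port = hp.rsplit(":", 1)
        rules.append(f'alert tcp $HOME_NET any -> {host} {port} '
                     f'(msg:"Emotet C2 {hp}"; sid:{1000000 + i}; rev:1;)')
    return rules
```

Only the confirmed bucket should go straight into blocking rules; the unconfirmed and damaged buckets are what an analyst checks against the decoded configuration before trusting them, and the distribution hosts are compromised websites that belong in a separate, shorter-lived list.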
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
penshorn.org | 203.26.41.131 | true | true | | unknown
windowsupdatebg.s.llnwi.net | 178.79.242.128 | true | false | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/ | true | Avira URL Cloud: malware | unknown
https://penshorn.org/admin/Ses8712iGR8du/ | true | Avira URL Cloud: malware | unknown
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation

http://softwareulike.com/cWIYxWMPkK/
  Source: wscript.exe, wscript.exe, 00000009.00000002.353832790.00000000053B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349674998.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347830775.0000000005237000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347700894.0000000005210000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.335628212.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.338453916.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345054891.00000000050AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345132720.00000000050AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 16%, Virustotal; Avira URL Cloud: malware | Reputation: unknown

https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/eB
  Source: regsvr32.exe, 0000000C.00000003.480788885.000000000334E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.580495908.000000000334F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown

https://159.89.202.34/
  Source: regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 19%, Virustotal; Avira URL Cloud: malware | Reputation: unknown

https://182.162.143.56/
  Source: regsvr32.exe, 0000000C.00000003.451389170.00000000012FE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: URL Reputation: safe; URL Reputation: safe | Reputation: unknown

https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/#
  Source: regsvr32.exe, 0000000C.00000003.480911858.00000000012C4000.00000004.00000020.00020000.00000000.sdm
  Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown

https://91.121.146.47:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/
  Source: regsvr32.exe, 0000000C.00000003.421394475.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480911858.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451113819.00000000012E1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012E1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown

https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/x
  Source: regsvr32.exe, 0000000C.00000003.480788885.000000000334E000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown

https://pe2.162.143.56/
  Source: regsvr32.exe, 0000000C.00000003.480911858.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451389170.00000000012C4000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: low

https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
  Source: wscript.exe, wscript.exe, 00000009.00000002.353832790.00000000053B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349674998.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347830775.0000000005237000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347700894.0000000005210000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.335628212.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.338453916.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345054891.00000000050AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347622434.000000000512D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown

https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/
  Source: regsvr32.exe, 0000000C.00000003.480911858.00000000012C4000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown

https://91.121.146.47:8080/
  Source: regsvr32.exe, 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown

https://160.16.142.56:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/
  Source: regsvr32.exe, 0000000C.00000002.580495908.000000000334F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

https://187.172.199.165:8080/
  Source: regsvr32.exe, 0000000C.00000003.480788885.000000000334E000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

https://160.16.142.56:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl//6(
  Source: regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

https://www.gomespontes.com.br/logs/pd/vM
  Source: wscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown

https://167.172.199.165:8080/l
  Source: regsvr32.exe, 0000000C.00000003.480859658.000000000133A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown

https://167.172.199.165:8080/
  Source: regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480859658.000000000133A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown

https://159.89.202.34/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/h
  Source: regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown

https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/IT
  Source: regsvr32.exe, 0000000C.00000003.480859658.000000000133A000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown

https://91.121.146.47:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/000
  Source: regsvr32.exe, 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown

https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll
  Source: wscript.exe, 00000009.00000003.349639269.000000000538E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349867697.0000000005396000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown

https://167.172.199.165:8080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/n
  Source: regsvr32.exe, 0000000C.00000003.480788885.000000000334E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.580495908.000000000334F000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: malware
              unknown
              https://portalevolucao.com/GerarBoleto/fLIOoFbwscript.exe, 00000009.00000003.347225816.00000000050AC000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://ozmeydan.com/cekici/9/wscript.exe, wscript.exe, 00000009.00000002.353832790.00000000053B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349674998.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347830775.0000000005237000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347700894.0000000005210000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.335628212.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.338453916.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345054891.00000000050AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345132720.00000000050AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              https://penshorn.org/wscript.exe, 00000009.00000003.349954279.0000000005423000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.350000568.000000000540A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.354012857.000000000540A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351723775.0000000005423000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.354073376.0000000005423000.00000004.00000020.00020000.00000000.sdmptrue
              • Avira URL Cloud: safe
              unknown
              https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wMwscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              https://www.gomespontes.com.br/logs/pd/wscript.exe, wscript.exe, 00000009.00000002.353832790.00000000053B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349674998.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347830775.0000000005237000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347700894.0000000005210000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.335628212.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.338453916.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345054891.00000000050AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000009.00000003.347622434.000000000512D000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              https://penshorn.org/admin/Ses8712iGR8du/tMwscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmptrue
              • Avira URL Cloud: malware
              unknown
              https://167.172.199.165:8080/mwollpl/regsvr32.exe, 0000000C.00000003.480859658.000000000133A000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jwscript.exe, 00000009.00000003.347973913.000000000529E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348372206.00000000052DD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348646615.0000000005321000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348586602.00000000052F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348295456.00000000052AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351610411.0000000005331000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.353640909.0000000005331000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348732137.0000000005328000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348458187.00000000052EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348118755.00000000052A6000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uMwscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              http://softwareulike.com/cWIYxWMPkK/7wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.346224913.0000000005175000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345755235.0000000005160000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347622434.0000000005182000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.353529377.000000000518B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347751255.0000000005182000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348256209.0000000005189000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              https://66.228.32.31:7080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/regsvr32.exe, 0000000C.00000003.451389170.000000000133A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451113819.000000000133A000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/wscript.exe, wscript.exe, 00000009.00000002.353832790.00000000053B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349674998.00000000053B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347830775.0000000005237000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347700894.0000000005210000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EA0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.335628212.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.338453916.0000000004EF0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345054891.00000000050AC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345132720.00000000050AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              http://softwareulike.com/cWIYxWMPkK/yMwscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              https://182.162.143.56/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/l/regsvr32.exe, 0000000C.00000003.451113819.00000000012E1000.00000004.00000020.00020000.00000000.sdmptrue
              • Avira URL Cloud: malware
              unknown
              https://167.172.199.165:8080/8regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.480859658.000000000133A000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              https://159.89.202.34/Iregsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllNZrwscript.exe, 00000009.00000003.349283109.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349438794.0000000005384000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349093361.000000000536E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349339319.000000000537A000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              http://softwareulike.com/cWIYxWwscript.exe, 00000009.00000003.347973913.000000000529E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348372206.00000000052DD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348646615.0000000005321000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348586602.00000000052F4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348295456.00000000052AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351610411.0000000005331000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000002.353640909.0000000005331000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348732137.0000000005328000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348458187.00000000052EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348118755.00000000052A6000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://ozmeydan.com/cekici/9/xMwscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              https://187.63.160.88:80/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/01regsvr32.exe, 0000000C.00000003.480788885.000000000334E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.580495908.000000000334F000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wscript.exe, 00000009.00000003.348896452.0000000005346000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337749840.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345265478.0000000005158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.351239933.00000000052BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.342436422.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.340495152.0000000004F55000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348209733.0000000005208000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349520694.00000000053A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.347622434.000000000512D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345132720.00000000050C0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345037298.000000000510B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.345791230.00000000050EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.343112035.0000000004FCF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337309001.0000000000AB7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.337545792.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.349571912.00000000053A7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.343189350.0000000004FAE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000009.00000003.347462886.00000000051C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000009.00000003.343401747.0000000005065000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zMwscript.exe, 00000009.00000003.350048423.0000000004B54000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              https://66.228.32.31:7080/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/_regsvr32.exe, 0000000C.00000003.451389170.000000000133A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000003.451113819.000000000133A000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              https://159.89.202.34/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              https://160.16.142.56:8080/regsvr32.exe, 0000000C.00000002.579752485.00000000012FE000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://164.90.222.65/qudwkmxm/xmonncmqfa/dpvphsc/beehnbizxmwollpl/regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              https://163.44.196.120:8080/3regsvr32.exe, 0000000C.00000002.579752485.000000000133A000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 828495
Start date and time: 2023-03-17 09:15:06 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 0s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: Insight_Medical_Publishing_3.one
Detection: MAL
Classification: mal100.troj.expl.evad.winONE@9/11@1/49
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 50.2% (good quality ratio 42.4%)
• Quality average: 60.5%
• Quality standard deviation: 35.6%
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .one
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 93.184.221.240, 95.140.230.192
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:16:48 | API Interceptor | 2x Sleep call for process: wscript.exe modified
09:17:21 | API Interceptor | 10x Sleep call for process: regsvr32.exe modified
Process: C:\Windows\System32\regsvr32.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 62582
Entropy (8bit): 7.996063107774368
Encrypted: true
SSDEEP: 1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
MD5: E71C8443AE0BC2E282C73FAEAD0A6DD3
SHA1: 0C110C1B01E68EDFACAEAE64781A37B1995FA94B
SHA-256: 95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
SHA-512: B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
Malicious: false
Process: C:\Windows\System32\regsvr32.exe
File Type: data
Category: modified
Size (bytes): 290
Entropy (8bit): 2.9542848029467006
Encrypted: false
SSDEEP: 6:kKNg1ry/CN+SkQlPlEGYRMY9z+4KlDA3RUe/:WJCpkPlE99SNxAhUe/
MD5: D9F329065228D1052F80DFD86FBAF630
SHA1: BEB453F722F5DA26BAB114412369BC790455C431
SHA-256: 4B5C31C51235D3A2F1AFA5BCE16D41AA2DA95014B493C526637BE6E1865EF2EB
SHA-512: BF037A5AFFF2DB2BDA7BC204BEBAE79192DC1DF823C7496BD669ECE3395ACD01BF5C9461666A32C9F2E679665EE7068EA9049E51181FCF454A7033F34803DF55
Malicious: false
Process: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type: Matlab v4 mat-file (little endian) \340\004, numeric, rows 262223750, columns 0
Category: dropped
Size (bytes): 72
Entropy (8bit): 2.106463217645438
Encrypted: false
SSDEEP: 3:ulXH+lS8TcRaAqlAaRtl:KelS8Tc8TX
MD5: 6D35FE979A2AF81158578D8FF8AA4390
SHA1: 4FACFE5FFF9553E926FC82615BBFF18F47876715
SHA-256: 41E5436CD2453FF8DC3D187CCC680CE58212D72C77CCA0E632B51085BDE7ECED
SHA-512: 947226E35A9BEC0F93AE0467AC23DBE81EFC681A48F3FE6F49F70A2B0BDD35AB533165240D442C2492EA57D29CFA403B848FF8E9BB6EFEADAB507C12DEAE4CEE
Malicious: false
Process: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.7053394102816869
Encrypted: false
SSDEEP: 48:geymLsJE+mZc8/hzSlZWV6dNg6qnuaLvOlSosUZKg9eiDx8lW:NiuPZGlZWV6da6+uazODZKDiDv
MD5: DD5E5ED496A7861D9B6F291070CC5F5B
SHA1: 697CDBB2F039943BE9EB82B52D5711709BC998E1
SHA-256: B1D13B637698D27B702BD7797D61AD1B2A297FDF8758B5E653DF2AE3961612D8
SHA-512: 486214A36237BAB2DC7925CDCBA1F799A3F790C0BB18FBABEEECA7C47568376E3E520DD185F7D53878C2B955B7D2CC122DAA4EA377B221BF6E5D2AD313670EF1
Malicious: false
              Preview:.@..`....................................................................................t...............@.......B...........X..Zb..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..............................................................[...... .....p....X..........O.n.e.N.o.t.e. .W.a.t.s.o.n. .L.o.g...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.n.e.N.o.t.e.1.5.W.a.t.s.o.n.L.o.g...e.t.l.......P.P.............................................................................7.B..t......17134.1.x86fre.rs4_release.180410-1804......$.@..t......U......@..%|n.z.....P:\Target\x86\ship\onenote\x-none\onmain.pdb.ain.pdb.0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.............................................
              Process:C:\Windows\SysWOW64\wscript.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):9
              Entropy (8bit):2.94770277922009
              Encrypted:false
              SSDEEP:3:tWn:tWn
              MD5:07F5A0CFFD9B2616EA44FB90CCC04480
              SHA1:641B12C5FFA1A31BC367390E34D441A9CE1958EE
              SHA-256:A0430A038E7D879375C9CA5BF94CB440A3B9A002712118A7BCCC1FF82F1EA896
              SHA-512:09E7488C138DEAD45343A79AD0CB37036C5444606CDFD8AA859EE70227A96964376A17F07E03D0FC353708CA9AAF979ABF8BC917E6C2D005A0052575E074F531
              Malicious:true
              Preview:badum tss
              Process:C:\Windows\SysWOW64\wscript.exe
              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):316928
              Entropy (8bit):7.337848702590508
              Encrypted:false
              SSDEEP:6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
              MD5:BFC060937DC90B273ECCB6825145F298
              SHA1:C156C00C7E918F0CB7363614FB1F177C90D8108A
              SHA-256:2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
              SHA-512:CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 58%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L`.=...n...n...nCy.o...nCy.o...nCy.o...n.z.o(..n.z.o...n.z.o...nCy.o...n...nq..n.z.o...n.z.o...n.zsn...n...n...n.z.o...nRich...n................PE..d....6.d.........." ...!.F...................................................0............ .............................................T...d...d....`..(....0............... ..........8...........................p...@............`..`............................text....D.......F.................. ..`.rdata.......`.......J..............@..@.data...............................@....pdata.......0......................@..@_RDATA..\....P......................@..@.rsrc...(....`......................@..@.reloc....... ......................@..B........................................................................................................................................................................................
              Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
              File Type:data
              Category:dropped
              Size (bytes):25280
              Entropy (8bit):0.5433410247296293
              Encrypted:false
              SSDEEP:48:PbnnYsDoODcOOErE5+9olgk8Z4GQTaza2egb:PbzoUOkI+6lAUaza2ee
              MD5:D0642277D4B13D42E7606EF972F5AFE9
              SHA1:ED016803728F5DDC3EA7346683C1F6D93A26F90B
              SHA-256:BB4AC658CDF79F055414BB6981C415ABB9CA64C6CF47D1895FA1D7A8E0A3BEAE
              SHA-512:7FB1F165197D53E3B0CAE3ABDBD19755AFB0F61CA2E602FCC1A14828248E69A607B4CCF84A1C2E1A234F69C99DDAE7823F4044B7A572E3337526BC62E6A90AE3
              Malicious:false
              Preview:.%c....L..=../\.......G...S.h.................?.....I.......*...*...*...*...........................................................................................h............................b...............i.....N..{..j.............S..L.b.$..+.............................7...7...7...7..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
              File Type:data
              Category:dropped
              Size (bytes):3873
              Entropy (8bit):3.514272379585467
              Encrypted:false
              SSDEEP:48:N8dQdO1aMIFVbqzqgdCDDGTCDfodRdQdO1aMh7+xGqzWk7dCDGWG5CDdZ0tgH:oKiqfGaoFqLZhgO4
              MD5:9AC073B56A8C9E131C96CEA3E1D410B2
              SHA1:EA91260019132F020F365CDF5201C58D0ED6149E
              SHA-256:F5CA8F18F25E2A9B8F571C4A721E53DC636AD5D4688E240104680352E31B41AE
              SHA-512:A6615C16F9E199B00F4CF381B66BD936BFC21DE93129CD54E5D92CCACB81DEBA556D7F5E3CDE3711B93CD33CC58EC9828A8D372AE5B6D8D0FF3127C77A74115A
              Malicious:false
              Preview:...................................FL..................F.@.. .....Q{....,1..X....Q{...(............................P.O. .:i.....+00.../C:\.....................1......U...PROGRA~2.........L.qV......................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....j.1......P...MICROS~1..R.......P.qV.......]....................m.Q.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....Z.1......P*...Office16..B.......P.qV.......]......................&.O.f.f.i.c.e.1.6.....b.2.(...qP.. .ONENOTE.EXE.H......qP..qV...............................O.N.E.N.O.T.E...E.X.E.......k...............-.......j...........>.S......C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .N.).../.s.i.d.e.n.o.t.e.<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\Office16\ONENOTE.EXE........................................................
              Process:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
              File Type:data
              Category:dropped
              Size (bytes):3873
              Entropy (8bit):3.514272379585467
              Encrypted:false
              SSDEEP:48:N8dQdO1aMIFVbqzqgdCDDGTCDfodRdQdO1aMh7+xGqzWk7dCDGWG5CDdZ0tgH:oKiqfGaoFqLZhgO4
              MD5:9AC073B56A8C9E131C96CEA3E1D410B2
              SHA1:EA91260019132F020F365CDF5201C58D0ED6149E
              SHA-256:F5CA8F18F25E2A9B8F571C4A721E53DC636AD5D4688E240104680352E31B41AE
              SHA-512:A6615C16F9E199B00F4CF381B66BD936BFC21DE93129CD54E5D92CCACB81DEBA556D7F5E3CDE3711B93CD33CC58EC9828A8D372AE5B6D8D0FF3127C77A74115A
              Malicious:false
              Preview:...................................FL..................F.@.. .....Q{....,1..X....Q{...(............................P.O. .:i.....+00.../C:\.....................1......U...PROGRA~2.........L.qV......................V.........P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....j.1......P...MICROS~1..R.......P.qV.......]....................m.Q.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.....Z.1......P*...Office16..B.......P.qV.......]......................&.O.f.f.i.c.e.1.6.....b.2.(...qP.. .ONENOTE.EXE.H......qP..qV...............................O.N.E.N.O.T.E...E.X.E.......k...............-.......j...........>.S......C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE....(.W.i.n.d.o.w.s. .+. .N.).../.s.i.d.e.n.o.t.e.<.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e.\.O.f.f.i.c.e.1.6.\.O.N.E.N.O.T.E...E.X.E.........%ProgramFiles%\Microsoft Office\Office16\ONENOTE.EXE........................................................
              Process:C:\Windows\System32\regsvr32.exe
              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
              Category:dropped
              Size (bytes):316928
              Entropy (8bit):7.337848702590508
              Encrypted:false
              SSDEEP:6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
              MD5:BFC060937DC90B273ECCB6825145F298
              SHA1:C156C00C7E918F0CB7363614FB1F177C90D8108A
              SHA-256:2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
              SHA-512:CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 58%
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L`.=...n...n...nCy.o...nCy.o...nCy.o...n.z.o(..n.z.o...n.z.o...nCy.o...n...nq..n.z.o...n.z.o...n.zsn...n...n...n.z.o...nRich...n................PE..d....6.d.........." ...!.F...................................................0............ .............................................T...d...d....`..(....0............... ..........8...........................p...@............`..`............................text....D.......F.................. ..`.rdata.......`.......J..............@..@.data...............................@....pdata.......0......................@..@_RDATA..\....P......................@..@.rsrc...(....`......................@..@.reloc....... ......................@..B........................................................................................................................................................................................
              File type:data
              Entropy (8bit):6.730628431064467
              TrID:
              • Microsoft OneNote note (16024/2) 100.00%
              File name:Insight_Medical_Publishing_3.one
              File size:120428
              MD5:0d8f675a79a32d286f8eccb2ff989c91
              SHA1:e0796075d09841386c12f37503495c9624a3c393
              SHA256:7ef31d3538810c895812e331db91f905693b99b682d062d9d0b4dab5df0da0a2
              SHA512:d1d81b41e35469ed748fb96998cdbfdaeffd7de481dc12486bd383d1e1e602a24c44c5e0ff4c0a016f0a12afee0a5d36a91f1c64c504918652ee40273b96141a
              SSDEEP:1536:RDBoTVdaeNtuXndCrJJmT4HVnteV4FrdMiYcx7bfCb6HPdnXE:1BoC+tCYvSMVnte8ZP1Y6JU
              TLSH:C3C33BF1A8025C0AE123C976B1FB661399D051ED42283B2BF87D507DD978A20D6DD8EF
              File Content Preview:.R\{...M..Sx.).......i.E......&.................?......I........*...*...*...*..................................................._fh.*..E.......n..w.....................h...........................8....... ....... ..}...M..t:."S.9.............TL.E..!......
              Icon Hash:d4dce0626664606c
              Timestamp                | Protocol | SID     | Message                                               | Source Port | Dest Port | Source IP   | Dest IP
              03/17/23-09:17:28.925917 | TCP      | 2404330 | ET CNC Feodo Tracker Reported CnC Server TCP group 16 | 49686       | 7080      | 192.168.2.3 | 66.228.32.31
              03/17/23-09:18:01.076339 | TCP      | 2404302 | ET CNC Feodo Tracker Reported CnC Server TCP group 2  | 49694       | 8080      | 192.168.2.3 | 104.168.155.143
              03/17/23-09:17:34.182038 | TCP      | 2404312 | ET CNC Feodo Tracker Reported CnC Server TCP group 7  | 49687       | 443       | 192.168.2.3 | 182.162.143.56
              03/17/23-09:17:19.192203 | TCP      | 2404344 | ET CNC Feodo Tracker Reported CnC Server TCP group 23 | 49684       | 8080      | 192.168.2.3 | 91.121.146.47
              03/17/23-09:17:48.416747 | TCP      | 2404308 | ET CNC Feodo Tracker Reported CnC Server TCP group 5  | 49689       | 8080      | 192.168.2.3 | 167.172.199.165
              Timestamp                           | Source Port | Dest Port | Source IP     | Dest IP
              Mar 17, 2023 09:16:35.903984070 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:35.904050112 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:35.904140949 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:35.935425997 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:35.935475111 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:36.551140070 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:36.551393032 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:36.557358980 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:36.557415962 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:36.557888031 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:36.608803034 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:36.779211044 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:36.779283047 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.158073902 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.158145905 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.158165932 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.158256054 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:37.158298016 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.158320904 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:37.202626944 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:37.457853079 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.457876921 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.457962036 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.457998991 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.458026886 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.458039045 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.458044052 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:37.458075047 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.458103895 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:37.458115101 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.458156109 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:37.458179951 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:37.458184958 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.458234072 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:37.758245945 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.758268118 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.758343935 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.758510113 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:37.758533955 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.758608103 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:37.758629084 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.758707047 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:37.758722067 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.758810043 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.758877039 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:37.758889914 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.758935928 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.759017944 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:37.759037018 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:37.812072039 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.060399055 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.060420036 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.060472012 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.060570955 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.060602903 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.060621977 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.060642958 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.060646057 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.060656071 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.060662985 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.060672998 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.060704947 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.060745001 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.060760021 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.060776949 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.060812950 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.060832977 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.060849905 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.060857058 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.060890913 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.060905933 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.060926914 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.060965061 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.060985088 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.061007977 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.061018944 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.061058998 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.061074972 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.061094999 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.061104059 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.061120987 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.061153889 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.061197996 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.061196089 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.061213970 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.061285973 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.061321020 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.061321020 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.061343908 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.061362982 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.061363935 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.061404943 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.061422110 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.061448097 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.061481953 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.067372084 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.361330032 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.361689091 CET | 443         | 49683     | 203.26.41.131 | 192.168.2.3
              Mar 17, 2023 09:16:38.361789942 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Mar 17, 2023 09:16:38.361789942 CET | 49683       | 443       | 192.168.2.3   | 203.26.41.131
              Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
              Mar 17, 2023 09:16:35.870768070 CET | 58974       | 53        | 192.168.2.3 | 8.8.8.8
              Mar 17, 2023 09:16:35.890346050 CET | 53          | 58974     | 8.8.8.8     | 192.168.2.3
              Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name         | Type           | Class       | DNS over HTTPS
              Mar 17, 2023 09:16:35.870768070 CET | 192.168.2.3 | 8.8.8.8 | 0x11ba   | Standard query (0) | penshorn.org | A (IP address) | IN (0x0001) | false
              Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name                        | CName | Address        | Type           | Class       | DNS over HTTPS
              Mar 17, 2023 09:16:29.040373087 CET | 8.8.8.8   | 192.168.2.3 | 0x99d2   | No error (0) | windowsupdatebg.s.llnwi.net |       | 178.79.242.128 | A (IP address) | IN (0x0001) | false
              Mar 17, 2023 09:16:29.040373087 CET | 8.8.8.8   | 192.168.2.3 | 0x99d2   | No error (0) | windowsupdatebg.s.llnwi.net |       | 95.140.236.128 | A (IP address) | IN (0x0001) | false
              Mar 17, 2023 09:16:35.890346050 CET | 8.8.8.8   | 192.168.2.3 | 0x11ba   | No error (0) | penshorn.org                |       | 203.26.41.131  | A (IP address) | IN (0x0001) | false
              Mar 17, 2023 09:17:19.883671045 CET | 8.8.8.8   | 192.168.2.3 | 0xb6f0   | No error (0) | windowsupdatebg.s.llnwi.net |       | 95.140.230.192 | A (IP address) | IN (0x0001) | false
              • penshorn.org
              • 182.162.143.56
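Added example, not part of the Joe Sandbox report: the five Snort alerts above fire on Feodo Tracker-listed endpoints that the sandboxed host contacted one after another between 09:17:19 and 09:18:01, on ports 443, 7080 and 8080. Hunting for that pattern in connection logs (one host reaching several known C2 endpoints inside a short window) is more robust than alerting on a single IP hit. The Python below does that over a constructed log: the first seven lines reuse timestamps and endpoints from this report's own DNS, TCP and Snort tables, the 192.168.2.7 lines and the "timestamp src dst dport" line format are invented, and the 120-second window and two-endpoint threshold are tuning assumptions.

```python
"""Added example: find Emotet-style C2 fan-out in connection logs (not code from the report)."""
from collections import defaultdict
from datetime import datetime, timedelta

# IP:port pairs taken from the Snort alert table in this report. Matching on the pair,
# not the bare IP, keeps a shared hosting IP on another port from paging on its own.
C2_ENDPOINTS = {
    ("91.121.146.47", 8080),
    ("66.228.32.31", 7080),
    ("182.162.143.56", 443),
    ("167.172.199.165", 8080),
    ("104.168.155.143", 8080),
}

# Constructed log, one connection per line: "<iso timestamp> <src ip> <dst ip> <dst port>".
# Lines 1-7 reuse timestamps and endpoints from this report's own tables; the two
# 192.168.2.7 lines are invented filler (one ordinary flow, one lone C2 hit).
SAMPLE_LOG = """\
2023-03-17T09:16:35.870768 192.168.2.3 8.8.8.8 53
2023-03-17T09:16:35.903984 192.168.2.3 203.26.41.131 443
2023-03-17T09:17:19.192203 192.168.2.3 91.121.146.47 8080
2023-03-17T09:17:28.925917 192.168.2.3 66.228.32.31 7080
2023-03-17T09:17:34.182038 192.168.2.3 182.162.143.56 443
2023-03-17T09:17:48.416747 192.168.2.3 167.172.199.165 8080
2023-03-17T09:18:01.076339 192.168.2.3 104.168.155.143 8080
2023-03-17T09:20:00.000000 192.168.2.7 178.79.242.128 80
2023-03-17T09:21:00.000000 192.168.2.7 182.162.143.56 443
"""


def parse_conn_lines(text):
    """Parse the constructed line format into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def c2_fanout(flows, c2=C2_ENDPOINTS, window=timedelta(seconds=120), min_distinct=2):
    """Return {src: sorted C2 endpoints} for every source that reaches at least
    `min_distinct` distinct known-C2 endpoints within any `window`-long span.
    A lone hit stays below threshold; the fan-out is what characterises the loader
    walking its embedded C2 list until one server answers."""
    per_host = defaultdict(list)
    for ts, src, dst, dport in flows:
        if (dst, dport) in c2:
            per_host[src].append((ts, (dst, dport)))

    alerts = {}
    for src, hits in per_host.items():
        hits.sort()                       # by timestamp
        flagged = set()
        left = 0
        for right in range(len(hits)):    # sliding window over this host's C2 hits
            while hits[right][0] - hits[left][0] > window:
                left += 1
            in_window = {endpoint for _, endpoint in hits[left:right + 1]}
            if len(in_window) >= min_distinct:
                flagged |= in_window
        if flagged:
            alerts[src] = sorted(flagged)
    return alerts


if __name__ == "__main__":
    for src, endpoints in c2_fanout(parse_conn_lines(SAMPLE_LOG)).items():
        print(src, "->", ", ".join(f"{ip}:{port}" for ip, port in endpoints))
```

With the defaults only 192.168.2.3 is reported, with all five endpoints; 192.168.2.7 touched one listed endpoint and stays quiet unless `min_distinct` is lowered to 1. Shrinking the window to a few seconds suppresses the report's own sequence as well, since the connection attempts are 5 to 14 seconds apart, which is why the window should be sized to the observed retry cadence rather than to a single connection.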

              Target ID:0
              Start time:09:16:08
              Start date:17/03/2023
              Path:C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE
              Wow64 process (32bit):true
              Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_3.one"
              Imagebase:0xc40000
              File size:1676072 bytes
              MD5 hash:8D7E99CB358318E1F38803C9E6B67867
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:moderate

              Target ID:9
              Start time:09:16:33
              Start date:17/03/2023
              Path:C:\Windows\SysWOW64\wscript.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
              Imagebase:0x1260000
              File size:147456 bytes
              MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
              • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000009.00000003.348706974.000000000518A000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
              • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000009.00000003.346224913.0000000005175000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
              • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000009.00000003.347622434.0000000005182000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
              • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000009.00000003.347622434.0000000005182000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
              • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000009.00000002.353529377.000000000518B000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
              • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000009.00000002.353529377.000000000518B000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
              • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000009.00000003.347751255.0000000005182000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
              • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000009.00000003.347751255.0000000005182000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
              • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000009.00000003.348256209.0000000005189000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
              • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000009.00000003.348256209.0000000005189000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
              Reputation:high

              Target ID:10
              Start time:09:16:38
              Start date:17/03/2023
              Path:C:\Windows\SysWOW64\regsvr32.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll"
              Imagebase:0xac0000
              File size:20992 bytes
              MD5 hash:426E7499F6A7346F0410DEAD0805586B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:11
              Start time:09:16:38
              Start date:17/03/2023
              Path:C:\Windows\System32\regsvr32.exe
              Wow64 process (32bit):false
              Commandline: "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll"
              Imagebase:0x7ff758390000
              File size:24064 bytes
              MD5 hash:D78B75FC68247E8A63ACBA846182740E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.334740049.0000000000F41000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.334703858.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high

              Target ID:12
              Start time:09:16:40
              Start date:17/03/2023
              Path:C:\Windows\System32\regsvr32.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll"
              Imagebase:0x7ff758390000
              File size:24064 bytes
              MD5 hash:D78B75FC68247E8A63ACBA846182740E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.580204342.0000000002B11000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.579427861.0000000001220000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 0000000C.00000002.579579352.0000000001268000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:high
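
Added example, not part of the Joe Sandbox report: read in start order, the processes above go ONENOTE.EXE, wscript.exe running click.wsf from %TEMP%, a WoW64 regsvr32.exe loading rad38C2A.tmp.dll from %TEMP%, the 64-bit regsvr32.exe it hands that DLL to, and finally regsvr32.exe loading a DLL from a subdirectory of System32. The Python below runs three detections over process-creation records: a DLL registered from the user's Temp folder, a DLL registered from one level below System32, and a regsvr32 whose ancestry contains an Office application or a script host. The records are constructed from the command lines in this report; the PIDs, the parent links, the benign control record (PID 700) and the list of suspicious parents are assumptions, and the System32-subdirectory rule is a heuristic to be tuned against your own baseline.

```python
"""Added example: flag the OneNote -> wscript -> regsvr32 loader chain (not code from the report)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int          # assumed PID (the report does not list PIDs)
    ppid: int         # assumed parent PID
    image: str        # full path of the created process
    cmdline: str      # command line as logged


# Parents that should not normally end up spawning regsvr32 (assumption; extend to taste).
OFFICE_AND_SCRIPT_HOSTS = {"onenote.exe", "winword.exe", "excel.exe", "wscript.exe", "cscript.exe"}

# Last argument ending in .dll, quoted or bare.
DLL_ARG_RE = re.compile(r'"([^"]+\.dll)"\s*$|(\S+\.dll)\s*$', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r'\\appdata\\local\\temp\\')
# A DLL exactly one directory below System32 (System32\<dir>\<name>.dll), which is where the
# sample re-registers its copy; legitimate registrations from there are rare (assumption).
SYSTEM32_SUBDIR_RE = re.compile(r'^[a-z]:\\windows\\system32\\[^\\]+\\[^\\]+\.dll$')

# Constructed records modelled on the command lines in this report; PID 700 is a benign control.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_3.one"'),
    ProcEvent(300, 200, r"C:\Windows\SysWOW64\wscript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"'),
    ProcEvent(400, 300, r"C:\Windows\SysWOW64\regsvr32.exe",
              r'"C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll"'),
    ProcEvent(500, 400, r"C:\Windows\System32\regsvr32.exe",
              r' "C:\Users\user\AppData\Local\Temp\rad38C2A.tmp.dll"'),
    ProcEvent(600, 500, r"C:\Windows\System32\regsvr32.exe",
              r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ZLTlFkhzfcDaCjB\GJcmgWEWTZrc.dll"'),
    ProcEvent(700, 100, r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\thing.dll"'),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dll_argument(cmdline: str):
    """Return the DLL path regsvr32 was asked to load, or None if there is none."""
    m = DLL_ARG_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def ancestor_images(ev: ProcEvent, by_pid: dict) -> list:
    """Lower-cased image names of ev's parent, grandparent, ... (cycle-safe)."""
    seen, chain, cur = set(), [], by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def evaluate(events) -> dict:
    """Map PID -> list of rule names for every regsvr32 launch that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for ev in events:
        if basename(ev.image) != "regsvr32.exe":
            continue
        dll = (dll_argument(ev.cmdline) or "").lower()
        rules = []
        if TEMP_DIR_RE.search(dll):
            rules.append("regsvr32_temp_dll")
        if SYSTEM32_SUBDIR_RE.match(dll):
            rules.append("regsvr32_system32_subdir_dll")
        if OFFICE_AND_SCRIPT_HOSTS & set(ancestor_images(ev, by_pid)):
            rules.append("regsvr32_office_or_script_ancestry")
        if rules:
            hits[ev.pid] = rules
    return hits


if __name__ == "__main__":
    for pid, rules in evaluate(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

The ancestry rule is the one that survives a change of drop directory: both regsvr32 instances that load from %TEMP% and the final one loading from System32 all trace back to ONENOTE.EXE and wscript.exe, while the control registration launched from explorer.exe trips nothing. Note that the 64-bit regsvr32 spawned by its WoW64 counterpart logs a command line consisting of the DLL path alone, so the DLL extraction must not assume the image name is present.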

              No disassembly