Windows Analysis Report
INNOVINC.one

Overview

General Information

Sample Name:	INNOVINC.one
Analysis ID:	828504
MD5:	87e6d4c09602d4ad3fffa14f0859e4ab
SHA1:	8655b4753c3bc2c24c3c4ac43ce51401a9248fc7
SHA256:	ab29f7e0adb4c813c74e69ab272ec00f0e9e1270e50fc3e38ce85c3c679dbc6f
Tags:	one
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Malicious OneNote

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Run temp file via regsvr32

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Stores files to the Windows start menu directory

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Creates a start menu entry (Start Menu\Programs\Startup)

Registers a DLL

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: INNOVINC.one	ReversingLabs: Detection: 33%
Source: INNOVINC.one	Virustotal: Detection: 40%			Perma Link

Antivirus detection for URL or domain

Source: https://163.44.196.120:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/	Avira URL Cloud: Label: malware
Source: https://164.90.222.65/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/	Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/z	Avira URL Cloud: Label: malware
Source: https://164.90.222.65/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/ma/	Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/h	Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/Wk	Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/o	Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/q	Avira URL Cloud: Label: malware
Source: https://164.90.222.65:443/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/	Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/	Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/	Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/	Avira URL Cloud: Label: malware
Source: https://159.89.202.34/	Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/	Avira URL Cloud: Label: malware
Source: https://182.162.143.56/8	Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/	Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/vM	Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllmg	Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/1	Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/	Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll	Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/u	Avira URL Cloud: Label: malware
Source: https://182.162.143.56/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/	Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/	Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM	Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/tM	Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/h	Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/	Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/	Avira URL Cloud: Label: malware
Source: https://159.89.202.34:443/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/P	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/	Avira URL Cloud: Label: malware
Source: https://187.63.160.88:80/	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/	Avira URL Cloud: Label: malware
Source: https://159.89.202.34/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/ryma/	Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/yM	Avira URL Cloud: Label: malware
Source: https://159.89.202.34/X	Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/ram	Avira URL Cloud: Label: malware
Source: https://187.63.160.88:80/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/	Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/3	Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/xM	Avira URL Cloud: Label: malware
Source: https://187.63.160.88:80/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/.com&	Avira URL Cloud: Label: malware
Source: https://159.89.202.34//	Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/	Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM	Avira URL Cloud: Label: malware
Source: https://159.89.202.34/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/	Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/3	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\rad862DE.tmp.dll	ReversingLabs: Detection: 58%
Source: C:\Windows\System32\OkzilcUDkTuKjw\FGdLGyDLKydH.dll (copy)	ReversingLabs: Detection: 58%

Source: 0000000D.00000002.576728801.0000000000B88000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5OmSQfQApAIA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx22mRwfQAJAJI="]}

Source: unknown	HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49709 version: TLS 1.2

Source: C:\Windows\System32\regsvr32.exe

Code function: 12_2_0000000180008D28 FindFirstFileExW,

12_2_0000000180008D28

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE

Process created: C:\Windows\SysWOW64\wscript.exe

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 159.65.88.10 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 164.90.222.65 443	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 203.26.41.131 443	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 66.228.32.31 7080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 187.63.160.88 80	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 104.168.155.143 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 159.89.202.34 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.121.146.47 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 160.16.142.56 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 167.172.199.165 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 163.44.196.120 8080	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.3:49709 -> 182.162.143.56:443
Source: Traffic	Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.3:49706 -> 91.121.146.47:8080
Source: Traffic	Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.3:49708 -> 66.228.32.31:7080
Source: Traffic	Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.3:49711 -> 167.172.199.165:8080
Source: Traffic	Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.3:49716 -> 104.168.155.143:8080

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 91.121.146.47:8080
Source: Malware configuration extractor	IPs: 66.228.32.31:7080
Source: Malware configuration extractor	IPs: 182.162.143.56:443
Source: Malware configuration extractor	IPs: 187.63.160.88:80
Source: Malware configuration extractor	IPs: 167.172.199.165:8080
Source: Malware configuration extractor	IPs: 164.90.222.65:443
Source: Malware configuration extractor	IPs: 104.168.155.143:8080
Source: Malware configuration extractor	IPs: 163.44.196.120:8080
Source: Malware configuration extractor	IPs: 160.16.142.56:8080
Source: Malware configuration extractor	IPs: 159.89.202.34:443
Source: Malware configuration extractor	IPs: 159.65.88.10:8080
Source: Malware configuration extractor	IPs: 186.194.240.217:443
Source: Malware configuration extractor	IPs: 149.56.131.28:8080
Source: Malware configuration extractor	IPs: 72.15.201.15:8080
Source: Malware configuration extractor	IPs: 1.234.2.232:8080
Source: Malware configuration extractor	IPs: 82.223.21.224:8080
Source: Malware configuration extractor	IPs: 206.189.28.199:8080
Source: Malware configuration extractor	IPs: 169.57.156.166:8080
Source: Malware configuration extractor	IPs: 107.170.39.149:8080
Source: Malware configuration extractor	IPs: 103.43.75.120:443
Source: Malware configuration extractor	IPs: 91.207.28.33:8080
Source: Malware configuration extractor	IPs: 213.239.212.5:443
Source: Malware configuration extractor	IPs: 45.235.8.30:8080
Source: Malware configuration extractor	IPs: 119.59.103.152:8080
Source: Malware configuration extractor	IPs: 164.68.99.3:8080
Source: Malware configuration extractor	IPs: 95.217.221.146:8080
Source: Malware configuration extractor	IPs: 153.126.146.25:7080
Source: Malware configuration extractor	IPs: 197.242.150.244:8080
Source: Malware configuration extractor	IPs: 202.129.205.3:8080
Source: Malware configuration extractor	IPs: 103.132.242.26:8080
Source: Malware configuration extractor	IPs: 139.59.126.41:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 183.111.227.137:8080
Source: Malware configuration extractor	IPs: 5.135.159.50:443
Source: Malware configuration extractor	IPs: 201.94.166.162:443
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 79.137.35.198:8080
Source: Malware configuration extractor	IPs: 172.105.226.75:8080
Source: Malware configuration extractor	IPs: 94.23.45.86:4143
Source: Malware configuration extractor	IPs: 115.68.227.76:8080
Source: Malware configuration extractor	IPs: 153.92.5.27:8080
Source: Malware configuration extractor	IPs: 167.172.253.162:8080
Source: Malware configuration extractor	IPs: 188.44.20.25:443
Source: Malware configuration extractor	IPs: 147.139.166.154:8080
Source: Malware configuration extractor	IPs: 129.232.188.93:443
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 185.4.135.165:8080
Source: Malware configuration extractor	IPs: 45.176.232.124:443

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: POST /hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 110.232.117.186 110.232.117.186

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.3:49706 -> 91.121.146.47:8080
Source: global traffic	TCP traffic: 192.168.2.3:49708 -> 66.228.32.31:7080
Source: global traffic	TCP traffic: 192.168.2.3:49711 -> 167.172.199.165:8080
Source: global traffic	TCP traffic: 192.168.2.3:49716 -> 104.168.155.143:8080
Source: global traffic	TCP traffic: 192.168.2.3:49717 -> 163.44.196.120:8080
Source: global traffic	TCP traffic: 192.168.2.3:49718 -> 160.16.142.56:8080
Source: global traffic	TCP traffic: 192.168.2.3:49723 -> 159.65.88.10:8080

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 17

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65

Source: wscript.exe, 0000000A.00000003.334568472.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352899714.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.356606948.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351628835.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354576518.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.413006720.0000000000C79000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.476681841.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.477133614.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.415130605.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.577044857.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 0000000D.00000003.411622877.0000000000C75000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/do-I
Source: regsvr32.exe, 0000000D.00000003.476681841.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.477133614.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.415130605.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.577044857.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.13.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000D.00000003.412584039.0000000002C88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.411622877.0000000000C75000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.412386904.0000000002C41000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.412706035.0000000002CAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?823f8f3890b32
Source: regsvr32.exe, 0000000D.00000003.477107170.0000000000BE6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.476681841.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.577044857.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.415029958.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.414520712.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.477067849.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/eni
Source: wscript.exe, wscript.exe, 0000000A.00000003.349149787.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338317578.000000000591A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339594149.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343579718.0000000005B59000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343908189.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350699760.0000000005D0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351628835.0000000005DC9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344602778.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351436887.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349636349.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337521397.0000000005906000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354466039.0000000005D45000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349707190.0000000005C99000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338877846.0000000005983000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336637688.00000000034F2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336698256.00000000058A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344413378.0000000005BD9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339080962.00000000059F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343777034.0000000005B7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335513504.000000000348A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ozmeydan.com/cekici/9/
Source: wscript.exe, 0000000A.00000003.351539021.0000000005567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ozmeydan.com/cekici/9/xM
Source: wscript.exe, 0000000A.00000003.342759926.00000000058FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.355583344.0000000005900000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softwareulike.com/cW
Source: wscript.exe, wscript.exe, 0000000A.00000003.349149787.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338317578.000000000591A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339594149.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343579718.0000000005B59000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351137790.0000000005D47000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343908189.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350699760.0000000005D0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351628835.0000000005DC9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344602778.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351436887.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349636349.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337521397.0000000005906000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349707190.0000000005C99000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338877846.0000000005983000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336637688.00000000034F2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336698256.00000000058A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344413378.0000000005BD9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339080962.00000000059F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343777034.0000000005B7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335513504.000000000348A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/
Source: wscript.exe, 0000000A.00000003.351539021.0000000005567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/yM
Source: wscript.exe, 0000000A.00000002.356232822.0000000005D33000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351429202.0000000005D33000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350714830.0000000005D32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://softwareulike.com/cWIYxWX6
Source: wscript.exe, 0000000A.00000003.351436887.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351359012.0000000005DA1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352842359.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.356455766.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-
Source: wscript.exe, 0000000A.00000003.351436887.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349636349.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337521397.0000000005906000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349707190.0000000005C99000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338877846.0000000005983000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336637688.00000000034F2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336698256.00000000058A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344413378.0000000005BD9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339080962.00000000059F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343777034.0000000005B7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343872373.0000000005B85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344273271.0000000005B2B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334568472.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335042827.0000000003474000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339525923.00000000059B6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335328748.00000000034D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.356494821.0000000005DEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348685714.0000000005BA5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.356232822.0000000005D33000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338317578.0000000005901000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343210541.0000000005A8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
Source: wscript.exe, 0000000A.00000003.351539021.0000000005567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
Source: regsvr32.exe, 0000000D.00000002.578533764.0000000002D33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://104.168.155.143:8080/
Source: regsvr32.exe, 0000000D.00000002.577044857.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://104.168.155.143:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/3
Source: regsvr32.exe, 0000000D.00000002.577044857.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://104.168.155.143:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/o
Source: regsvr32.exe, 0000000D.00000002.577044857.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://109.65.88.10:8080/
Source: regsvr32.exe, 0000000D.00000002.577044857.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/
Source: regsvr32.exe, 0000000D.00000002.577044857.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/h
Source: regsvr32.exe, 0000000D.00000002.577044857.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.577044857.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.578490449.0000000002CC5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.577044857.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/
Source: regsvr32.exe, 0000000D.00000002.577044857.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/u
Source: regsvr32.exe, 0000000D.00000002.577044857.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.89.202.34/
Source: regsvr32.exe, 0000000D.00000002.577044857.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.89.202.34//
Source: regsvr32.exe, 0000000D.00000002.577044857.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.89.202.34/X
Source: regsvr32.exe, 0000000D.00000002.577044857.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.578490449.0000000002CAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.89.202.34/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/
Source: regsvr32.exe, 0000000D.00000002.577044857.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.89.202.34/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/ryma/
Source: regsvr32.exe, 0000000D.00000002.578490449.0000000002CC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.89.202.34:443/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/P
Source: regsvr32.exe, 0000000D.00000002.577044857.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.577044857.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.142.56:8080/
Source: regsvr32.exe, 0000000D.00000002.577044857.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.142.56:8080/$
Source: regsvr32.exe, 0000000D.00000002.577044857.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.578490449.0000000002CC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://160.16.142.56:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/
Source: regsvr32.exe, 0000000D.00000002.578533764.0000000002D33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.44.196.120:8080/
Source: regsvr32.exe, 0000000D.00000002.577044857.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.44.196.120:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/
Source: regsvr32.exe, 0000000D.00000002.578490449.0000000002CC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://163.44.196.120:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/q
Source: regsvr32.exe, 0000000D.00000003.477107170.0000000000BE6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.476681841.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.477133614.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.476681841.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.477067849.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://164.90.222.65/
Source: regsvr32.exe, 0000000D.00000003.477133614.0000000000C25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://164.90.222.65/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/
Source: regsvr32.exe, 0000000D.00000003.476681841.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.477133614.0000000000C25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://164.90.222.65/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/ma/
Source: regsvr32.exe, 0000000D.00000002.578490449.0000000002CC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://164.90.222.65:443/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/
Source: regsvr32.exe, 0000000D.00000002.578533764.0000000002D33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.172.199.165:8080/
Source: regsvr32.exe, 0000000D.00000003.477067849.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.172.199.165:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/
Source: regsvr32.exe, 0000000D.00000003.476942364.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://167.172.199.165:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/3
Source: regsvr32.exe, 0000000D.00000003.476681841.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.477133614.0000000000C25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/
Source: regsvr32.exe, 0000000D.00000003.476681841.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.477133614.0000000000C25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/8
Source: regsvr32.exe, 0000000D.00000003.476681841.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.477133614.0000000000C25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://187.63.160.88:80/
Source: regsvr32.exe, 0000000D.00000002.576728801.0000000000B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://187.63.160.88:80/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/
Source: regsvr32.exe, 0000000D.00000003.476942364.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.577044857.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://187.63.160.88:80/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/.com&
Source: regsvr32.exe, 0000000D.00000003.476681841.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.477133614.0000000000C25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://66.228.32.31:7080/
Source: regsvr32.exe, 0000000D.00000003.476681841.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.477133614.0000000000C25000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://66.228.32.31:7080/h
Source: regsvr32.exe, 0000000D.00000003.476942364.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.577044857.0000000000C7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://66.228.32.31:7080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/
Source: regsvr32.exe, 0000000D.00000003.476681841.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.477133614.0000000000C25000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.577044857.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://66.228.32.31:7080/z
Source: regsvr32.exe, 0000000D.00000002.576728801.0000000000B88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.121.146.47:8080/
Source: regsvr32.exe, 0000000D.00000003.414863014.0000000000C01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.121.146.47:8080/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/Wk
Source: wscript.exe, wscript.exe, 0000000A.00000003.349149787.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338317578.000000000591A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339594149.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343579718.0000000005B59000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343908189.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350699760.0000000005D0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351628835.0000000005DC9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344602778.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351436887.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349636349.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337521397.0000000005906000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335513504.0000000003470000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354466039.0000000005D45000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349707190.0000000005C99000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338877846.0000000005983000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336637688.00000000034F2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336698256.00000000058A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344413378.0000000005BD9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339080962.00000000059F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343777034.0000000005B7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
Source: wscript.exe, 0000000A.00000003.351149534.0000000005D14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll
Source: wscript.exe, 0000000A.00000003.350699760.0000000005D0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350260982.0000000005CE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350598253.0000000005CF1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349734604.0000000005CE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dllmg
Source: wscript.exe, 0000000A.00000003.351539021.0000000005567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
Source: wscript.exe, 0000000A.00000003.334568472.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334568472.0000000005E00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351628835.0000000005E00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352899714.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.356606948.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.356494821.0000000005E00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351628835.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354576518.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/
Source: wscript.exe, 0000000A.00000003.338607407.0000000005962000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337976965.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343506146.0000000005A9E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339525923.00000000059DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338824444.00000000059AB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337976965.00000000058DE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351005610.0000000005D17000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342759926.00000000058FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343618922.0000000005B23000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337976965.00000000058FF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343410553.0000000005B1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335188810.00000000034BF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334897076.000000000345E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344273271.0000000005B17000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351149534.0000000005D14000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.355656591.0000000005B8D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.355664779.0000000005B90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.348527228.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343506146.0000000005AC5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350260982.0000000005CE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.355246506.00000000034FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/
Source: wscript.exe, 0000000A.00000003.351539021.0000000005567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/tM
Source: wscript.exe, 0000000A.00000002.356232822.0000000005D33000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351429202.0000000005D33000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350714830.0000000005D32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1j
Source: wscript.exe, wscript.exe, 0000000A.00000003.349149787.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338317578.000000000591A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339594149.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343579718.0000000005B59000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343908189.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350699760.0000000005D0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351628835.0000000005DC9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344602778.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351436887.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349636349.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337521397.0000000005906000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335513504.0000000003470000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354466039.0000000005D45000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349707190.0000000005C99000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338877846.0000000005983000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336637688.00000000034F2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336698256.00000000058A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344413378.0000000005BD9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339080962.00000000059F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343777034.0000000005B7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
Source: wscript.exe, 0000000A.00000003.351436887.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351359012.0000000005DA1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352114448.0000000005DBF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351487137.0000000005DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/ram
Source: wscript.exe, 0000000A.00000003.351539021.0000000005567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
Source: wscript.exe, 0000000A.00000003.351436887.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351359012.0000000005DA1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352842359.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.356455766.0000000005DBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/
Source: wscript.exe, wscript.exe, 0000000A.00000003.349149787.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338317578.000000000591A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339594149.0000000005A3E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343579718.0000000005B59000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343908189.0000000005B98000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350699760.0000000005D0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351628835.0000000005DC9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344602778.0000000005B70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351436887.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349636349.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337521397.0000000005906000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335513504.0000000003470000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354466039.0000000005D45000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349707190.0000000005C99000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338877846.0000000005983000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336637688.00000000034F2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336698256.00000000058A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344413378.0000000005BD9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339080962.00000000059F0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343777034.0000000005B7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/logs/pd/
Source: wscript.exe, 0000000A.00000003.351416616.0000000005D8E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351261263.0000000005D7F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351082656.0000000005D51000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351316396.0000000005D86000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351039727.0000000005D3E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350714830.0000000005D32000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.350901308.0000000005D34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/logs/pd/1
Source: wscript.exe, 0000000A.00000003.351539021.0000000005567000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gomespontes.com.br/logs/pd/vM

Source: unknown

HTTP traffic detected: POST /hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56

Source: unknown

DNS traffic detected: queries for: penshorn.org

Source: global traffic

HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org

Source: unknown	HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.3:49709 version: TLS 1.2

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 0000000D.00000002.576728801.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 13.2.regsvr32.exe.b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.2410000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.regsvr32.exe.b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.2410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.576351502.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.578265574.0000000000C81000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.329916167.0000000002441000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.329850872.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara signature match

Source: 0000000A.00000003.351436887.0000000005DAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.351487137.0000000005DBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06

Creates files inside the system directory

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Windows\system32\OkzilcUDkTuKjw\

Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,	12_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert,	12_2_0000000180010AC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject,	12_2_0000000180010DB0

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\INNOVINC.one
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad862DE.tmp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad862DE.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OkzilcUDkTuKjw\FGdLGyDLKydH.dll"
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE "C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE" /tsr
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad862DE.tmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad862DE.tmp.dll"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OkzilcUDkTuKjw\FGdLGyDLKydH.dll"	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180005C69 push rdi; ret	12_2_0000000180005C72
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00000001800056DD push rdi; ret	12_2_00000001800056E4
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0244A26E push ebp; ret	12_2_0244A26F
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_02449E8B push eax; retf	12_2_02449E8E
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_02457EAF push 458BCC5Ah; retf	12_2_02457EBC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0245C731 push esi; iretd	12_2_0245C732
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_024580D7 push ebp; retf	12_2_024580D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_02446CDE push esi; iretd	12_2_02446CDF
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0244A0FC push ebp; iretd	12_2_0244A0FD
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_02446C9F pushad ; ret	12_2_02446CAA
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_02457D4E push ebp; iretd	12_2_02457D4F
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_02458157 push ebp; retf	12_2_02458158
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_02449D51 push ebp; retf	12_2_02449D5A
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_02457D25 push 4D8BFFFFh; retf	12_2_02457D2A
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_02457D3C push ebp; retf	12_2_02457D3D
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0244A1D2 push ebp; iretd	12_2_0244A1D3
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_02457987 push ebp; iretd	12_2_0245798F
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00C86CDE push esi; iretd	13_2_00C86CDF
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00C86C9F pushad ; ret	13_2_00C86CAA
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00CA6D34 push edi; ret	13_2_00CA6D36
Source: C:\Windows\System32\regsvr32.exe	Code function: 13_2_00C9C731 push esi; iretd	13_2_00C9C732

Source: C:\Windows\System32\regsvr32.exe	File created: C:\Windows\System32\OkzilcUDkTuKjw\FGdLGyDLKydH.dll (copy)			Jump to dropped file
Source: C:\Windows\SysWOW64\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\rad862DE.tmp.dll			Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe TID: 4760	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 664	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 1844	Thread sleep time: -300000s >= -30000s	Jump to behavior

Source: wscript.exe, 0000000A.00000003.334568472.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352899714.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.356606948.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351628835.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354576518.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW)8:?
Source: wscript.exe, 0000000A.00000003.334568472.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352899714.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.356606948.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351628835.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354576518.0000000005E2D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.577044857.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.415130605.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.476942364.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.414520712.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.577044857.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.476681841.0000000000BCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 0000000A.00000003.334568472.0000000005DD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.356494821.0000000005DEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352164477.0000000005DED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351628835.0000000005DDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh4

Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00000001800082EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 12_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00000001800017DC

Source: Yara match	File source: INNOVINC.one, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\INNOVINC.one, type: DROPPED

IP	Domain	Country	ASN	ASN Name	Malicious
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
103.132.242.26	unknown	India	45117	INPL-IN-APIshansNetworkIN	true
104.168.155.143	unknown	United States	54290	HOSTWINDSUS	true
79.137.35.198	unknown	France	16276	OVHFR	true
115.68.227.76	unknown	Korea Republic of	38700	SMILESERV-AS-KRSMILESERVKR	true
163.44.196.120	unknown	Singapore	135161	GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG	true
206.189.28.199	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
203.26.41.131	penshorn.org	Australia	38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true
107.170.39.149	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
66.228.32.31	unknown	United States	63949	LINODE-APLinodeLLCUS	true
197.242.150.244	unknown	South Africa	37611	AfrihostZA	true
185.4.135.165	unknown	Greece	199246	TOPHOSTGR	true
183.111.227.137	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
45.176.232.124	unknown	Colombia	267869	CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC	true
169.57.156.166	unknown	United States	36351	SOFTLAYERUS	true
164.68.99.3	unknown	Germany	51167	CONTABODE	true
139.59.126.41	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
167.172.253.162	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
167.172.199.165	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
202.129.205.3	unknown	Thailand	45328	NIPA-AS-THNIPATECHNOLOGYCOLTDTH	true
147.139.166.154	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
153.92.5.27	unknown	Germany	47583	AS-HOSTINGERLT	true
159.65.88.10	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
172.105.226.75	unknown	United States	63949	LINODE-APLinodeLLCUS	true
164.90.222.65	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
213.239.212.5	unknown	Germany	24940	HETZNER-ASDE	true
5.135.159.50	unknown	France	16276	OVHFR	true
186.194.240.217	unknown	Brazil	262733	NetceteraTelecomunicacoesLtdaBR	true
119.59.103.152	unknown	Thailand	56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true
159.89.202.34	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
91.121.146.47	unknown	France	16276	OVHFR	true
160.16.142.56	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	true
201.94.166.162	unknown	Brazil	28573	CLAROSABR	true
91.207.28.33	unknown	Kyrgyzstan	39819	PROHOSTKG	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
103.43.75.120	unknown	Japan	20473	AS-CHOOPAUS	true
188.44.20.25	unknown	Macedonia	57374	GIV-ASMK	true
45.235.8.30	unknown	Brazil	267405	WIKINETTELECOMUNICACOESBR	true
153.126.146.25	unknown	Japan	7684	SAKURA-ASAKURAInternetIncJP	true
72.15.201.15	unknown	United States	13649	ASN-VINSUS	true
187.63.160.88	unknown	Brazil	28169	BITCOMPROVEDORDESERVICOSDEINTERNETLTDABR	true
82.223.21.224	unknown	Spain	8560	ONEANDONE-ASBrauerstrasse48DE	true
173.212.193.249	unknown	Germany	51167	CONTABODE	true
95.217.221.146	unknown	Germany	24940	HETZNER-ASDE	true
149.56.131.28	unknown	Canada	16276	OVHFR	true
182.162.143.56	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
1.234.2.232	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
129.232.188.93	unknown	South Africa	37153	xneeloZA	true
94.23.45.86	unknown	France	16276	OVHFR	true

Name	Malicious	Antivirus Detection	Reputation
https://182.162.143.56/hljclo/nvgjbvhfifkmnnu/fqmovqnozffbslm/luuduiszhryma/	true	Avira URL Cloud: malware	unknown
https://penshorn.org/admin/Ses8712iGR8du/	true	Avira URL Cloud: malware	unknown

ID:	828504
Product:	CloudBasic
Start time:	09:21:12
Start date:	17.03.2023
Sample:	INNOVINC.one
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	87e6d4c09602d4ad3fffa14f0859e4ab
SHA1:	8655b4753c3bc2c24c3c4ac43ce51401a9248fc7
SHA256:	ab29f7e0adb4c813c74e69ab272ec00f0e9e1270e50fc3e38ce85c3c679dbc6f
Filetype:	Microsoft OneNote note (16024/2) 100.00%

Windows Analysis Report INNOVINC.one

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
INNOVINC.one