Windows Analysis Report
Form - 16 Mar, 2023.one

Overview

General Information

Sample Name: Form - 16 Mar, 2023.one
Analysis ID: 828882
MD5: fdb11bd1fb6eba5cb985a4bd5edda765
SHA1: ad09e5d26784b4c56232ce74725d38c1e34647ea
SHA256: 8dbe6329f5086cd8ea55002897ca64d8a938ebb57c8a91d08f6cd927c3586f4a

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Malicious OneNote
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Run temp file via regsvr32
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Creates a start menu entry (Start Menu\Programs\Startup)
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: Form - 16 Mar, 2023.one ReversingLabs: Detection: 38%
Source: Form - 16 Mar, 2023.one Virustotal: Detection: 17%
Source: https://91.121.146.47:8080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/y Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/ Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/ Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/ Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/i Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/# Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/g Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/ Avira URL Cloud: Label: malware
Source: https://bbvoyage.com:443/useragreement/ElKHvb4QIQqSrh6Hqm/ Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/tM Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/ Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/R Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/ Avira URL Cloud: Label: malware
Source: https://164.90.222.65/0/ Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/dll Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/ Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/yM Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/ Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/ Avira URL Cloud: Label: malware
Source: https://164.90.222.65/kjgfzohhcvsym/ggkrpukmvfsdmfdi/ Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/f4) Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/ Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/vM Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/a Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/m/Low Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/c Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/xM Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/O Avira URL Cloud: Label: malware
Source: https://163.44.196.120:8080/h Avira URL Cloud: Label: malware
Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/ Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/35047 Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/ Avira URL Cloud: Label: malware
Source: https://penshorn.org:443/admin/Ses8712iGR8du/ Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/ublic Avira URL Cloud: Label: malware
Source: bbvoyage.com Virustotal: Detection: 8%
Source: penshorn.org Virustotal: Detection: 10%
Source: http://ozmeydan.com/cekici/9/ Virustotal: Detection: 21%
Source: http://softwareulike.com/cWIYxWMPkK/ Virustotal: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\radE00D6.tmp.dll ReversingLabs: Detection: 58%
Source: C:\Windows\System32\DWxyui\KGQLMqgYfV.dll (copy) ReversingLabs: Detection: 58%
Source: 00000008.00000002.617622368.0000000001128000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5MXrQigAaAI4=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2dnqRigAnAIA="]}
Source: unknown HTTPS traffic detected: 31.31.196.172:443 -> 192.168.2.4:49697 version: TLS 1.2
Source: unknown HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.4:49707 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180008D28 FindFirstFileExW, 7_2_0000000180008D28

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 31.31.196.172 443
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 203.26.41.131 443
Source: C:\Windows\SysWOW64\wscript.exe Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443
Source: C:\Windows\SysWOW64\wscript.exe Domain query: bbvoyage.com
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.4:49707 -> 164.90.222.65:443
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.4:49698 -> 91.121.146.47:8080
Source: Traffic Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.4:49700 -> 66.228.32.31:7080
Source: Traffic Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.4:49701 -> 182.162.143.56:443
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.4:49706 -> 167.172.199.165:8080
Source: Traffic Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.4:49708 -> 104.168.155.143:8080
Source: Joe Sandbox View ASN Name: RACKCORP-APRackCorpAU
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic HTTP traffic detected:
POST /kjgfzohhcvsym/ggkrpukmvfsdmfdi/ HTTP/1.1
Connection: Keep-Alive
Content-Length: 0
Host: 164.90.222.65
Source: Joe Sandbox View IP Address: 110.232.117.186
Source: global traffic HTTP traffic detected:
GET /useragreement/ElKHvb4QIQqSrh6Hqm/ HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: bbvoyage.com
Source: global traffic TCP traffic: 192.168.2.4:49698 -> 91.121.146.47:8080
Source: global traffic TCP traffic: 192.168.2.4:49700 -> 66.228.32.31:7080
Source: global traffic TCP traffic: 192.168.2.4:49706 -> 167.172.199.165:8080
Source: global traffic TCP traffic: 192.168.2.4:49708 -> 104.168.155.143:8080
Source: global traffic TCP traffic: 192.168.2.4:49709 -> 163.44.196.120:8080
Source: unknown Network traffic detected: IP country count 18
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.155.143
Source: wscript.exe, 00000001.00000002.454746184.0000000005004000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.586761426.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.617706041.00000000011B1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.519602421.00000000011B1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.521824072.00000000011B1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.586322272.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000008.00000003.521824072.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/Low
Source: regsvr32.exe, 00000008.00000003.522318920.000000000117C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.586322272.000000000117C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.617706041.000000000118C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.586721940.000000000118B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.519602421.000000000117C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.586700754.0000000001186000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000008.00000003.586322272.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.519602421.000000000117C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000008.00000003.514049481.000000000322E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?face02ee8e0f8
Source: wscript.exe, wscript.exe, 00000001.00000003.438065273.0000000004A4C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.446215312.0000000004D5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449163374.0000000004D50000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.445464334.0000000004D13000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.454128964.0000000000569000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.441367000.0000000004C39000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.437009350.0000000000519000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.453635476.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450239085.0000000004DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439815100.0000000004AF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449599586.0000000004DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439285276.0000000004B00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.441612434.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450137005.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.447642991.0000000004DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449126562.0000000004D1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.454449863.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.440428219.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449909753.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.442046071.0000000004CCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ozmeydan.com/cekici/9/
Source: wscript.exe, 00000001.00000003.450944827.0000000004704000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ozmeydan.com/cekici/9/xM
Source: wscript.exe, wscript.exe, 00000001.00000003.438065273.0000000004A4C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.446215312.0000000004D5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449163374.0000000004D50000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.445464334.0000000004D13000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.454128964.0000000000569000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.441367000.0000000004C39000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.437009350.0000000000519000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.453635476.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450239085.0000000004DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439815100.0000000004AF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449599586.0000000004DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439285276.0000000004B00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.441612434.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450137005.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.447642991.0000000004DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449126562.0000000004D1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.454449863.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.440428219.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449909753.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.442046071.0000000004CCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/
Source: wscript.exe, 00000001.00000003.450944827.0000000004704000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/yM
Source: wscript.exe, wscript.exe, 00000001.00000003.438065273.0000000004A4C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.446215312.0000000004D5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449163374.0000000004D50000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.445464334.0000000004D13000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.454128964.0000000000569000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.441367000.0000000004C39000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.437009350.0000000000519000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.453635476.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450239085.0000000004DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439815100.0000000004AF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449599586.0000000004DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439285276.0000000004B00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.441612434.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450137005.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.447642991.0000000004DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449126562.0000000004D1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.454449863.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.440428219.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449909753.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.442046071.0000000004CCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
Source: wscript.exe, 00000001.00000002.454494243.0000000004F0C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450088401.0000000004F0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/O
Source: wscript.exe, 00000001.00000003.450944827.0000000004704000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
Source: regsvr32.exe, 00000008.00000002.617706041.00000000011A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.44.196.120:8080/
Source: regsvr32.exe, 00000008.00000002.617706041.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://104.168.155.143:8080/
Source: regsvr32.exe, 00000008.00000002.617706041.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://104.168.155.143:8080/g
Source: regsvr32.exe, 00000008.00000002.617706041.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://104.168.155.143:8080/i
Source: regsvr32.exe, 00000008.00000002.618264606.00000000033E7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.617706041.00000000011B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://104.168.155.143:8080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/
Source: regsvr32.exe, 00000008.00000002.617706041.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://163.44.196.120:8080/a
Source: regsvr32.exe, 00000008.00000002.617706041.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://163.44.196.120:8080/c
Source: regsvr32.exe, 00000008.00000002.617706041.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://163.44.196.120:8080/h
Source: regsvr32.exe, 00000008.00000002.617706041.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://163.44.196.120:8080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/
Source: regsvr32.exe, 00000008.00000002.617706041.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://163.44.196.120:8080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/f4)
Source: regsvr32.exe, 00000008.00000002.617706041.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://163.44.196.120:8080/m/Low
Source: regsvr32.exe, 00000008.00000003.586522117.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://164.90.222.65/
Source: regsvr32.exe, 00000008.00000003.586522117.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.617706041.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://164.90.222.65/0/
Source: regsvr32.exe, 00000008.00000003.586522117.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.586322272.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.617706041.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://164.90.222.65/kjgfzohhcvsym/ggkrpukmvfsdmfdi/
Source: regsvr32.exe, 00000008.00000002.618264606.00000000033E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/
Source: regsvr32.exe, 00000008.00000003.586761426.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.586322272.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/#
Source: regsvr32.exe, 00000008.00000003.586522117.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.617706041.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://182.162.143.56/
Source: regsvr32.exe, 00000008.00000003.586522117.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.617706041.00000000011FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://66.228.32.31:7080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/
Source: regsvr32.exe, 00000008.00000002.617622368.0000000001128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/
Source: regsvr32.exe, 00000008.00000002.617622368.0000000001128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/
Source: regsvr32.exe, 00000008.00000002.617622368.0000000001128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/dll
Source: regsvr32.exe, 00000008.00000003.519602421.00000000011A1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.521824072.00000000011A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/kjgfzohhcvsym/ggkrpukmvfsdmfdi/y
Source: wscript.exe, 00000001.00000003.450771495.0000000004FD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.454658429.0000000004FD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.435803388.0000000004FD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.453651451.0000000004FD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/
Source: wscript.exe, 00000001.00000003.450771495.0000000004FCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.454658429.0000000004FCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.453651451.0000000004FCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.435803388.0000000004FCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/G
Source: wscript.exe, wscript.exe, 00000001.00000003.438065273.0000000004A4C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.446215312.0000000004D5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449163374.0000000004D50000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.445464334.0000000004D13000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.454128964.0000000000569000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.441367000.0000000004C39000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.437009350.0000000000519000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.453635476.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.453064773.00000000046E4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450239085.0000000004DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.453556691.0000000004EEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439815100.0000000004AF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449599586.0000000004DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439285276.0000000004B00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.441612434.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450137005.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.447642991.0000000004DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449126562.0000000004D1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.454449863.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.440428219.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
Source: wscript.exe, 00000001.00000003.453556691.0000000004EEC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449909753.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.454479107.0000000004EEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/35047
Source: wscript.exe, 00000001.00000003.435803388.0000000004FBF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.453651451.0000000004FC3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450771495.0000000004FC1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450608257.0000000004FBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/R
Source: wscript.exe, 00000001.00000003.450944827.0000000004704000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
Source: wscript.exe, 00000001.00000002.454520022.0000000004F26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450137005.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450304011.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450088401.0000000004F0A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450195483.0000000004F17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com:443/useragreement/ElKHvb4QIQqSrh6Hqm/
Source: wscript.exe, 00000001.00000003.450137005.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.447642991.0000000004DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449126562.0000000004D1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.454449863.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.440428219.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449909753.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.442046071.0000000004CCE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439492822.0000000004A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.443736381.0000000004CE3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.442437886.0000000004C63000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449180398.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.453830092.0000000004E31000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450405503.0000000004F5A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449627322.0000000004E67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.443042100.0000000004C48000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.440428219.0000000004B1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450304011.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.443957796.0000000004D29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439492822.0000000004ACD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.436776143.0000000000528000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439343018.0000000004AEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/
Source: wscript.exe, 00000001.00000003.450944827.0000000004704000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/tM
Source: wscript.exe, 00000001.00000002.454520022.0000000004F26000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450137005.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450304011.0000000004F1E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450088401.0000000004F0A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450195483.0000000004F17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org:443/admin/Ses8712iGR8du/
Source: wscript.exe, 00000001.00000003.449909753.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.442046071.0000000004CCE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439492822.0000000004A87000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.443736381.0000000004CE3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.442437886.0000000004C63000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449180398.0000000004E02000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.453830092.0000000004E31000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450405503.0000000004F5A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449627322.0000000004E67000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.443042100.0000000004C48000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.440428219.0000000004B1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.443957796.0000000004D29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439492822.0000000004ACD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.436776143.0000000000528000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439343018.0000000004AEF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.445771349.0000000004CDB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.443403718.0000000004CF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450004431.0000000004EB8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449367507.0000000004D7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.453580767.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439492822.0000000004A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
Source: wscript.exe, 00000001.00000003.450944827.0000000004704000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
Source: wscript.exe, wscript.exe, 00000001.00000003.438065273.0000000004A4C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.446215312.0000000004D5D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449163374.0000000004D50000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.445464334.0000000004D13000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.454128964.0000000000569000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.441367000.0000000004C39000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.437009350.0000000000519000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.453635476.0000000004F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450239085.0000000004DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439815100.0000000004AF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449599586.0000000004DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.439285276.0000000004B00000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.441612434.0000000004BFF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450137005.0000000004F0D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.447642991.0000000004DCB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449126562.0000000004D1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.454449863.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.440428219.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449909753.0000000004EE5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.442046071.0000000004CCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/
Source: wscript.exe, 00000001.00000003.442046071.0000000004CCE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.443957796.0000000004D29000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.443403718.0000000004CF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.441384057.0000000004C7E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.445299386.0000000004D30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.445693425.0000000004D38000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449126562.0000000004D3E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.441209926.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.440989480.0000000004C2E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.441692919.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/ublic
Source: wscript.exe, 00000001.00000003.450944827.0000000004704000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/vM
Source: unknown HTTP traffic detected: POST /kjgfzohhcvsym/ggkrpukmvfsdmfdi/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 164.90.222.65
Source: unknown DNS traffic detected: queries for: penshorn.org
Source: global traffic HTTP traffic detected: GET /useragreement/ElKHvb4QIQqSrh6Hqm/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: bbvoyage.com
Source: unknown HTTPS traffic detected: 31.31.196.172:443 -> 192.168.2.4:49697 version: TLS 1.2
Source: unknown HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.4:49707 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 00000008.00000002.617622368.0000000001128000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 7.2.regsvr32.exe.c30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.1220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.1220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.617908467.0000000001220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.435040931.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.435079769.0000000000C81000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.617991497.0000000002A51000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\DWxyui\
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180006818 7_2_0000000180006818
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000B878 7_2_000000018000B878
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180007110 7_2_0000000180007110
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180008D28 7_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180014555 7_2_0000000180014555
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C20000 7_2_00C20000
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9709C 7_2_00C9709C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9A000 7_2_00C9A000
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8CC14 7_2_00C8CC14
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C87D6C 7_2_00C87D6C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8263C 7_2_00C8263C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C88BC8 7_2_00C88BC8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C98FC8 7_2_00C98FC8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C880CC 7_2_00C880CC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C908CC 7_2_00C908CC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8F8C4 7_2_00C8F8C4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C95CC4 7_2_00C95CC4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C818DC 7_2_00C818DC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C814D4 7_2_00C814D4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C93CD4 7_2_00C93CD4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C920E0 7_2_00C920E0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C890F8 7_2_00C890F8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C848FC 7_2_00C848FC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C83CF4 7_2_00C83CF4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C95880 7_2_00C95880
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C84C84 7_2_00C84C84
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9CC84 7_2_00C9CC84
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8AC94 7_2_00C8AC94
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C898AC 7_2_00C898AC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8DCB8 7_2_00C8DCB8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00CA94BC 7_2_00CA94BC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9A8B0 7_2_00C9A8B0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9C44C 7_2_00C9C44C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C87840 7_2_00C87840
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9C058 7_2_00C9C058
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00CA5450 7_2_00CA5450
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9B460 7_2_00C9B460
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C82C78 7_2_00C82C78
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8C078 7_2_00C8C078
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8B07C 7_2_00C8B07C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C96C70 7_2_00C96C70
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8D474 7_2_00C8D474
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C89408 7_2_00C89408
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C87C08 7_2_00C87C08
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C81000 7_2_00C81000
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00CA181C 7_2_00CA181C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8B83C 7_2_00C8B83C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C91030 7_2_00C91030
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9EC30 7_2_00C9EC30
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C915C8 7_2_00C915C8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9D5F0 7_2_00C9D5F0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9BDA0 7_2_00C9BDA0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C895BC 7_2_00C895BC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9610C 7_2_00C9610C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00CA8500 7_2_00CA8500
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C97518 7_2_00C97518
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00CA9910 7_2_00CA9910
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9AD28 7_2_00C9AD28
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C94D20 7_2_00C94D20
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C91924 7_2_00C91924
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C86138 7_2_00C86138
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C87530 7_2_00C87530
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9B130 7_2_00C9B130
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8D6CC 7_2_00C8D6CC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9EAC0 7_2_00C9EAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C996D4 7_2_00C996D4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C892F0 7_2_00C892F0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C88A8C 7_2_00C88A8C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00CA4E8C 7_2_00CA4E8C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8BE90 7_2_00C8BE90
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C94A90 7_2_00C94A90
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8AAB8 7_2_00C8AAB8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C84EB8 7_2_00C84EB8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C83ABC 7_2_00C83ABC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9A6BC 7_2_00C9A6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9A244 7_2_00C9A244
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8B258 7_2_00C8B258
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8F65C 7_2_00C8F65C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8A660 7_2_00C8A660
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C90A70 7_2_00C90A70
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C83274 7_2_00C83274
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C98E08 7_2_00C98E08
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C83E0C 7_2_00C83E0C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9020C 7_2_00C9020C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C95A00 7_2_00C95A00
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00CA8A00 7_2_00CA8A00
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8461C 7_2_00C8461C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C84214 7_2_00C84214
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8BA2C 7_2_00C8BA2C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C98A2C 7_2_00C98A2C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C90E2C 7_2_00C90E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9662C 7_2_00C9662C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C997CC 7_2_00C997CC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C93FD0 7_2_00C93FD0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C82FD4 7_2_00C82FD4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C833D4 7_2_00C833D4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00CA27EC 7_2_00CA27EC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8A7F0 7_2_00C8A7F0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C95384 7_2_00C95384
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C81B94 7_2_00C81B94
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8DBA0 7_2_00C8DBA0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8FFB8 7_2_00C8FFB8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C98BB8 7_2_00C98BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C88FB0 7_2_00C88FB0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C84758 7_2_00C84758
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8975C 7_2_00C8975C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9E750 7_2_00C9E750
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C88378 7_2_00C88378
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8F77C 7_2_00C8F77C
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9D770 7_2_00C9D770
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9CF70 7_2_00C9CF70
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C94F18 7_2_00C94F18
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9E310 7_2_00C9E310
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8EF14 7_2_00C8EF14
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C93B14 7_2_00C93B14
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8D33C 7_2_00C8D33C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_010F0000 8_2_010F0000
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A70618 8_2_02A70618
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A56E42 8_2_02A56E42
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A773A4 8_2_02A773A4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A563F4 8_2_02A563F4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A58BC8 8_2_02A58BC8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A68FC8 8_2_02A68FC8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A63FD0 8_2_02A63FD0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A59B79 8_2_02A59B79
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A608CC 8_2_02A608CC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A5640A 8_2_02A5640A
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A5CC14 8_2_02A5CC14
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A57D6C 8_2_02A57D6C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A72AB0 8_2_02A72AB0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A67EBE 8_2_02A67EBE
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A53ABC 8_2_02A53ABC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A6A6BC 8_2_02A6A6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A5AAB8 8_2_02A5AAB8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A54EB8 8_2_02A54EB8
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A72E84 8_2_02A72E84
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A58A8C 8_2_02A58A8C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A74E8C 8_2_02A74E8C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A5BE90 8_2_02A5BE90
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A64A90 8_2_02A64A90
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A592F0 8_2_02A592F0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A736FC 8_2_02A736FC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A6EAC0 8_2_02A6EAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A5D6CC 8_2_02A5D6CC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A696D4 8_2_02A696D4
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A5BA2C 8_2_02A5BA2C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A68A2C 8_2_02A68A2C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A60E2C 8_2_02A60E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A6662C 8_2_02A6662C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A5263C 8_2_02A5263C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A65A00 8_2_02A65A00
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A78A00 8_2_02A78A00
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A53E0C 8_2_02A53E0C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A6020C 8_2_02A6020C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A68E08 8_2_02A68E08
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A54214 8_2_02A54214
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A5461C 8_2_02A5461C
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A5A660 8_2_02A5A660
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A53274 8_2_02A53274
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A60A70 8_2_02A60A70
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A6A244 8_2_02A6A244
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A76E48 8_2_02A76E48
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 7_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert, 7_2_0000000180010AC0
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject, 7_2_0000000180010DB0
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\radE00D6.tmp.dll 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
Source: Form - 16 Mar, 2023.one ReversingLabs: Detection: 38%
Source: Form - 16 Mar, 2023.one Virustotal: Detection: 17%
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE "C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Form - 16 Mar, 2023.one"
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE "C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE" /tsr
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radE00D6.tmp.dll"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\radE00D6.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DWxyui\KGQLMqgYfV.dll"
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32
Source: Send to OneNote.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\Documents\{A4CBEEA3-1FA3-4D28-9AC9-AD17C69AE228}
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\AppData\Local\Temp\{D6E66DB4-BAF8-49D5-97F2-F88802A632EE} - OProcSessId.dat
Source: classification engine Classification label: mal100.troj.expl.evad.winONE@12/692@2/50
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File read: C:\Program Files (x86)\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C88BC8 Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification, 7_2_00C88BC8
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Mutant created: \Sessions\1\BaseNamedObjects\OneNoteM:AppShared
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180005C69 push rdi; ret 7_2_0000000180005C72
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800056DD push rdi; ret 7_2_00000001800056E4
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C86CDE push esi; iretd 7_2_00C86CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C980D7 push ebp; retf 7_2_00C980D8
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8A0FC push ebp; iretd 7_2_00C8A0FD
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C86C9F pushad ; ret 7_2_00C86CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8A1D2 push ebp; iretd 7_2_00C8A1D3
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C97987 push ebp; iretd 7_2_00C9798F
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C97D4E push ebp; iretd 7_2_00C97D4F
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C89D51 push ebp; retf 7_2_00C89D5A
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C98157 push ebp; retf 7_2_00C98158
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C97D25 push 4D8BFFFFh; retf 7_2_00C97D2A
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C97D3C push ebp; retf 7_2_00C97D3D
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C89E8B push eax; retf 7_2_00C89E8E
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C97EAF push 458BCC5Ah; retf 7_2_00C97EBC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C8A26E push ebp; ret 7_2_00C8A26F
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00C9C731 push esi; iretd 7_2_00C9C732
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A67EAF push 458BCC5Ah; retf 8_2_02A67EBC
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A6C731 push esi; iretd 8_2_02A6C732
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A56C9F pushad ; ret 8_2_02A56CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A56CDE push esi; iretd 8_2_02A56CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A67D25 push 4D8BFFFFh; retf 8_2_02A67D2A
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A76D34 push edi; ret 8_2_02A76D36
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A67D3C push ebp; retf 8_2_02A67D3D
Source: C:\Windows\System32\regsvr32.exe Code function: 8_2_02A67D4E push ebp; iretd 8_2_02A67D4F
Source: radE00D6.tmp.dll.1.dr Static PE information: section name: _RDATA
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radE00D6.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\DWxyui\KGQLMqgYfV.dll (copy)
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Local\Temp\radE00D6.tmp.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\DWxyui\KGQLMqgYfV.dll:Zone.Identifier read attributes | delete
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe TID: 4308 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 3312 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2468 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe API coverage: 8.0 %
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180008D28 FindFirstFileExW, 7_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: wscript.exe, 00000001.00000002.454449863.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.450771495.0000000004FD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.453580767.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.454658429.0000000004FD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449938520.0000000004EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.449747783.0000000004EA9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.435803388.0000000004FD5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.453651451.0000000004FD5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000002.617706041.00000000011B1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.586322272.000000000116D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000008.00000003.519602421.00000000011B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_000000018000A878 GetProcessHeap, 7_2_000000018000A878
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 7_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00000001800082EC
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00000001800017DC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 31.31.196.172 443
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 203.26.41.131 443
Source: C:\Windows\SysWOW64\wscript.exe Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443
Source: C:\Windows\SysWOW64\wscript.exe Domain query: bbvoyage.com
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radE00D6.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_00000001800070A0 cpuid 7_2_00000001800070A0
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 7_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 7_2_0000000180001D98

Stealing of Sensitive Information

Source: Yara match File source: Form - 16 Mar, 2023.one, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\Form - 16 Mar, 2023.one, type: DROPPED
Source: Yara match File source: 00000008.00000002.617622368.0000000001128000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 7.2.regsvr32.exe.c30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.1220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.1220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.regsvr32.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.617908467.0000000001220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.435040931.0000000000C30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.435079769.0000000000C81000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.617991497.0000000002A51000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: Form - 16 Mar, 2023.one, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\Form - 16 Mar, 2023.one, type: DROPPED