Windows Analysis Report
Insight_Medical_Publishing_2.one

Overview

General Information

Sample Name: Insight_Medical_Publishing_2.one
Analysis ID: 828500
MD5: 0a7329865a1ca2b01ab193ddb30331bd
SHA1: 89faeaf718460b64e2d078c780fa734aadc3eaff
SHA256: e182025061a8eedb066d78e6f7d6bf1bc7109e9e447cec28996df871f284c8a0
Tags: one

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Malicious OneNote
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Run temp file via regsvr32
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Creates a start menu entry (Start Menu\Programs\Startup)
Registers a DLL
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: Insight_Medical_Publishing_2.one ReversingLabs: Detection: 30%
Source: https://182.162.143.56/worgzycsupdwco/ptuh/nsevmasrnbihjmar/ Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/hjmar/ Avira URL Cloud: Label: malware
Source: https://182.162.143.56/worgzycsupdwco/ptuh/nsevmasrnbihjmar/.8 Avira URL Cloud: Label: malware
Source: https://206.189.28.199:8080/hjmar/j Avira URL Cloud: Label: malware
Source: https://169.57.156.166:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/ Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/ Avira URL Cloud: Label: malware
Source: https://206.189.28.199:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/ Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/T Avira URL Cloud: Label: malware
Source: https://107.170.39.149:8080/ll Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/cal Avira URL Cloud: Label: malware
Source: https://213.239.212.5/worgzycsupdwco/ptuh/nsevmasrnbihjmar/&Z Avira URL Cloud: Label: malware
Source: https://1.234.2.232:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/ Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0 Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/tM Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/ Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ Avira URL Cloud: Label: malware
Source: https://186.194.240.217/worgzycsupdwco/ptuh/nsevmasrnbihjmar/ Avira URL Cloud: Label: malware
Source: https://107.170.39.149:8080/) Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/ Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/ Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/ Avira URL Cloud: Label: malware
Source: https://103.43.75.120:443/worgzycsupdwco/ptuh/nsevmasrnbihjmar/ Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/ Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/xM Avira URL Cloud: Label: malware
Source: https://91.207.28.33:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/ Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/ Avira URL Cloud: Label: malware
Source: https://82.223.21.224:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\rad3CF36.tmp.dll ReversingLabs: Detection: 58%
Source: C:\Windows\System32\EEmYiO\WiCcNYQl.dll (copy) ReversingLabs: Detection: 58%
Source: 0000000D.00000002.827726117.0000000001368000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5SoPsBgACAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2koM0BgAqAIA="]}
Source: unknown HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180008D28 FindFirstFileExW, 12_2_0000000180008D28

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.65.88.10 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 213.239.212.5 443
Source: C:\Windows\SysWOW64\wscript.exe Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe Network Connect: 186.194.240.217 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.207.28.33 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 103.43.75.120 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 45.235.8.30 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 72.15.201.15 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 206.189.28.199 8080
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 203.26.41.131 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 107.170.39.149 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 82.223.21.224 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 149.56.131.28 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 169.57.156.166 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 1.234.2.232 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080
Source: Traffic Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.6:49716 -> 182.162.143.56:443
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.6:49713 -> 91.121.146.47:8080
Source: Traffic Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.6:49715 -> 66.228.32.31:7080
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.6:49718 -> 167.172.199.165:8080
Source: Traffic Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.6:49723 -> 104.168.155.143:8080
Source: Traffic Snort IDS: 2404318 ET CNC Feodo Tracker Reported CnC Server TCP group 10 192.168.2.6:49739 -> 206.189.28.199:8080
Source: Traffic Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.6:49747 -> 213.239.212.5:443
Source: Traffic Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.6:49751 -> 45.235.8.30:8080
Source: Malware configuration extractor IPs: 91.121.146.47:8080
Source: Malware configuration extractor IPs: 66.228.32.31:7080
Source: Malware configuration extractor IPs: 182.162.143.56:443
Source: Malware configuration extractor IPs: 187.63.160.88:80
Source: Malware configuration extractor IPs: 167.172.199.165:8080
Source: Malware configuration extractor IPs: 164.90.222.65:443
Source: Malware configuration extractor IPs: 104.168.155.143:8080
Source: Malware configuration extractor IPs: 163.44.196.120:8080
Source: Malware configuration extractor IPs: 160.16.142.56:8080
Source: Malware configuration extractor IPs: 159.89.202.34:443
Source: Malware configuration extractor IPs: 159.65.88.10:8080
Source: Malware configuration extractor IPs: 186.194.240.217:443
Source: Malware configuration extractor IPs: 149.56.131.28:8080
Source: Malware configuration extractor IPs: 72.15.201.15:8080
Source: Malware configuration extractor IPs: 1.234.2.232:8080
Source: Malware configuration extractor IPs: 82.223.21.224:8080
Source: Malware configuration extractor IPs: 206.189.28.199:8080
Source: Malware configuration extractor IPs: 169.57.156.166:8080
Source: Malware configuration extractor IPs: 107.170.39.149:8080
Source: Malware configuration extractor IPs: 103.43.75.120:443
Source: Malware configuration extractor IPs: 91.207.28.33:8080
Source: Malware configuration extractor IPs: 213.239.212.5:443
Source: Malware configuration extractor IPs: 45.235.8.30:8080
Source: Malware configuration extractor IPs: 119.59.103.152:8080
Source: Malware configuration extractor IPs: 164.68.99.3:8080
Source: Malware configuration extractor IPs: 95.217.221.146:8080
Source: Malware configuration extractor IPs: 153.126.146.25:7080
Source: Malware configuration extractor IPs: 197.242.150.244:8080
Source: Malware configuration extractor IPs: 202.129.205.3:8080
Source: Malware configuration extractor IPs: 103.132.242.26:8080
Source: Malware configuration extractor IPs: 139.59.126.41:443
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 183.111.227.137:8080
Source: Malware configuration extractor IPs: 5.135.159.50:443
Source: Malware configuration extractor IPs: 201.94.166.162:443
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 79.137.35.198:8080
Source: Malware configuration extractor IPs: 172.105.226.75:8080
Source: Malware configuration extractor IPs: 94.23.45.86:4143
Source: Malware configuration extractor IPs: 115.68.227.76:8080
Source: Malware configuration extractor IPs: 153.92.5.27:8080
Source: Malware configuration extractor IPs: 167.172.253.162:8080
Source: Malware configuration extractor IPs: 188.44.20.25:443
Source: Malware configuration extractor IPs: 147.139.166.154:8080
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 185.4.135.165:8080
Source: Malware configuration extractor IPs: 45.176.232.124:443
Source: Joe Sandbox View ASN Name: RACKCORP-APRackCorpAU
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic HTTP traffic detected: POST /worgzycsupdwco/ptuh/nsevmasrnbihjmar/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56
Source: Joe Sandbox View IP Address: 110.232.117.186
Source: global traffic HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org
Source: global traffic TCP traffic: 192.168.2.6:49713 -> 91.121.146.47:8080
Source: global traffic TCP traffic: 192.168.2.6:49715 -> 66.228.32.31:7080
Source: global traffic TCP traffic: 192.168.2.6:49718 -> 167.172.199.165:8080
Source: global traffic TCP traffic: 192.168.2.6:49723 -> 104.168.155.143:8080
Source: global traffic TCP traffic: 192.168.2.6:49724 -> 163.44.196.120:8080
Source: global traffic TCP traffic: 192.168.2.6:49725 -> 160.16.142.56:8080
Source: global traffic TCP traffic: 192.168.2.6:49730 -> 159.65.88.10:8080
Source: global traffic TCP traffic: 192.168.2.6:49735 -> 149.56.131.28:8080
Source: global traffic TCP traffic: 192.168.2.6:49736 -> 72.15.201.15:8080
Source: global traffic TCP traffic: 192.168.2.6:49737 -> 1.234.2.232:8080
Source: global traffic TCP traffic: 192.168.2.6:49738 -> 82.223.21.224:8080
Source: global traffic TCP traffic: 192.168.2.6:49739 -> 206.189.28.199:8080
Source: global traffic TCP traffic: 192.168.2.6:49740 -> 169.57.156.166:8080
Source: global traffic TCP traffic: 192.168.2.6:49741 -> 107.170.39.149:8080
Source: global traffic TCP traffic: 192.168.2.6:49746 -> 91.207.28.33:8080
Source: global traffic TCP traffic: 192.168.2.6:49751 -> 45.235.8.30:8080
Source: unknown Network traffic detected: IP country count 18
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: wscript.exe, 0000000A.00000003.360093660.0000000005403000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.362253844.0000000005404000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.419304183.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.474077735.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.828195606.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.443380664.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.443665937.00000000013F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 0000000D.00000003.419304183.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.474077735.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.828195606.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.443380664.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.443665937.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.13.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000D.00000003.443836106.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.419197902.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.474181955.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.443380664.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.828195606.00000000013BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/env
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: wscript.exe, 0000000A.00000002.361778825.000000000505C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ozmeydan.com/cekici
Source: wscript.exe, wscript.exe, 0000000A.00000003.340456755.0000000004F40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.346115783.0000000005090000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337023030.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341468925.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345914047.0000000004F97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343393482.0000000004F7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.358502364.0000000004BA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337240637.0000000002B30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342550415.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342661731.0000000004F2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335010069.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344555870.0000000004FAA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342550415.0000000004EF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354874111.0000000005185000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335511593.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.355317280.0000000005258000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349317192.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.357649435.00000000053A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.356062956.00000000052CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ozmeydan.com/cekici/9/
Source: wscript.exe, 0000000A.00000003.358502364.0000000004BA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ozmeydan.com/cekici/9/xM
Source: wscript.exe, 0000000A.00000002.361903597.00000000052FE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341937432.0000000004F13000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353484873.0000000005100000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345978683.0000000005090000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344766094.0000000004FF9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.351959074.00000000050AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344249267.0000000005000000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.358502364.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.346247197.0000000005070000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.357329165.000000000534A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341718374.0000000004F01000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354449476.00000000051EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344073033.0000000005021000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337614217.0000000004E6C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.355706856.0000000005185000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352205341.0000000005162000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334935507.0000000002ABD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334895506.0000000002AA7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.352943319.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334780628.0000000002AD6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354901700.0000000005239000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/
Source: wscript.exe, 0000000A.00000003.358502364.0000000004BA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/yM
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: wscript.exe, wscript.exe, 0000000A.00000003.340456755.0000000004F40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.346115783.0000000005090000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337023030.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341468925.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345914047.0000000004F97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343393482.0000000004F7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.358502364.0000000004BA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337240637.0000000002B30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342550415.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342661731.0000000004F2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335010069.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344555870.0000000004FAA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342550415.0000000004EF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354874111.0000000005185000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335511593.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.355317280.0000000005258000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349317192.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.357649435.00000000053A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.356062956.00000000052CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343444240.0000000004F73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
Source: wscript.exe, 0000000A.00000003.358502364.0000000004B9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0
Source: wscript.exe, 0000000A.00000003.358502364.0000000004BA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://1.234.2.232:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.43.75.120/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.43.75.120/worgzycsupdwco/ptuh/nsevmasrnbihjmar/nC
Source: regsvr32.exe, 0000000D.00000002.828195606.00000000013AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.43.75.120:443/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://107.170.39.149:8080/
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://107.170.39.149:8080/)
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://107.170.39.149:8080/ll
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001450000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.828195606.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.828195606.00000000013AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://107.170.39.149:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001442000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://159.89.202.34/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000002.828195606.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.142.56:8080/
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001450000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.474255970.00000000013C6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.474077735.0000000001450000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.474181955.00000000013BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/
Source: regsvr32.exe, 0000000D.00000003.474077735.0000000001450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/hjmar/
Source: regsvr32.exe, 0000000D.00000003.474077735.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.474077735.0000000001450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000003.474181955.00000000013B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/P
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001450000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.828195606.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://169.57.156.166:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://169.57.156.166:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/=
Source: regsvr32.exe, 0000000D.00000003.443380664.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.443665937.00000000013F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://182.162.143.56/
Source: regsvr32.exe, 0000000D.00000003.443665937.0000000001450000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.443380664.00000000013B5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.474077735.0000000001450000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.443380664.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.443665937.00000000013F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://182.162.143.56/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000003.474077735.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.443380664.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.443665937.00000000013F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://182.162.143.56/worgzycsupdwco/ptuh/nsevmasrnbihjmar/.8
Source: regsvr32.exe, 0000000D.00000002.828195606.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://186.194.240.217/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000003.474077735.00000000013F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://187.63.160.88:80/
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://206.189.28.199:8080/hjmar/j
Source: regsvr32.exe, 0000000D.00000002.828195606.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://206.189.28.199:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001450000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.828195606.0000000001442000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://213.239.212.5/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://213.239.212.5/worgzycsupdwco/ptuh/nsevmasrnbihjmar/&Z
Source: regsvr32.exe, 0000000D.00000002.828195606.00000000013AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://213.239.212.5:443/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000002.828195606.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/
Source: regsvr32.exe, 0000000D.00000002.828195606.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/.
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001450000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.828195606.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/-
Source: regsvr32.exe, 0000000D.00000002.828195606.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/2;6
Source: regsvr32.exe, 0000000D.00000002.828195606.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://45.235.8.30:8080/z
Source: regsvr32.exe, 0000000D.00000003.443665937.0000000001450000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.443380664.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.443665937.00000000013F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://66.228.32.31:7080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000002.828195606.00000000013AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://82.223.21.224:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000002.829598313.00000000035C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://826.189.28.199:8080/
Source: regsvr32.exe, 0000000D.00000002.827726117.0000000001368000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/
Source: regsvr32.exe, 0000000D.00000002.827726117.0000000001368000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000003.418961846.00000000013E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/T
Source: regsvr32.exe, 0000000D.00000002.828195606.0000000001450000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.828195606.00000000013AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.207.28.33:8080/worgzycsupdwco/ptuh/nsevmasrnbihjmar/
Source: regsvr32.exe, 0000000D.00000002.829598313.00000000035C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.235.8.30:8080/
Source: regsvr32.exe, 0000000D.00000003.443665937.00000000013E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://912.162.143.56/
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.aadrm.com
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.cortana.ai
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.office.net
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.onedrive.com
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://api.scheduler.
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://augloop.office.com
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: wscript.exe, 0000000A.00000003.355317280.0000000005258000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354901700.0000000005239000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.359671411.00000000052A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.355940976.000000000528F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.358636370.00000000052A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.361837821.00000000052A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.360136671.00000000052A4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.355759080.000000000526F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.co
Source: wscript.exe, wscript.exe, 0000000A.00000003.340456755.0000000004F40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.346115783.0000000005090000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337023030.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341468925.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345914047.0000000004F97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343393482.0000000004F7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.358502364.0000000004BA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.357490468.000000000536F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337240637.0000000002B30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342550415.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342661731.0000000004F2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335010069.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344555870.0000000004FAA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342550415.0000000004EF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354874111.0000000005185000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335511593.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.355317280.0000000005258000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349317192.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.357649435.00000000053A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.356062956.00000000052CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
Source: wscript.exe, 0000000A.00000003.357649435.00000000053A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334841209.000000000539D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.362067198.00000000053A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/#.X
Source: wscript.exe, 0000000A.00000003.358502364.0000000004BA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://cdn.entity.
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://cortana.ai
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://cortana.ai/api
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://cr.office.com
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://d.docs.live.net
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://directory.services.
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://graph.windows.net
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://graph.windows.net/
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://invites.office.com/
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 48221AE7-363B-4C3E-A339-0082FA4FC993.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: wscript.exe, 0000000A.00000003.357649435.00000000053A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.357805100.00000000053C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334841209.000000000539D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.359934933.00000000053C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.362067198.00000000053A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.358925297.00000000053C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334841209.00000000053C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.362158738.00000000053C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/
Source: wscript.exe, 0000000A.00000003.334923546.0000000002A9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin
Source: wscript.exe, wscript.exe, 0000000A.00000003.340456755.0000000004F40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.346115783.0000000005090000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337023030.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341468925.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345914047.0000000004F97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343393482.0000000004F7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.358502364.0000000004BA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.357490468.000000000536F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337240637.0000000002B30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342550415.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342661731.0000000004F2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335010069.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344555870.0000000004FAA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342550415.0000000004EF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354874111.0000000005185000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335511593.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.355317280.0000000005258000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349317192.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.357649435.00000000053A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.356062956.00000000052CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/
Source: wscript.exe, 0000000A.00000003.356062956.00000000052CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.361854264.00000000052CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.357154688.00000000052CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/cal
Source: wscript.exe, 0000000A.00000003.358502364.0000000004BA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/tM
Source: wscript.exe, 0000000A.00000003.356062956.00000000052CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.361854264.00000000052CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.357154688.00000000052CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org:443/admin/Ses8712iGR8du/bject
Source: wscript.exe, 0000000A.00000003.359786907.00000000052E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com
Source: wscript.exe, 0000000A.00000003.357649435.00000000053A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.356062956.00000000052CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343444240.0000000004F73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335601492.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.346247197.0000000005085000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342699489.0000000004FBF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.356800724.00000000052EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341718374.0000000004F13000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354701638.0000000005219000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.340456755.0000000004EB9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344555870.0000000004FD1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.346061879.00000000050B4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.358232506.0000000005353000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342420057.0000000004F79000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342550415.0000000004F40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.359847654.000000000535A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.361903597.00000000052FE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341937432.0000000004F13000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.353484873.0000000005100000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345978683.0000000005090000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344766094.0000000004FF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
Source: wscript.exe, 0000000A.00000003.358502364.0000000004BA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
Source: wscript.exe, wscript.exe, 0000000A.00000003.340456755.0000000004F40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.346115783.0000000005090000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337023030.0000000002B36000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341468925.0000000002AE0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345914047.0000000004F97000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.343393482.0000000004F7D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.358502364.0000000004BA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.357490468.000000000536F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337240637.0000000002B30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342550415.0000000004F1B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342661731.0000000004F2D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335010069.0000000002AB3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.344555870.0000000004FAA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.342550415.0000000004EF8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.354874111.0000000005185000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335511593.0000000002AF9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.355317280.0000000005258000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.349317192.00000000050EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.357649435.00000000053A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.356062956.00000000052CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/
Source: wscript.exe, 0000000A.00000003.358502364.0000000004BA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/vM
Source: unknown HTTP traffic detected: POST /worgzycsupdwco/ptuh/nsevmasrnbihjmar/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56
Source: unknown DNS traffic detected: queries for: penshorn.org
Source: global traffic HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org
Source: unknown HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.6:49716 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 0000000D.00000002.827726117.0000000001368000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 12.2.regsvr32.exe.ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.regsvr32.exe.1330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.regsvr32.exe.1330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.regsvr32.exe.ef0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.826882958.0000000001330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.330777725.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.333547715.0000000001111000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.829076685.00000000015F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 0000000A.00000003.335484152.000000000514C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.335484152.000000000514C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\EEmYiO\ Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_016015C8 13_2_016015C8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160BDA0 13_2_0160BDA0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F95BC 13_2_015F95BC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160B460 13_2_0160B460
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01615868 13_2_01615868
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01606C70 13_2_01606C70
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F7840 13_2_015F7840
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FB07C 13_2_015FB07C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F2C78 13_2_015F2C78
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FC078 13_2_015FC078
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FD474 13_2_015FD474
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160C44C 13_2_0160C44C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01615450 13_2_01615450
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160C058 13_2_0160C058
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F7410 13_2_015F7410
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01601030 13_2_01601030
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160EC30 13_2_0160EC30
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F9408 13_2_015F9408
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F7C08 13_2_015F7C08
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F1000 13_2_015F1000
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160A000 13_2_0160A000
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FB83C 13_2_015FB83C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0161181C 13_2_0161181C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_016020E0 13_2_016020E0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F18DC 13_2_015F18DC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F14D4 13_2_015F14D4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F80CC 13_2_015F80CC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FF8C4 13_2_015FF8C4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F48FC 13_2_015F48FC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01605CC4 13_2_01605CC4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F90F8 13_2_015F90F8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F3CF4 13_2_015F3CF4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01603CD4 13_2_01603CD4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01611CD4 13_2_01611CD4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_016144A8 13_2_016144A8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FAC94 13_2_015FAC94
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160A8B0 13_2_0160A8B0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F4C84 13_2_015F4C84
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_016194BC 13_2_016194BC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01605880 13_2_01605880
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160CC84 13_2_0160CC84
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FDCB8 13_2_015FDCB8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0161488C 13_2_0161488C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F98AC 13_2_015F98AC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01611494 13_2_01611494
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160709C 13_2_0160709C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F975C 13_2_015F975C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F4758 13_2_015F4758
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01618B68 13_2_01618B68
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160D770 13_2_0160D770
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160CF70 13_2_0160CF70
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FF77C 13_2_015FF77C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F8378 13_2_015F8378
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160E750 13_2_0160E750
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FEF14 13_2_015FEF14
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FD33C 13_2_015FD33C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160E310 13_2_0160E310
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01618310 13_2_01618310
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01603B14 13_2_01603B14
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01604F18 13_2_01604F18
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01615B1C 13_2_01615B1C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F2FD4 13_2_015F2FD4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F33D4 13_2_015F33D4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_016127EC 13_2_016127EC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160FFFC 13_2_0160FFFC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_016097CC 13_2_016097CC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FA7F0 13_2_015FA7F0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_016147A8 13_2_016147A8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F1B94 13_2_015F1B94
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01608BB8 13_2_01608BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01605384 13_2_01605384
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FFFB8 13_2_015FFFB8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F8FB0 13_2_015F8FB0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160779A 13_2_0160779A
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FDBA0 13_2_015FDBA0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FF65C 13_2_015FF65C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FB258 13_2_015FB258
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01600A70 13_2_01600A70
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160A244 13_2_0160A244
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01616E48 13_2_01616E48
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F3274 13_2_015F3274
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FA660 13_2_015FA660
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F461C 13_2_015F461C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F4214 13_2_015F4214
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01608A2C 13_2_01608A2C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01600E2C 13_2_01600E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160662C 13_2_0160662C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F3E0C 13_2_015F3E0C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01605A00 13_2_01605A00
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01618A00 13_2_01618A00
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F263C 13_2_015F263C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01608E08 13_2_01608E08
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160020C 13_2_0160020C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FBA2C 13_2_015FBA2C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FD6CC 13_2_015FD6CC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_016136FC 13_2_016136FC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160EAC0 13_2_0160EAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F92F0 13_2_015F92F0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_016096D4 13_2_016096D4
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FBE90 13_2_015FBE90
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01612AB0 13_2_01612AB0
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F8A8C 13_2_015F8A8C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160A6BC 13_2_0160A6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01607EBE 13_2_01607EBE
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F3ABC 13_2_015F3ABC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01612E84 13_2_01612E84
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015FAAB8 13_2_015FAAB8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F4EB8 13_2_015F4EB8
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01614E8C 13_2_01614E8C
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01604A90 13_2_01604A90
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 12_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert, 12_2_0000000180010AC0
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject, 12_2_0000000180010DB0
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: Insight_Medical_Publishing_2.one ReversingLabs: Detection: 30%
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE "C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\Insight_Medical_Publishing_2.one"
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad3CF36.tmp.dll"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad3CF36.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\EEmYiO\WiCcNYQl.dll"
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32
Source: Send to OneNote.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\Documents\{D6241386-84D1-4D92-8391-AEFB76385921}
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\AppData\Local\Temp\{588D8353-0550-45EF-8231-A093213F5A43} - OProcSessId.dat
Source: classification engine Classification label: mal100.troj.expl.evad.winONE@12/324@1/50
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File read: C:\Program Files (x86)\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01118BC8 Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification, 12_2_01118BC8
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2852:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Mutant created: \Sessions\1\BaseNamedObjects\OneNoteM:AppShared
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180005C69 push rdi; ret 12_2_0000000180005C72
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00000001800056DD push rdi; ret 12_2_00000001800056E4
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01127D3C push ebp; retf 12_2_01127D3D
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01127D25 push 4D8BFFFFh; retf 12_2_01127D2A
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01119D51 push ebp; retf 12_2_01119D5A
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01128157 push ebp; retf 12_2_01128158
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01127D4E push ebp; iretd 12_2_01127D4F
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01127987 push ebp; iretd 12_2_0112798F
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0111A1D2 push ebp; iretd 12_2_0111A1D3
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01116C9F pushad ; ret 12_2_01116CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_011280D7 push ebp; retf 12_2_011280D8
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01116CDE push esi; iretd 12_2_01116CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0111A0FC push ebp; iretd 12_2_0111A0FD
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0112C731 push esi; iretd 12_2_0112C732
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0111A26E push ebp; ret 12_2_0111A26F
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01119E8B push eax; retf 12_2_01119E8E
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01127EAF push 458BCC5Ah; retf 12_2_01127EBC
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01607D4E push ebp; iretd 13_2_01607D4F
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01607D25 push 4D8BFFFFh; retf 13_2_01607D2A
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01616D34 push edi; ret 13_2_01616D36
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01607D3C push ebp; retf 13_2_01607D3D
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F6CDE push esi; iretd 13_2_015F6CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_015F6C9F pushad ; ret 13_2_015F6CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_0160C731 push esi; iretd 13_2_0160C732
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_01607EAF push 458BCC5Ah; retf 13_2_01607EBC
Source: rad3CF36.tmp.dll.10.dr Static PE information: section name: _RDATA
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad3CF36.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\EEmYiO\WiCcNYQl.dll (copy)
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Local\Temp\rad3CF36.tmp.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\EEmYiO\WiCcNYQl.dll:Zone.Identifier read attributes | delete
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe TID: 5240 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 2368 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 5192 Thread sleep time: -660000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe API coverage: 8.1 %
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180008D28 FindFirstFileExW, 12_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: wscript.exe, 0000000A.00000003.357649435.00000000053A5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334841209.000000000539D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.362067198.00000000053A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: regsvr32.exe, 0000000D.00000003.418961846.00000000013AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.443380664.00000000013AB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.828195606.00000000013AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: wscript.exe, 0000000A.00000002.362253844.00000000053F3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.419304183.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.474077735.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.828195606.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.443380664.00000000013F8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.443665937.00000000013F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 0000000A.00000002.362253844.00000000053F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW=
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_000000018000A878 GetProcessHeap, 12_2_000000018000A878
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 12_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00000001800082EC
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00000001800017DC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad3CF36.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00000001800070A0 cpuid 12_2_00000001800070A0
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 12_2_0000000180001D98

Stealing of Sensitive Information

Source: Yara match File source: Insight_Medical_Publishing_2.one, type: SAMPLE
Source: Yara match File source: 0000000D.00000002.827726117.0000000001368000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 12.2.regsvr32.exe.ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.regsvr32.exe.1330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.regsvr32.exe.1330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.regsvr32.exe.ef0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.826882958.0000000001330000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.330777725.0000000000EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.333547715.0000000001111000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.829076685.00000000015F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: Insight_Medical_Publishing_2.one, type: SAMPLE