Windows Analysis Report
iMedPub_LTD_4.one

Overview

General Information

Sample Name: iMedPub_LTD_4.one
Analysis ID: 828507
MD5: 862cfd3b3523532ba0faad1bcc568c4d
SHA1: faa8437483dab403f6079be49758407a9d59b964
SHA256: b7f06ac0c97b87147a07ea1471097d84445faff5d13aebc195abb3fbeaa4e526
Tags: one

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Malicious OneNote
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Run temp file via regsvr32
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Creates a start menu entry (Start Menu\Programs\Startup)
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: iMedPub_LTD_4.one ReversingLabs: Detection: 30%
Source: https://167.172.199.165:8080//dslbwuw/s Avira URL Cloud: Label: malware
Source: https://149.56.131.28:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/ Avira URL Cloud: Label: malware
Source: https://82.223.21.224:8080/ Avira URL Cloud: Label: malware
Source: https://91.207.28.33:8080/ Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ Avira URL Cloud: Label: malware
Source: https://206.189.28.199:8080/ Avira URL Cloud: Label: malware
Source: https://164.90.222.65/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/ Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/ Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/tM Avira URL Cloud: Label: malware
Source: https://103.43.75.120/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/ Avira URL Cloud: Label: malware
Source: https://182.162.143.56/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/? Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/bwuw/ Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0 Avira URL Cloud: Label: malware
Source: https://213.239.212.5/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/u Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/ Avira URL Cloud: Label: malware
Source: https://187.63.160.88:80/g Avira URL Cloud: Label: malware
Source: https://206.189.28.199:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/ Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/c Avira URL Cloud: Label: malware
Source: https://213.239.212.5:443/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/ Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/ Avira URL Cloud: Label: malware
Source: https://206.189.28.199:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/0 Avira URL Cloud: Label: malware
Source: https://182.162.143.56/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/ Avira URL Cloud: Label: malware
Source: https://213.239.212.5/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/ Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/ Avira URL Cloud: Label: malware
Source: https://167.172.199.165:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/ Avira URL Cloud: Label: malware
Source: https://103.43.75.120/ Avira URL Cloud: Label: malware
Source: https://187.63.160.88:80/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/ Avira URL Cloud: Label: malware
Source: https://penshorn.org:443/admin/Ses8712iGR8du/on Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/xM Avira URL Cloud: Label: malware
Source: https://169.57.156.166:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/~ Avira URL Cloud: Label: malware
Source: penshorn.org Virustotal: Detection: 10%
Source: C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll ReversingLabs: Detection: 58%
Source: C:\Windows\System32\RPJQOdVdSbhDZ\IMSnbfr.dll (copy) ReversingLabs: Detection: 58%
Source: 0000000D.00000002.816093001.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5UnTU9wASAJA=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2AAAAAAAAAAA="]}
Source: unknown HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180008D28 FindFirstFileExW, 12_2_0000000180008D28
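The Malware Configuration Extractor line in this section is the densest indicator source on the page: 48 C2 endpoints and two base64 key blobs, the same endpoints that the Networking section later lists one per line as "Malware configuration extractor IPs". The following is an added example, not part of the Joe Sandbox report, that turns that output into something usable: it validates the C2 list, checks which configured endpoints the sandbox actually saw traffic to, and parses the key blobs. The two key strings are copied verbatim from the report; the C2 list is an excerpt of the 48 entries and the observed-connection list is constructed from the report's "TCP traffic" and "HTTPS traffic" lines. The "ECS1"/"ECK1" prefixes are the Windows CNG BCRYPT_ECCKEY_BLOB magics for P-256 ECDSA and ECDH public keys; reading the blobs as that structure, and the on-curve sanity check, are the editor's interpretation, not something the report states.

```python
import base64
import ipaddress
import json
import struct

# Excerpt of the configuration the report's extractor printed for this sample.
# The two key blobs are copied verbatim; the C2 list is cut down to a handful
# of the 48 entries. Everything else in this file is added example code.
EMOTET_CONFIG = json.loads("""{
 "C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443",
             "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443",
             "94.23.45.86:4143"],
 "Public Key": [
  "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5UnTU9wASAJA=",
  "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2AAAAAAAAAAA="]
}""")

# Constructed from the report's "TCP traffic" / "HTTPS traffic" lines: one
# (dst_ip, dst_port) per observed connection. 203.26.41.131 is the download
# host wscript.exe talked to, not a C2 from the configuration.
OBSERVED_CONNECTIONS = [
    ("91.121.146.47", 8080), ("66.228.32.31", 7080), ("167.172.199.165", 8080),
    ("182.162.143.56", 443), ("203.26.41.131", 443), ("91.121.146.47", 8080),
]

# CNG BCRYPT_ECCKEY_BLOB magics; the little-endian dword reads as ASCII.
ECC_MAGICS = {
    b"ECS1": "ECDSA P-256 public key (BCRYPT_ECDSA_PUBLIC_P256_MAGIC)",
    b"ECK1": "ECDH P-256 public key (BCRYPT_ECDH_PUBLIC_P256_MAGIC)",
}

# NIST P-256 parameters (a = -3), used only to check that (X, Y) is a point
# on the curve, i.e. that the extractor pulled a real key and not stray memory.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def parse_c2_list(entries):
    """Turn 'ip:port' strings into validated (ip, port) tuples."""
    out = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        ip = ipaddress.ip_address(host)  # raises ValueError on garbage
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {entry!r}")
        out.append((str(ip), port))
    return out


def parse_ecc_blob(b64):
    """Parse a BCRYPT_ECCKEY_BLOB: dwMagic, cbKey, X[cbKey], Y[cbKey]."""
    raw = base64.b64decode(b64)
    magic, cb_key = struct.unpack_from("<4sI", raw, 0)
    if magic not in ECC_MAGICS:
        raise ValueError(f"unknown key blob magic {magic!r}")
    end = 8 + 2 * cb_key
    if len(raw) < end:
        raise ValueError("blob shorter than its header claims")
    x = int.from_bytes(raw[8:8 + cb_key], "big")
    y = int.from_bytes(raw[8 + cb_key:end], "big")
    on_curve = (y * y - (x ** 3 - 3 * x + P256_B)) % P256_P == 0
    return {
        "kind": ECC_MAGICS[magic],
        "cb_key": cb_key,
        "x": x,
        "y": y,
        "on_curve": on_curve,
        # Bytes past the key: each blob in the report decodes to 80 bytes,
        # while a P-256 blob is 72 (8-byte header + two 32-byte coordinates).
        # Whatever the remainder is, it is not key material and must not be
        # pasted into a key-matching rule.
        "trailing": raw[end:],
    }


def observed_c2(connections, c2):
    """Configured C2 endpoints the sandbox actually saw traffic to."""
    c2set = set(c2)
    return sorted({c for c in connections if c in c2set})


if __name__ == "__main__":
    c2 = parse_c2_list(EMOTET_CONFIG["C2 list"])
    print("contacted C2:", observed_c2(OBSERVED_CONNECTIONS, c2))
    for blob in EMOTET_CONFIG["Public Key"]:
        k = parse_ecc_blob(blob)
        print(k["kind"], "on_curve=%s trailing=%d bytes" % (k["on_curve"], len(k["trailing"])))
```

Matching only on the ip:port pairs, rather than on the full URL path (mmqwctzklyfzc/sythi/...), is deliberate: Emotet rotates the path per request, while the endpoint list is fixed for the lifetime of the build. The key blobs are worth keeping alongside the IP list because they identify the botnet epoch even after every C2 in the list has been taken down.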

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe
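The process-create line above (ONENOTE.EXE spawning wscript.exe), together with the Sigma hit "Run temp file via regsvr32", the dropped C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll, its copy under C:\Windows\System32\RPJQOdVdSbhDZ\ and the Startup-folder entry from the signature list, describe one execution chain. The following is an added example, not part of the report and not a Sigma rule from any public repository, that encodes those four stages as checks over Sysmon-style process-create (EventID 1) and file-create (EventID 11) records. The sample events are constructed: the image paths and the two DLL paths are the ones the report lists, but the regsvr32 command line, the wscript argument and the Startup file name are assumptions. The first rule generalises beyond OneNote to the other Office applications, since the same script-host spawn is the common first stage of document-borne loaders.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create).
# Image paths and the two DLL paths are the ones the report lists; the regsvr32
# command line, the wscript argument and the Startup file name are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "EventID": 1,
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE",
     "Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r"wscript.exe <embedded script>"},
    {"id": 2, "EventID": 1,
     "ParentImage": r"C:\Windows\SysWOW64\wscript.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll"},
    {"id": 3, "EventID": 11, "Image": r"C:\Windows\System32\regsvr32.exe",
     "TargetFilename": r"C:\Windows\System32\RPJQOdVdSbhDZ\IMSnbfr.dll"},
    {"id": 4, "EventID": 11, "Image": r"C:\Windows\System32\regsvr32.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMSnbfr.lnk"},
    # Benign control: an installer registering a COM server that lives in System32.
    {"id": 5, "EventID": 1,
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml6.dll"},
]

OFFICE_APPS = {"onenote.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# A .dll or .tmp under the user's Temp directory on a command line.
TEMP_PAYLOAD = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.(?:dll|tmp)\b", re.I)
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def _name(path):
    return PureWindowsPath(path).name.lower()


def office_spawns_script_host(ev):
    # Document-handling application launching a script or LOLBin host.
    return (ev["EventID"] == 1
            and _name(ev["ParentImage"]) in OFFICE_APPS
            and _name(ev["Image"]) in SCRIPT_HOSTS)


def regsvr32_loads_temp_file(ev):
    # regsvr32 registering a DLL out of the user's Temp directory.
    return (ev["EventID"] == 1
            and _name(ev["Image"]) == "regsvr32.exe"
            and TEMP_PAYLOAD.search(ev["CommandLine"]) is not None)


def dll_dropped_in_system32_subdir(ev):
    # A DLL written one level below System32 (C:\Windows\System32\<dir>\x.dll),
    # which is where this sample parks its persistent copy.
    if ev["EventID"] != 11:
        return False
    p = PureWindowsPath(ev["TargetFilename"])
    parts = [s.lower() for s in p.parts]
    return (len(parts) == 5 and parts[1:3] == ["windows", "system32"]
            and p.suffix.lower() == ".dll")


def startup_folder_write(ev):
    # Persistence through the per-user Start Menu\Programs\Startup folder.
    return ev["EventID"] == 11 and STARTUP_DIR in ev["TargetFilename"].lower()


RULES = [
    ("office_spawns_script_host", office_spawns_script_host),
    ("regsvr32_loads_temp_file", regsvr32_loads_temp_file),
    ("dll_dropped_in_system32_subdir", dll_dropped_in_system32_subdir),
    ("startup_folder_write", startup_folder_write),
]


def run_rules(events):
    """Return (rule name, event id) for every rule that fires on an event."""
    return [(name, ev["id"]) for ev in events for name, rule in RULES if rule(ev)]


def chain_matched(events, threshold=3):
    """Escalate only when several distinct stages of the chain fire on one host."""
    return len({name for name, _ in run_rules(events)}) >= threshold


if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
    print("chain matched:", chain_matched(SAMPLE_EVENTS))
```

The individual rules are noisy on their own (installers do call regsvr32, and users do put shortcuts in Startup), which is why chain_matched counts distinct stages rather than raw hits: the benign control event fires nothing, and a host that only trips one rule stays below the threshold.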

Networking

Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.65.88.10 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 213.239.212.5 443
Source: C:\Windows\SysWOW64\wscript.exe Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe Network Connect: 186.194.240.217 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.207.28.33 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 103.43.75.120 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 72.15.201.15 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 206.189.28.199 8080
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 203.26.41.131 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 107.170.39.149 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 82.223.21.224 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 149.56.131.28 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 169.57.156.166 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 1.234.2.232 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080
Source: Traffic Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.7:49707 -> 182.162.143.56:443
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.7:49704 -> 91.121.146.47:8080
Source: Traffic Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.7:49706 -> 66.228.32.31:7080
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.7:49709 -> 167.172.199.165:8080
Source: Traffic Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.7:49714 -> 104.168.155.143:8080
Source: Traffic Snort IDS: 2404318 ET CNC Feodo Tracker Reported CnC Server TCP group 10 192.168.2.7:49730 -> 206.189.28.199:8080
Source: Traffic Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.7:49738 -> 213.239.212.5:443
Source: Malware configuration extractor IPs: 91.121.146.47:8080
Source: Malware configuration extractor IPs: 66.228.32.31:7080
Source: Malware configuration extractor IPs: 182.162.143.56:443
Source: Malware configuration extractor IPs: 187.63.160.88:80
Source: Malware configuration extractor IPs: 167.172.199.165:8080
Source: Malware configuration extractor IPs: 164.90.222.65:443
Source: Malware configuration extractor IPs: 104.168.155.143:8080
Source: Malware configuration extractor IPs: 163.44.196.120:8080
Source: Malware configuration extractor IPs: 160.16.142.56:8080
Source: Malware configuration extractor IPs: 159.89.202.34:443
Source: Malware configuration extractor IPs: 159.65.88.10:8080
Source: Malware configuration extractor IPs: 186.194.240.217:443
Source: Malware configuration extractor IPs: 149.56.131.28:8080
Source: Malware configuration extractor IPs: 72.15.201.15:8080
Source: Malware configuration extractor IPs: 1.234.2.232:8080
Source: Malware configuration extractor IPs: 82.223.21.224:8080
Source: Malware configuration extractor IPs: 206.189.28.199:8080
Source: Malware configuration extractor IPs: 169.57.156.166:8080
Source: Malware configuration extractor IPs: 107.170.39.149:8080
Source: Malware configuration extractor IPs: 103.43.75.120:443
Source: Malware configuration extractor IPs: 91.207.28.33:8080
Source: Malware configuration extractor IPs: 213.239.212.5:443
Source: Malware configuration extractor IPs: 45.235.8.30:8080
Source: Malware configuration extractor IPs: 119.59.103.152:8080
Source: Malware configuration extractor IPs: 164.68.99.3:8080
Source: Malware configuration extractor IPs: 95.217.221.146:8080
Source: Malware configuration extractor IPs: 153.126.146.25:7080
Source: Malware configuration extractor IPs: 197.242.150.244:8080
Source: Malware configuration extractor IPs: 202.129.205.3:8080
Source: Malware configuration extractor IPs: 103.132.242.26:8080
Source: Malware configuration extractor IPs: 139.59.126.41:443
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 183.111.227.137:8080
Source: Malware configuration extractor IPs: 5.135.159.50:443
Source: Malware configuration extractor IPs: 201.94.166.162:443
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 79.137.35.198:8080
Source: Malware configuration extractor IPs: 172.105.226.75:8080
Source: Malware configuration extractor IPs: 94.23.45.86:4143
Source: Malware configuration extractor IPs: 115.68.227.76:8080
Source: Malware configuration extractor IPs: 153.92.5.27:8080
Source: Malware configuration extractor IPs: 167.172.253.162:8080
Source: Malware configuration extractor IPs: 188.44.20.25:443
Source: Malware configuration extractor IPs: 147.139.166.154:8080
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 185.4.135.165:8080
Source: Malware configuration extractor IPs: 45.176.232.124:443
Source: Joe Sandbox View ASN Name: RACKCORP-APRackCorpAU
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic HTTP traffic detected: POST /mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56
Source: Joe Sandbox View IP Address: 110.232.117.186
Source: Joe Sandbox View IP Address: 103.132.242.26
Source: global traffic HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org
Source: global traffic TCP traffic: 192.168.2.7:49704 -> 91.121.146.47:8080
Source: global traffic TCP traffic: 192.168.2.7:49706 -> 66.228.32.31:7080
Source: global traffic TCP traffic: 192.168.2.7:49709 -> 167.172.199.165:8080
Source: global traffic TCP traffic: 192.168.2.7:49714 -> 104.168.155.143:8080
Source: global traffic TCP traffic: 192.168.2.7:49715 -> 163.44.196.120:8080
Source: global traffic TCP traffic: 192.168.2.7:49716 -> 160.16.142.56:8080
Source: global traffic TCP traffic: 192.168.2.7:49721 -> 159.65.88.10:8080
Source: global traffic TCP traffic: 192.168.2.7:49726 -> 149.56.131.28:8080
Source: global traffic TCP traffic: 192.168.2.7:49727 -> 72.15.201.15:8080
Source: global traffic TCP traffic: 192.168.2.7:49728 -> 1.234.2.232:8080
Source: global traffic TCP traffic: 192.168.2.7:49729 -> 82.223.21.224:8080
Source: global traffic TCP traffic: 192.168.2.7:49730 -> 206.189.28.199:8080
Source: global traffic TCP traffic: 192.168.2.7:49731 -> 169.57.156.166:8080
Source: global traffic TCP traffic: 192.168.2.7:49732 -> 107.170.39.149:8080
Source: global traffic TCP traffic: 192.168.2.7:49737 -> 91.207.28.33:8080
Source: unknown Network traffic detected: IP country count 17
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: wscript.exe, 0000000A.00000003.345684098.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.348228525.00000000058EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345758106.00000000058EE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341314340.00000000058D3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462973550.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.816817308.0000000000E22000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 0000000D.00000003.462671669.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.816434632.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.13.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab35Hq
Source: regsvr32.exe, 0000000D.00000003.462898342.0000000000E78000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.401238189.0000000000E78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9aa541ead3e54
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ozmeydan.com/cekici/9/
Source: wscript.exe, 0000000A.00000003.340717850.00000000050D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ozmeydan.com/cekici/9/xM
Source: wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333322944.0000000005606000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333584044.0000000005623000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347587677.000000000564C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333494137.000000000560D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335128897.000000000564C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cW4
Source: wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/
Source: wscript.exe, 0000000A.00000003.340717850.00000000050D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/yM
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: wscript.exe, 0000000A.00000003.332677466.00000000053BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com
Source: wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
Source: wscript.exe, 0000000A.00000003.340717850.00000000050CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0
Source: wscript.exe, 0000000A.00000003.340717850.00000000050D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://1.234.2.232:8080/k
Source: regsvr32.exe, 0000000D.00000002.816434632.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://1.3.239.212.5/
Source: regsvr32.exe, 0000000D.00000002.816434632.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://10.207.28.33:8080/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.43.75.120/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.43.75.120/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.43.75.120/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/F
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.43.75.120:443/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816987046.0000000000E78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://149.56.131.28:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.817123962.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://163.44.196.120:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://164.90.222.65/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080//dslbwuw/s
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/bwuw/
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://167.172.199.165:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/c
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://169.57.156.166:8080/llw/
Source: regsvr32.exe, 0000000D.00000002.817123962.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://169.57.156.166:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://169.57.156.166:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/~
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://182.162.143.56/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/?
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://182.162.143.56:443/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/y0
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://187.63.160.88:80/
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://187.63.160.88:80/g
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://187.63.160.88:80/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://206.189.28.199:8080/
Source: regsvr32.exe, 0000000D.00000002.817123962.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://206.189.28.199:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.817123962.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://206.189.28.199:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/0
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://213.239.212.5/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://213.239.212.5/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://213.239.212.5/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/W
Source: regsvr32.exe, 0000000D.00000002.817123962.0000000002DB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://213.239.212.5/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/u
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://213.239.212.5/wn
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://213.239.212.5:443/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000003.462908363.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://66.228.32.31:7080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://82.223.21.224:8080/
Source: regsvr32.exe, 0000000D.00000002.816093001.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/
Source: regsvr32.exe, 0000000D.00000002.816093001.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.207.28.33:8080/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E31000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.207.28.33:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.207.28.33:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw//
Source: regsvr32.exe, 0000000D.00000002.816907496.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.207.28.33:8080/mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/g
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.aadrm.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.cortana.ai
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.office.net
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.onedrive.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://api.scheduler.
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://augloop.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.332605666.000000000558A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
Source: wscript.exe, 0000000A.00000003.338030471.000000000580E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336991238.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337571919.00000000057FE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.336359742.00000000057B1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337511898.00000000057D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337308071.00000000057D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.337170816.00000000057C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll
Source: wscript.exe, 0000000A.00000003.340717850.00000000050D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://cdn.entity.
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://cortana.ai
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://cortana.ai/api
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://cr.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://d.docs.live.net
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://directory.services.
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://graph.windows.net
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://graph.windows.net/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://invites.office.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://login.windows.local
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://make.powerautomate.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://management.azure.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://management.azure.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://messaging.action.office.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://messaging.engagement.office.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://messaging.office.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://microsoftapc-my.sharepoint.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://ncus.contentsync.
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://officeapps.live.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://onedrive.live.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://otelrules.azureedge.net
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://outlook.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://outlook.office.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://outlook.office365.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: wscript.exe, 0000000A.00000003.341535635.00000000058C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.348037002.00000000058C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/M
Source: wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333322944.0000000005606000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333584044.0000000005623000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347587677.000000000564C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333494137.000000000560D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335128897.000000000564C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses
Source: wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.332605666.000000000558A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/
Source: wscript.exe, 0000000A.00000003.328173110.0000000005460000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329993705.0000000005467000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345486407.0000000005467000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347498300.0000000005467000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.327538633.000000000545A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/4
Source: wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333322944.0000000005606000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333584044.0000000005623000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347587677.000000000564C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333494137.000000000560D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335128897.000000000564C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/ocal
Source: wscript.exe, 0000000A.00000003.340717850.00000000050D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/tM
Source: wscript.exe, 0000000A.00000003.341489972.00000000058AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347992328.00000000058AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/e
Source: wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333322944.0000000005606000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333584044.0000000005623000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347587677.000000000564C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333494137.000000000560D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335128897.000000000564C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org:443/admin/Ses8712iGR8du/on
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
Source: wscript.exe, 0000000A.00000003.340717850.00000000050D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://powerlift-user.acompli.net
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://pushchannel.1drv.ms
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://settings.outlook.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://tasks.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://wus2.contentsync.
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: wscript.exe, 0000000A.00000003.345486407.0000000005467000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347498300.0000000005467000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/
Source: wscript.exe, wscript.exe, 0000000A.00000003.330462855.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.335756850.0000000005709000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334389573.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055EF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333860223.0000000005638000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005711000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000588F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.345380845.0000000005728000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333925882.0000000005658000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333542268.00000000055E7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.329822485.00000000054CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330213444.00000000054E6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.330343076.00000000054EC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.338605530.00000000056FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.334176110.00000000055DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.325763800.00000000053CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.326506362.000000000539A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347654351.0000000005650000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.333969896.0000000005628000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.324507207.00000000053AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/
Source: wscript.exe, 0000000A.00000003.339493388.0000000005868000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339423579.0000000005861000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341212440.000000000587C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339989514.0000000005873000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.339192665.000000000584F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/fice16
Source: wscript.exe, 0000000A.00000003.340717850.00000000050D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/vM
Source: 825FCF33-FA95-48F7-9D0C-913B41374CD9.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown HTTP traffic detected: POST /mmqwctzklyfzc/sythi/gsaatcnbjyw/dslbwuw/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 182.162.143.56
Source: unknown DNS traffic detected: queries for: penshorn.org
Source: global traffic HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org
Source: unknown HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.7:49707 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 0000000D.00000002.816093001.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 13.2.regsvr32.exe.c90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.regsvr32.exe.1060000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.regsvr32.exe.1060000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.regsvr32.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.815803054.0000000000CC1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.815608298.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.320685564.0000000001060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 0000000A.00000003.341725142.00000000057F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.339989514.0000000005873000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.337950872.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.337950872.00000000057E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.339286928.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: webshell_asp_obfuscated date = 2021/01/12, author = Arnim Rupp, description = ASP webshell obfuscated, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: 0000000A.00000003.339286928.00000000057F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\RPJQOdVdSbhDZ\ Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180006818 12_2_0000000180006818
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_000000018000B878 12_2_000000018000B878
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180007110 12_2_0000000180007110
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180008D28 12_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180014555 12_2_0000000180014555
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01020000 12_2_01020000
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01287D6C 12_2_01287D6C
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0129A000 12_2_0129A000
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0128CC14 12_2_0128CC14
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0129709C 12_2_0129709C
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01288BC8 12_2_01288BC8
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01298FC8 12_2_01298FC8
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0128263C 12_2_0128263C
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0129AD28 12_2_0129AD28
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01294D20 12_2_01294D20
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01291924 12_2_01291924
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01286138 12_2_01286138
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01287530 12_2_01287530
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0129B130 12_2_0129B130
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0129610C 12_2_0129610C
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_012A8500 12_2_012A8500
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01297518 12_2_01297518
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_012A9910 12_2_012A9910
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0129BDA0 12_2_0129BDA0
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_012895BC 12_2_012895BC
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0129D5F0 12_2_0129D5F0
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_012915C8 12_2_012915C8
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0128B83C 12_2_0128B83C
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01291030 12_2_01291030
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0129EC30 12_2_0129EC30
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01289408 12_2_01289408
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01287C08 12_2_01287C08
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01281000 12_2_01281000
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_012A181C 12_2_012A181C
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0129B460 12_2_0129B460
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01282C78 12_2_01282C78
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0128C078 12_2_0128C078
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0128B07C 12_2_0128B07C
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01296C70 12_2_01296C70
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0128D474 12_2_0128D474
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0129C44C 12_2_0129C44C
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01287840 12_2_01287840
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0129C058 12_2_0129C058
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_012A5450 12_2_012A5450
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_012898AC 12_2_012898AC
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0128DCB8 12_2_0128DCB8
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_012A94BC 12_2_012A94BC
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0129A8B0 12_2_0129A8B0
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01295880 12_2_01295880
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01284C84 12_2_01284C84
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0129CC84 12_2_0129CC84
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0128AC94 12_2_0128AC94
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_012920E0 12_2_012920E0
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_012890F8 12_2_012890F8
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_012848FC 12_2_012848FC
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01283CF4 12_2_01283CF4
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_012880CC 12_2_012880CC
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_012908CC 12_2_012908CC
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0128F8C4 12_2_0128F8C4
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01295CC4 12_2_01295CC4
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_012818DC 12_2_012818DC
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 12_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert, 12_2_0000000180010AC0
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject, 12_2_0000000180010DB0
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
Source: iMedPub_LTD_4.one ReversingLabs: Detection: 30%
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE "C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\iMedPub_LTD_4.one"
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll"
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPJQOdVdSbhDZ\IMSnbfr.dll"
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32
Source: Send to OneNote.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\Documents\{BD346789-81A0-48A0-A327-1DFC3B5DC77D}
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user~1\AppData\Local\Temp\{840C51EB-1960-422B-B076-56DDE4DD8741} - OProcSessId.dat
Source: classification engine Classification label: mal100.troj.expl.evad.winONE@11/318@1/49
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File read: C:\Program Files (x86)\desktop.ini
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01288BC8 Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification, 12_2_01288BC8
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Mutant created: \Sessions\1\BaseNamedObjects\OneNoteM:AppShared
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180005C69 push rdi; ret 12_2_0000000180005C72
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00000001800056DD push rdi; ret 12_2_00000001800056E4
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01297D25 push 4D8BFFFFh; retf 12_2_01297D2A
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01297D3C push ebp; retf 12_2_01297D3D
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01297D4E push ebp; iretd 12_2_01297D4F
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01289D51 push ebp; retf 12_2_01289D5A
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01298157 push ebp; retf 12_2_01298158
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01297987 push ebp; iretd 12_2_0129798F
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0128A1D2 push ebp; iretd 12_2_0128A1D3
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01286C9F pushad ; ret 12_2_01286CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0128A0FC push ebp; iretd 12_2_0128A0FD
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01286CDE push esi; iretd 12_2_01286CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_012980D7 push ebp; retf 12_2_012980D8
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0129C731 push esi; iretd 12_2_0129C732
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0128A26E push ebp; ret 12_2_0128A26F
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01297EAF push 458BCC5Ah; retf 12_2_01297EBC
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_01289E8B push eax; retf 12_2_01289E8E
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00CC6CDE push esi; iretd 13_2_00CC6CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00CC6C9F pushad ; ret 13_2_00CC6CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00CE6D34 push edi; ret 13_2_00CE6D36
Source: C:\Windows\System32\regsvr32.exe Code function: 13_2_00CDC731 push esi; iretd 13_2_00CDC732
Source: radB1175.tmp.dll.10.dr Static PE information: section name: _RDATA
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\RPJQOdVdSbhDZ\IMSnbfr.dll (copy)
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\RPJQOdVdSbhDZ\IMSnbfr.dll:Zone.Identifier read attributes | delete
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe TID: 5184 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 5196 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 4316 Thread sleep time: -660000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe API coverage: 9.3 %
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180008D28 FindFirstFileExW, 12_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: wscript.exe, 0000000A.00000003.341314340.00000000058D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ky
Source: wscript.exe, 0000000A.00000003.345684098.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.348197203.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341314340.00000000058D3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462973550.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.816817308.0000000000E22000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000002.816434632.0000000000DCB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462587375.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000D.00000003.462370814.0000000000DCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 0000000A.00000003.341314340.00000000058D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Ky
Source: wscript.exe, 0000000A.00000003.341489972.00000000058AD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.347992328.00000000058AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 0000000A.00000003.345684098.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.348197203.00000000058D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.341314340.00000000058D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWc
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_000000018000A878 GetProcessHeap, 12_2_000000018000A878
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 12_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00000001800082EC
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00000001800017DC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.65.88.10 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 213.239.212.5 443
Source: C:\Windows\SysWOW64\wscript.exe Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe Network Connect: 186.194.240.217 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.89.202.34 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 160.16.142.56 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.207.28.33 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 103.43.75.120 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 72.15.201.15 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 206.189.28.199 8080
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 203.26.41.131 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 107.170.39.149 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 82.223.21.224 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 149.56.131.28 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 169.57.156.166 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443
Source: C:\Windows\System32\regsvr32.exe Network Connect: 1.234.2.232 8080
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\radB1175.tmp.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_00000001800070A0 cpuid 12_2_00000001800070A0
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\regsvr32.exe Code function: 12_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 12_2_0000000180001D98

Stealing of Sensitive Information

Source: Yara match File source: iMedPub_LTD_4.one, type: SAMPLE
Source: Yara match File source: 0000000D.00000002.816093001.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 13.2.regsvr32.exe.c90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.regsvr32.exe.1060000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.regsvr32.exe.1060000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.regsvr32.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.320951815.0000000001281000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.815803054.0000000000CC1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.815608298.0000000000C90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.320685564.0000000001060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: iMedPub_LTD_4.one, type: SAMPLE