Windows Analysis Report
8846_0.one

Overview

General Information

Sample Name: 8846_0.one
Analysis ID: 830446
MD5: b4d388fd8748c7a725541d8a53151a51
SHA1: dc348918f86f3f96b8a508d9ab18788d20ae97d5
SHA256: 5697f2ac10e6f1a82497b6b8b19df905f77980ed0644ccd93d2e7bdbfd912241
Infos:

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Malicious OneNote
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Run temp file via regsvr32
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Stores files to the Windows start menu directory
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Creates a start menu entry (Start Menu\Programs\Startup)
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: 8846_0.one ReversingLabs: Detection: 41%
Source: 8846_0.one Virustotal: Detection: 55% Perma Link
Antivirus detection for URL or domain
Source: https://103.43.75.120:443/ncju/qfgtbvn/ Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/ncju/qfgtbvn/ Avira URL Cloud: Label: malware
Source: https://103.43.75.120/ncju/qfgtbvn/ Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/I Avira URL Cloud: Label: malware
Source: https://91.207.28.33:8080/ncju/qfgtbvn/Pj? Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/Gd Avira URL Cloud: Label: malware
Source: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0 Avira URL Cloud: Label: malware
Source: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ Avira URL Cloud: Label: malware
Source: https://penshorn.org/admin/Ses8712iGR8du/tM Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/ Avira URL Cloud: Label: malware
Source: https://91.207.28.33:8080/ Avira URL Cloud: Label: malware
Source: https://66.228.32.31:7080/ Avira URL Cloud: Label: malware
Source: https://91.207.28.33:8080/ncju/qfgtbvn/B Avira URL Cloud: Label: malware
Source: https://107.170.39.149:8080/4 Avira URL Cloud: Label: malware
Source: https://169.57.156.166:8080/ncju/qfgtbvn/ConnectionCache-Control Avira URL Cloud: Label: malware
Source: https://91.207.28.33:8080/ncju/qfgtbvn/G Avira URL Cloud: Label: malware
Source: http://ozmeydan.com/cekici/9/xM Avira URL Cloud: Label: malware
Source: https://www.gomespontes.com.br/logs/pd/ Avira URL Cloud: Label: malware
Source: https://91.207.28.33:8080/ncju/qfgtbvn/Ih Avira URL Cloud: Label: malware
Source: https://91.207.28.33:8080/mbp Avira URL Cloud: Label: malware
Source: https://91.207.28.33:8080/ebx Avira URL Cloud: Label: malware
Source: http://softwareulike.com/cWIYxWMPkK/ Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/ncju/qfgtbvn/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\rad69C50.tmp.dll ReversingLabs: Detection: 79%
Source: C:\Windows\System32\APvqE\xukoZN.dll (copy) ReversingLabs: Detection: 79%
Source: 00000004.00000002.886622640.0000000001288000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5RPyTDgAqAIg=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2tfwADgANAJA="]}
Source: unknown HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.4:49698 version: TLS 1.2
Source: unknown HTTPS traffic detected: 31.31.196.172:443 -> 192.168.2.4:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 186.202.153.5:443 -> 192.168.2.4:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.4:49707 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008D28 FindFirstFileExW, 3_2_0000000180008D28

Software Vulnerabilities
barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.65.88.10 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe Network Connect: 186.194.240.217 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.89.202.34 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 160.16.142.56 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.207.28.33 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 103.43.75.120 443 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Domain query: bbvoyage.com
Source: C:\Windows\System32\regsvr32.exe Network Connect: 72.15.201.15 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 206.189.28.199 8080 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 31.31.196.172 443 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 186.202.153.5 443 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 203.26.41.131 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 107.170.39.149 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 82.223.21.224 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 149.56.131.28 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 169.57.156.166 8080 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Domain query: www.gomespontes.com.br
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 1.234.2.232 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080 Jump to behavior
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.4:49707 -> 164.90.222.65:443
Source: Traffic Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.4:49701 -> 91.121.146.47:8080
Source: Traffic Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.4:49703 -> 66.228.32.31:7080
Source: Traffic Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.4:49704 -> 182.162.143.56:443
Source: Traffic Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.4:49705 -> 187.63.160.88:80
Source: Traffic Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.4:49706 -> 167.172.199.165:8080
Source: Traffic Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.4:49708 -> 104.168.155.143:8080
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.4:49722 -> 1.234.2.232:8080
Source: Traffic Snort IDS: 2404318 ET CNC Feodo Tracker Reported CnC Server TCP group 10 192.168.2.4:49724 -> 206.189.28.199:8080
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 91.121.146.47:8080
Source: Malware configuration extractor IPs: 66.228.32.31:7080
Source: Malware configuration extractor IPs: 182.162.143.56:443
Source: Malware configuration extractor IPs: 187.63.160.88:80
Source: Malware configuration extractor IPs: 167.172.199.165:8080
Source: Malware configuration extractor IPs: 164.90.222.65:443
Source: Malware configuration extractor IPs: 104.168.155.143:8080
Source: Malware configuration extractor IPs: 163.44.196.120:8080
Source: Malware configuration extractor IPs: 160.16.142.56:8080
Source: Malware configuration extractor IPs: 159.89.202.34:443
Source: Malware configuration extractor IPs: 159.65.88.10:8080
Source: Malware configuration extractor IPs: 186.194.240.217:443
Source: Malware configuration extractor IPs: 149.56.131.28:8080
Source: Malware configuration extractor IPs: 72.15.201.15:8080
Source: Malware configuration extractor IPs: 1.234.2.232:8080
Source: Malware configuration extractor IPs: 82.223.21.224:8080
Source: Malware configuration extractor IPs: 206.189.28.199:8080
Source: Malware configuration extractor IPs: 169.57.156.166:8080
Source: Malware configuration extractor IPs: 107.170.39.149:8080
Source: Malware configuration extractor IPs: 103.43.75.120:443
Source: Malware configuration extractor IPs: 91.207.28.33:8080
Source: Malware configuration extractor IPs: 213.239.212.5:443
Source: Malware configuration extractor IPs: 45.235.8.30:8080
Source: Malware configuration extractor IPs: 119.59.103.152:8080
Source: Malware configuration extractor IPs: 164.68.99.3:8080
Source: Malware configuration extractor IPs: 95.217.221.146:8080
Source: Malware configuration extractor IPs: 153.126.146.25:7080
Source: Malware configuration extractor IPs: 197.242.150.244:8080
Source: Malware configuration extractor IPs: 202.129.205.3:8080
Source: Malware configuration extractor IPs: 103.132.242.26:8080
Source: Malware configuration extractor IPs: 139.59.126.41:443
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 183.111.227.137:8080
Source: Malware configuration extractor IPs: 5.135.159.50:443
Source: Malware configuration extractor IPs: 201.94.166.162:443
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 79.137.35.198:8080
Source: Malware configuration extractor IPs: 172.105.226.75:8080
Source: Malware configuration extractor IPs: 94.23.45.86:4143
Source: Malware configuration extractor IPs: 115.68.227.76:8080
Source: Malware configuration extractor IPs: 153.92.5.27:8080
Source: Malware configuration extractor IPs: 167.172.253.162:8080
Source: Malware configuration extractor IPs: 188.44.20.25:443
Source: Malware configuration extractor IPs: 147.139.166.154:8080
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 185.4.135.165:8080
Source: Malware configuration extractor IPs: 45.176.232.124:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /ncju/qfgtbvn/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 164.90.222.65
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 110.232.117.186 110.232.117.186
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org
Source: global traffic HTTP traffic detected: GET /useragreement/ElKHvb4QIQqSrh6Hqm/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: bbvoyage.com
Source: global traffic HTTP traffic detected: GET /logs/pd/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: www.gomespontes.com.br
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49701 -> 91.121.146.47:8080
Source: global traffic TCP traffic: 192.168.2.4:49703 -> 66.228.32.31:7080
Source: global traffic TCP traffic: 192.168.2.4:49706 -> 167.172.199.165:8080
Source: global traffic TCP traffic: 192.168.2.4:49708 -> 104.168.155.143:8080
Source: global traffic TCP traffic: 192.168.2.4:49709 -> 163.44.196.120:8080
Source: global traffic TCP traffic: 192.168.2.4:49710 -> 160.16.142.56:8080
Source: global traffic TCP traffic: 192.168.2.4:49715 -> 159.65.88.10:8080
Source: global traffic TCP traffic: 192.168.2.4:49720 -> 149.56.131.28:8080
Source: global traffic TCP traffic: 192.168.2.4:49721 -> 72.15.201.15:8080
Source: global traffic TCP traffic: 192.168.2.4:49722 -> 1.234.2.232:8080
Source: global traffic TCP traffic: 192.168.2.4:49723 -> 82.223.21.224:8080
Source: global traffic TCP traffic: 192.168.2.4:49724 -> 206.189.28.199:8080
Source: global traffic TCP traffic: 192.168.2.4:49725 -> 169.57.156.166:8080
Source: global traffic TCP traffic: 192.168.2.4:49726 -> 107.170.39.149:8080
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 91.207.28.33:8080
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 18
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 10:41:08 GMTServer: ApacheX-Powered-By: PHP/7.0.33Content-Length: 0Connection: closeContent-Type: text/html;charset=utf-8
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.155.143
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.155.143
Source: unknown TCP traffic detected without corresponding DNS query: 104.168.155.143
Source: unknown TCP traffic detected without corresponding DNS query: 163.44.196.120
Source: unknown TCP traffic detected without corresponding DNS query: 163.44.196.120
Source: unknown TCP traffic detected without corresponding DNS query: 163.44.196.120
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.142.56
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.142.56
Source: unknown TCP traffic detected without corresponding DNS query: 160.16.142.56
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: wscript.exe, 00000001.00000003.410855988.00000000059DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.420955265.00000000059DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.412126322.00000000059DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.413424725.00000000059DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391922304.00000000059DC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.471546520.0000000001313000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.886694503.0000000001312000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.577252233.0000000001313000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000004.00000003.471546520.000000000135C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.470421836.000000000136F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.469695622.000000000136E000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.577252233.000000000135C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000004.00000003.471546520.000000000135C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.577252233.000000000135C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/Low
Source: regsvr32.exe, 00000004.00000003.470421836.000000000136F000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.469695622.000000000136E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/f
Source: regsvr32.exe, 00000004.00000002.886694503.00000000012E3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.577372470.00000000012E3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.472062790.00000000012E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000004.00000003.577252233.0000000001313000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.4.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000004.00000003.471546520.0000000001313000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.469695622.000000000136E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?039c8a783bb8b
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: wscript.exe, 00000001.00000003.408710769.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408476560.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.420641368.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.412030657.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409457535.00000000058D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409669464.00000000058D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ozmeydan.co
Source: wscript.exe, wscript.exe, 00000001.00000003.391922304.0000000005992000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407332716.0000000005846000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406516474.0000000005718000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406615479.0000000005765000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397846612.000000000552C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399039460.0000000005547000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408710769.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405922290.000000000566B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408476560.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405922290.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404823055.00000000056D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.413070673.0000000005817000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.419988118.0000000005581000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409633319.000000000590F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396283294.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401845274.00000000055E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397846612.00000000054F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395825240.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396708217.0000000005501000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.410529992.000000000599A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ozmeydan.com/cekici/9/
Source: wscript.exe, 00000001.00000003.411335660.0000000005141000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ozmeydan.com/cekici/9/xM
Source: wscript.exe, 00000001.00000002.420528269.0000000005747000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxW
Source: wscript.exe, 00000001.00000002.419338760.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401711047.00000000054B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK
Source: wscript.exe, wscript.exe, 00000001.00000003.391922304.0000000005992000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407332716.0000000005846000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406516474.0000000005718000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406615479.0000000005765000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397846612.000000000552C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399039460.0000000005547000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408710769.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405922290.000000000566B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408476560.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405922290.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404823055.00000000056D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.413070673.0000000005817000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.419988118.0000000005581000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409633319.000000000590F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396283294.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401845274.00000000055E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397846612.00000000054F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395825240.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396708217.0000000005501000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.410529992.000000000599A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/
Source: wscript.exe, 00000001.00000003.411335660.0000000005141000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/yM
Source: wscript.exe, 00000001.00000003.400015710.0000000005635000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.398615409.00000000055C2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399066301.00000000055D5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401946779.0000000005685000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397946549.00000000055A9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405536940.00000000056C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406263704.00000000056CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.420508641.00000000056CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://softwareulike.com/cWIYxWMPkK/z
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: wscript.exe, 00000001.00000003.412417949.0000000005749000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.420539950.000000000574A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/Gd
Source: wscript.exe, wscript.exe, 00000001.00000003.391922304.0000000005992000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407332716.0000000005846000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406516474.0000000005718000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406615479.0000000005765000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397846612.000000000552C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399039460.0000000005547000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408710769.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.420756352.0000000005963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405922290.000000000566B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408476560.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405922290.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404823055.00000000056D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.413070673.0000000005817000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.419988118.0000000005581000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409633319.000000000590F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396283294.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401845274.00000000055E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397846612.00000000054F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395825240.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396708217.0000000005501000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/
Source: wscript.exe, 00000001.00000003.411335660.000000000513C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/0
Source: wscript.exe, 00000001.00000003.411335660.0000000005141000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wrappixels.com/wp-admin/GdIA2oOQEiO5G/zM
Source: regsvr32.exe, 00000004.00000002.887361819.00000000034E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://10.207.28.33:8080/
Source: regsvr32.exe, 00000004.00000002.886694503.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.43.75.120/ncju/qfgtbvn/
Source: regsvr32.exe, 00000004.00000002.886694503.00000000012FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://103.43.75.120:443/ncju/qfgtbvn/
Source: regsvr32.exe, 00000004.00000002.886694503.0000000001302000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://104.168.155.143:8080/ncju/qfgtbvn/
Source: regsvr32.exe, 00000004.00000002.886694503.000000000135C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://107.170.39.149:8080/4
Source: regsvr32.exe, 00000004.00000002.886694503.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://160.16.142.56:8080/ncju/qfgtbvn/
Source: regsvr32.exe, 00000004.00000002.886694503.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.577372470.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.577252233.0000000001313000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://164.90.222.65/
Source: regsvr32.exe, 00000004.00000003.577372470.00000000012E3000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.577252233.0000000001313000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://164.90.222.65/ncju/qfgtbvn/
Source: regsvr32.exe, 00000004.00000002.886694503.000000000135C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://169.57.156.166:8080/ncju/qfgtbvn/ConnectionCache-Control
Source: regsvr32.exe, 00000004.00000002.886694503.000000000135C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://184.168.155.143:8080/
Source: regsvr32.exe, 00000004.00000002.887130157.000000000334E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://186.194.240.217/ncju/qfgtbvn//Nk7
Source: regsvr32.exe, 00000004.00000003.577372470.00000000012E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://187.172.199.165:8080/
Source: regsvr32.exe, 00000004.00000002.886694503.00000000012FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://206.189.28.199:8080/ncju/qfgtbvn/
Source: regsvr32.exe, 00000004.00000002.886694503.0000000001312000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.577252233.0000000001313000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://66.228.32.31:7080/
Source: regsvr32.exe, 00000004.00000002.886694503.0000000001312000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.577252233.0000000001313000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://66.228.32.31:7080//
Source: regsvr32.exe, 00000004.00000002.886694503.0000000001312000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.577252233.0000000001313000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://66.228.32.31:7080/3
Source: regsvr32.exe, 00000004.00000002.886694503.0000000001312000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.577252233.0000000001313000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://66.228.32.31:7080/K
Source: regsvr32.exe, 00000004.00000003.577252233.0000000001302000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.886694503.0000000001302000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://662.162.143.56/
Source: regsvr32.exe, 00000004.00000002.886694503.0000000001376000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://72.15.201.15:8080/ncju/qfgtbvn/
Source: regsvr32.exe, 00000004.00000002.886694503.00000000012FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://82.223.21.224:8080/ncju/qfgtbvn/
Source: regsvr32.exe, 00000004.00000002.887361819.00000000034E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://826.189.28.199:8080/
Source: regsvr32.exe, 00000004.00000002.886622640.0000000001288000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/
Source: regsvr32.exe, 00000004.00000002.886622640.0000000001288000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.886694503.0000000001302000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.121.146.47:8080/ncju/qfgtbvn/
Source: regsvr32.exe, 00000004.00000002.886694503.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.207.28.33:8080/
Source: regsvr32.exe, 00000004.00000002.886694503.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.207.28.33:8080/ebx
Source: regsvr32.exe, 00000004.00000002.886694503.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.207.28.33:8080/mbp
Source: regsvr32.exe, 00000004.00000002.886694503.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.207.28.33:8080/ncju/qfgtbvn/
Source: regsvr32.exe, 00000004.00000002.886694503.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.207.28.33:8080/ncju/qfgtbvn/B
Source: regsvr32.exe, 00000004.00000002.886694503.0000000001312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.207.28.33:8080/ncju/qfgtbvn/G
Source: regsvr32.exe, 00000004.00000002.886694503.00000000012FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.207.28.33:8080/ncju/qfgtbvn/Ih
Source: regsvr32.exe, 00000004.00000002.886694503.00000000012E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://91.207.28.33:8080/ncju/qfgtbvn/Pj?
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.aadrm.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.cortana.ai
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.office.net
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.onedrive.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://api.scheduler.
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://augloop.office.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: wscript.exe, 00000001.00000003.408710769.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408476560.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.420641368.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.412030657.00000000058D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409457535.00000000058D0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409669464.00000000058D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.co0
Source: wscript.exe, 00000001.00000002.420756352.0000000005963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.410172116.0000000005963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6H
Source: wscript.exe, wscript.exe, 00000001.00000003.391922304.0000000005992000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407332716.0000000005846000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406516474.0000000005718000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406615479.0000000005765000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397846612.000000000552C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399039460.0000000005547000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408710769.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405922290.000000000566B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408476560.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405922290.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404823055.00000000056D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.413070673.0000000005817000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391922304.00000000059CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.419988118.0000000005581000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.413424725.00000000059D2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.412574414.0000000005145000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409633319.000000000590F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396283294.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401845274.00000000055E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397846612.00000000054F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/
Source: wscript.exe, 00000001.00000003.408710769.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408476560.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409314654.00000000058D9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.410102687.00000000058FA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409380578.00000000058E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409564770.00000000058EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/.dll
Source: wscript.exe, 00000001.00000003.411335660.0000000005141000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/uM
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://cdn.entity.
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://cortana.ai
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://cortana.ai/api
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://cr.office.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://d.docs.live.net
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://designerapp.officeapps.live.com/designerapp
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://directory.services.
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://enrichment.osi.office.net/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://graph.windows.net
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://graph.windows.net/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://invites.office.com/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://login.windows.local
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://make.powerautomate.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://management.azure.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://management.azure.com/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://messaging.action.office.com/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://messaging.engagement.office.com/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://messaging.office.com/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://microsoftapc-my.sharepoint.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://ncus.contentsync.
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://officeapps.live.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://onedrive.live.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://otelrules.azureedge.net
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://outlook.office.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://outlook.office.com/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://outlook.office365.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: wscript.exe, 00000001.00000002.419988118.0000000005581000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409633319.000000000590F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396283294.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401845274.00000000055E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397846612.00000000054F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395825240.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396708217.0000000005501000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.410529992.000000000599A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.410172116.0000000005963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.402988298.0000000005608000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406263704.00000000056BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407270465.000000000577D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.413912205.0000000005846000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406263704.00000000056A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405862655.0000000005655000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.419338760.00000000054B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.412417949.0000000005749000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401650734.00000000055E9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406822038.0000000005718000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.420563216.0000000005750000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401711047.00000000054B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/
Source: wscript.exe, 00000001.00000003.411335660.0000000005141000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org/admin/Ses8712iGR8du/tM
Source: wscript.exe, 00000001.00000002.420756352.0000000005963000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.410172116.0000000005963000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://penshorn.org:443/admin/Ses8712iGR8du/8.0)
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: wscript.exe, wscript.exe, 00000001.00000003.391922304.0000000005992000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407332716.0000000005846000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406516474.0000000005718000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406615479.0000000005765000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397846612.000000000552C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399039460.0000000005547000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408710769.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405922290.000000000566B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408476560.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405922290.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404823055.00000000056D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.413070673.0000000005817000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.419988118.0000000005581000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409633319.000000000590F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396283294.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401845274.00000000055E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397846612.00000000054F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395825240.00000000054CC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396708217.0000000005501000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.410529992.000000000599A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/
Source: wscript.exe, 00000001.00000003.408710769.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408476560.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409633319.000000000590F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409805499.000000000591E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409314654.00000000058D9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.412084830.0000000005929000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.410032068.0000000005922000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409380578.00000000058E3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409564770.00000000058EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/w35047
Source: wscript.exe, 00000001.00000003.411335660.0000000005141000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://portalevolucao.com/GerarBoleto/fLIOoFbFs1jHtX/wM
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://pushchannel.1drv.ms
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://settings.outlook.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://tasks.office.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://wus2.contentsync.
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: wscript.exe, 00000001.00000003.412126322.0000000005A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.413424725.0000000005A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.420955265.0000000005A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.410855988.0000000005A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391922304.0000000005A25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/
Source: wscript.exe, 00000001.00000003.391922304.0000000005992000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.410529992.000000000599A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.411607010.000000000599A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.420832267.00000000059A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/R
Source: wscript.exe, wscript.exe, 00000001.00000003.391922304.0000000005992000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.412126322.0000000005A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.407332716.0000000005846000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406516474.0000000005718000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.406615479.0000000005765000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397846612.000000000552C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.399039460.0000000005547000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408710769.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405922290.000000000566B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.408476560.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.405922290.000000000567E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.404823055.00000000056D7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.413070673.0000000005817000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.419988118.0000000005581000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.412574414.0000000005145000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.409633319.000000000590F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.396283294.00000000054D1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.401845274.00000000055E1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.397846612.00000000054F7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.395825240.00000000054CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/
Source: wscript.exe, 00000001.00000003.412126322.0000000005A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.413424725.0000000005A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.420955265.0000000005A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.410855988.0000000005A25000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391922304.0000000005A25000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/I
Source: wscript.exe, 00000001.00000003.411335660.0000000005141000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gomespontes.com.br/logs/pd/vM
Source: 9204E5E0-0B60-432B-8209-3A8845F9936A.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown HTTP traffic detected: POST /ncju/qfgtbvn/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 164.90.222.65
Source: unknown DNS traffic detected: queries for: penshorn.org
Source: global traffic HTTP traffic detected: GET /admin/Ses8712iGR8du/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: penshorn.org
Source: global traffic HTTP traffic detected: GET /useragreement/ElKHvb4QIQqSrh6Hqm/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: bbvoyage.com
Source: global traffic HTTP traffic detected: GET /logs/pd/ HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: www.gomespontes.com.br
Source: unknown HTTPS traffic detected: 203.26.41.131:443 -> 192.168.2.4:49698 version: TLS 1.2
Source: unknown HTTPS traffic detected: 31.31.196.172:443 -> 192.168.2.4:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 186.202.153.5:443 -> 192.168.2.4:49700 version: TLS 1.2
Source: unknown HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.4:49707 version: TLS 1.2

E-Banking Fraud
barindex
Yara detected Emotet
Source: Yara match File source: 00000004.00000002.886622640.0000000001288000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 4.2.regsvr32.exe.1220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.1220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.886565395.0000000001220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.390164485.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.886899027.0000000001511000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.390216129.0000000000691000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Yara signature match
Source: 00000001.00000003.410172116.000000000594E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: WEBSHELL_asp_generic date = 2021-03-07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2023-01-06
Creates files inside the system directory
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\system32\APvqE\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180006818 3_2_0000000180006818
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000B878 3_2_000000018000B878
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180007110 3_2_0000000180007110
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008D28 3_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180014555 3_2_0000000180014555
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00650000 3_2_00650000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006AA000 3_2_006AA000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069CC14 3_2_0069CC14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A709C 3_2_006A709C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00697D6C 3_2_00697D6C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069263C 3_2_0069263C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00698BC8 3_2_00698BC8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A8FC8 3_2_006A8FC8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006AB460 3_2_006AB460
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00692C78 3_2_00692C78
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069C078 3_2_0069C078
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069B07C 3_2_0069B07C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A6C70 3_2_006A6C70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069D474 3_2_0069D474
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006AC44C 3_2_006AC44C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00697840 3_2_00697840
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006AC058 3_2_006AC058
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006B5450 3_2_006B5450
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069B83C 3_2_0069B83C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A1030 3_2_006A1030
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006AEC30 3_2_006AEC30
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00699408 3_2_00699408
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00697C08 3_2_00697C08
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00691000 3_2_00691000
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006B181C 3_2_006B181C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A20E0 3_2_006A20E0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006990F8 3_2_006990F8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006948FC 3_2_006948FC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00693CF4 3_2_00693CF4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006980CC 3_2_006980CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A08CC 3_2_006A08CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069F8C4 3_2_0069F8C4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A5CC4 3_2_006A5CC4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006918DC 3_2_006918DC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006914D4 3_2_006914D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A3CD4 3_2_006A3CD4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006998AC 3_2_006998AC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069DCB8 3_2_0069DCB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006B94BC 3_2_006B94BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006AA8B0 3_2_006AA8B0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A5880 3_2_006A5880
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00694C84 3_2_00694C84
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006ACC84 3_2_006ACC84
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069AC94 3_2_0069AC94
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006AAD28 3_2_006AAD28
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A4D20 3_2_006A4D20
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A1924 3_2_006A1924
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00696138 3_2_00696138
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00697530 3_2_00697530
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006AB130 3_2_006AB130
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A610C 3_2_006A610C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006B8500 3_2_006B8500
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A7518 3_2_006A7518
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006B9910 3_2_006B9910
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006AD5F0 3_2_006AD5F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A15C8 3_2_006A15C8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006ABDA0 3_2_006ABDA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006995BC 3_2_006995BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069A660 3_2_0069A660
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A0A70 3_2_006A0A70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00693274 3_2_00693274
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006AA244 3_2_006AA244
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069B258 3_2_0069B258
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069F65C 3_2_0069F65C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069BA2C 3_2_0069BA2C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A8A2C 3_2_006A8A2C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A0E2C 3_2_006A0E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A662C 3_2_006A662C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A8E08 3_2_006A8E08
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00693E0C 3_2_00693E0C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A020C 3_2_006A020C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A5A00 3_2_006A5A00
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006B8A00 3_2_006B8A00
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069461C 3_2_0069461C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00694214 3_2_00694214
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006992F0 3_2_006992F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069D6CC 3_2_0069D6CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006AEAC0 3_2_006AEAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A96D4 3_2_006A96D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069AAB8 3_2_0069AAB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00694EB8 3_2_00694EB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00693ABC 3_2_00693ABC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006AA6BC 3_2_006AA6BC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00698A8C 3_2_00698A8C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006B4E8C 3_2_006B4E8C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069BE90 3_2_0069BE90
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A4A90 3_2_006A4A90
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00698378 3_2_00698378
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069F77C 3_2_0069F77C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006AD770 3_2_006AD770
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006ACF70 3_2_006ACF70
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00694758 3_2_00694758
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069975C 3_2_0069975C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006AE750 3_2_006AE750
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069D33C 3_2_0069D33C
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A4F18 3_2_006A4F18
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006AE310 3_2_006AE310
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069EF14 3_2_0069EF14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A3B14 3_2_006A3B14
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006B27EC 3_2_006B27EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069A7F0 3_2_0069A7F0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A97CC 3_2_006A97CC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A3FD0 3_2_006A3FD0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00692FD4 3_2_00692FD4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006933D4 3_2_006933D4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069DBA0 3_2_0069DBA0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069FFB8 3_2_0069FFB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A8BB8 3_2_006A8BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00698FB0 3_2_00698FB0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A5384 3_2_006A5384
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00691B94 3_2_00691B94
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01210000 4_2_01210000
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01517D6C 4_2_01517D6C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151CC14 4_2_0151CC14
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151640A 4_2_0151640A
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015208CC 4_2_015208CC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01519B79 4_2_01519B79
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01523FD0 4_2_01523FD0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01518BC8 4_2_01518BC8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01528FC8 4_2_01528FC8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015163F4 4_2_015163F4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015373A4 4_2_015373A4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01516E42 4_2_01516E42
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01530618 4_2_01530618
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01534D64 4_2_01534D64
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01539910 4_2_01539910
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01527518 4_2_01527518
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01538500 4_2_01538500
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01532100 4_2_01532100
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152610C 4_2_0152610C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152B130 4_2_0152B130
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01516138 4_2_01516138
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01524D20 4_2_01524D20
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01521924 4_2_01521924
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152AD28 4_2_0152AD28
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015215C8 4_2_015215C8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152D5F0 4_2_0152D5F0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015195BC 4_2_015195BC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152BDA0 4_2_0152BDA0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01535450 4_2_01535450
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152C058 4_2_0152C058
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01517840 4_2_01517840
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152C44C 4_2_0152C44C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01526C70 4_2_01526C70
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151D474 4_2_0151D474
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01512C78 4_2_01512C78
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151C078 4_2_0151C078
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151B07C 4_2_0151B07C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152B460 4_2_0152B460
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01535868 4_2_01535868
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01517410 4_2_01517410
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0153181C 4_2_0153181C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01511000 4_2_01511000
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152A000 4_2_0152A000
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01517C08 4_2_01517C08
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01519408 4_2_01519408
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01521030 4_2_01521030
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152EC30 4_2_0152EC30
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151B83C 4_2_0151B83C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015114D4 4_2_015114D4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01523CD4 4_2_01523CD4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01531CD4 4_2_01531CD4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015118DC 4_2_015118DC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151F8C4 4_2_0151F8C4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01525CC4 4_2_01525CC4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015180CC 4_2_015180CC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01513CF4 4_2_01513CF4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015190F8 4_2_015190F8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015148FC 4_2_015148FC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015220E0 4_2_015220E0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151AC94 4_2_0151AC94
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01531494 4_2_01531494
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152709C 4_2_0152709C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01525880 4_2_01525880
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01514C84 4_2_01514C84
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152CC84 4_2_0152CC84
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0153488C 4_2_0153488C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152A8B0 4_2_0152A8B0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151DCB8 4_2_0151DCB8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015394BC 4_2_015394BC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015344A8 4_2_015344A8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015198AC 4_2_015198AC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152E750 4_2_0152E750
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01514758 4_2_01514758
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151975C 4_2_0151975C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152D770 4_2_0152D770
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152CF70 4_2_0152CF70
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01518378 4_2_01518378
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151F77C 4_2_0151F77C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01538B68 4_2_01538B68
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152E310 4_2_0152E310
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01538310 4_2_01538310
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151EF14 4_2_0151EF14
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01523B14 4_2_01523B14
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01524F18 4_2_01524F18
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01535B1C 4_2_01535B1C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151D33C 4_2_0151D33C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01512FD4 4_2_01512FD4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015133D4 4_2_015133D4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015297CC 4_2_015297CC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151A7F0 4_2_0151A7F0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152FFFC 4_2_0152FFFC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015327EC 4_2_015327EC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01511B94 4_2_01511B94
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152779A 4_2_0152779A
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01525384 4_2_01525384
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01518FB0 4_2_01518FB0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151FFB8 4_2_0151FFB8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01528BB8 4_2_01528BB8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151DBA0 4_2_0151DBA0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015347A8 4_2_015347A8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151B258 4_2_0151B258
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151F65C 4_2_0151F65C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152A244 4_2_0152A244
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01536E48 4_2_01536E48
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01520A70 4_2_01520A70
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01513274 4_2_01513274
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151A660 4_2_0151A660
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01514214 4_2_01514214
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151461C 4_2_0151461C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01525A00 4_2_01525A00
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01538A00 4_2_01538A00
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01528E08 4_2_01528E08
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01513E0C 4_2_01513E0C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152020C 4_2_0152020C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151263C 4_2_0151263C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151BA2C 4_2_0151BA2C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01528A2C 4_2_01528A2C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01520E2C 4_2_01520E2C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152662C 4_2_0152662C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015296D4 4_2_015296D4
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152EAC0 4_2_0152EAC0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151D6CC 4_2_0151D6CC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015192F0 4_2_015192F0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_015336FC 4_2_015336FC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151BE90 4_2_0151BE90
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01524A90 4_2_01524A90
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01532E84 4_2_01532E84
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01518A8C 4_2_01518A8C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01534E8C 4_2_01534E8C
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01532AB0 4_2_01532AB0
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0151AAB8 4_2_0151AAB8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01514EB8 4_2_01514EB8
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01527EBE 4_2_01527EBE
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01513ABC 4_2_01513ABC
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152A6BC 4_2_0152A6BC
Contains functionality to call native functions
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 3_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert, 3_2_0000000180010AC0
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject, 3_2_0000000180010DB0
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\rad69C50.tmp.dll 2F39C2879989DDD7F9ECF52B6232598E5595F8BF367846FF188C9DFBF1251253
Source: 8846_0.one ReversingLabs: Detection: 41%
Source: 8846_0.one Virustotal: Detection: 55%
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE" "C:\Users\user\Desktop\8846_0.one
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad69C50.tmp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad69C50.tmp.dll"
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\APvqE\xukoZN.dll"
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Local\Temp\click.wsf" Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process created: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE /tsr Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad69C50.tmp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe "C:\Users\user\AppData\Local\Temp\rad69C50.tmp.dll" Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\APvqE\xukoZN.dll" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32 Jump to behavior
Source: Send to OneNote.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\Documents\{648E277F-12C2-4FEB-937C-E28C5FEAD81A} Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\AppData\Local\Temp\{9E57F28E-E61E-4B72-AC07-75DEC2311600} - OProcSessId.dat Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winONE@11/325@4/51
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File read: C:\Program Files (x86)\desktop.ini Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00698BC8 Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,FindCloseChangeNotification, 3_2_00698BC8
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Mutant created: \Sessions\1\BaseNamedObjects\OneNoteM:AppShared
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180005C69 push rdi; ret 3_2_0000000180005C72
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800056DD push rdi; ret 3_2_00000001800056E4
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069A0FC push ebp; iretd 3_2_0069A0FD
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00696CDE push esi; iretd 3_2_00696CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A80D7 push ebp; retf 3_2_006A80D8
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00696C9F pushad ; ret 3_2_00696CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A7D4E push ebp; iretd 3_2_006A7D4F
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00699D51 push ebp; retf 3_2_00699D5A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A8157 push ebp; retf 3_2_006A8158
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A7D25 push 4D8BFFFFh; retf 3_2_006A7D2A
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A7D3C push ebp; retf 3_2_006A7D3D
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069A1D2 push ebp; iretd 3_2_0069A1D3
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A7987 push ebp; iretd 3_2_006A798F
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0069A26E push ebp; ret 3_2_0069A26F
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006A7EAF push 458BCC5Ah; retf 3_2_006A7EBC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00699E8B push eax; retf 3_2_00699E8E
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_006AC731 push esi; iretd 3_2_006AC732
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01527D4E push ebp; iretd 4_2_01527D4F
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01536D34 push edi; ret 4_2_01536D36
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01527D3C push ebp; retf 4_2_01527D3D
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01527D25 push 4D8BFFFFh; retf 4_2_01527D2A
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01516CDE push esi; iretd 4_2_01516CDF
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01516C9F pushad ; ret 4_2_01516CAA
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_0152C731 push esi; iretd 4_2_0152C732
Source: C:\Windows\System32\regsvr32.exe Code function: 4_2_01527EAF push 458BCC5Ah; retf 4_2_01527EBC
PE file contains sections with non-standard names
Source: rad69C50.tmp.dll.1.dr Static PE information: section name: _RDATA
Registers a DLL
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad69C50.tmp.dll
Drops PE files
Source: C:\Windows\SysWOW64\wscript.exe File created: C:\Users\user\AppData\Local\Temp\rad69C50.tmp.dll Jump to dropped file
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\APvqE\xukoZN.dll (copy) Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\regsvr32.exe File created: C:\Windows\System32\APvqE\xukoZN.dll (copy) Jump to dropped file
Stores files to the Windows start menu directory
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk Jump to behavior
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\System32\regsvr32.exe File opened: C:\Windows\system32\APvqE\xukoZN.dll:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTE.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\ONENOTEM.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\wscript.exe TID: 5704 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 5352 Thread sleep time: -570000s >= -30000s Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\System32\regsvr32.exe API coverage: 8.0 %
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180008D28 FindFirstFileExW, 3_2_0000000180008D28
Source: C:\Windows\System32\regsvr32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: regsvr32.exe, 00000004.00000003.471546520.0000000001313000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.886694503.0000000001312000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.577252233.0000000001313000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWKG
Source: wscript.exe, 00000001.00000003.391922304.00000000059DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\@
Source: wscript.exe, 00000001.00000003.391922304.0000000005992000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.410529992.000000000599A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.410855988.00000000059DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.420955265.00000000059DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.411607010.000000000599A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.412126322.00000000059DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.413424725.00000000059DC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.420832267.00000000059A2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.391922304.00000000059DC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.471546520.0000000001313000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000002.886694503.0000000001312000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000004.00000002.886694503.00000000012CC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000004.00000003.471546520.00000000012CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWj1
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0000000180001C48
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_000000018000A878 GetProcessHeap, 3_2_000000018000A878
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory, 3_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00000001800082EC
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00000001800017DC

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.65.88.10 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 164.90.222.65 443 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Domain query: penshorn.org
Source: C:\Windows\System32\regsvr32.exe Network Connect: 186.194.240.217 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 104.168.155.143 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 159.89.202.34 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 160.16.142.56 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.121.146.47 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 91.207.28.33 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 103.43.75.120 443 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Domain query: bbvoyage.com
Source: C:\Windows\System32\regsvr32.exe Network Connect: 72.15.201.15 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 163.44.196.120 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 206.189.28.199 8080 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 31.31.196.172 443 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 186.202.153.5 443 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Network Connect: 203.26.41.131 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 107.170.39.149 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 187.63.160.88 80 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 66.228.32.31 7080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 82.223.21.224 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 149.56.131.28 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 169.57.156.166 8080 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Domain query: www.gomespontes.com.br
Source: C:\Windows\System32\regsvr32.exe Network Connect: 182.162.143.56 443 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 1.234.2.232 8080 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Network Connect: 167.172.199.165 8080 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\System32\regsvr32.exe" "C:\Users\user\AppData\Local\Temp\rad69C50.tmp.dll Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\regsvr32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_00000001800070A0 cpuid 3_2_00000001800070A0
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Code function: 3_2_0000000180001D98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_0000000180001D98

Stealing of Sensitive Information
barindex
Yara detected Malicious OneNote
Source: Yara match File source: 8846_0.one, type: SAMPLE
Yara detected Emotet
Source: Yara match File source: 00000004.00000002.886622640.0000000001288000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 4.2.regsvr32.exe.1220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.660000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.regsvr32.exe.1220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.886565395.0000000001220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.390164485.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.886899027.0000000001511000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.390216129.0000000000691000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected Malicious OneNote
Source: Yara match File source: 8846_0.one, type: SAMPLE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 830446 Sample: 8846_0.one Startdate: 20/03/2023 Architecture: WINDOWS Score: 100 35 129.232.188.93 xneeloZA South Africa 2->35 37 45.235.8.30 WIKINETTELECOMUNICACOESBR Brazil 2->37 39 25 other IPs or domains 2->39 53 Snort IDS alert for network traffic 2->53 55 Antivirus detection for URL or domain 2->55 57 Multi AV Scanner detection for dropped file 2->57 59 6 other signatures 2->59 10 ONENOTE.EXE 47 369 2->10         started        signatures3 process4 process5 12 wscript.exe 4 10->12         started        17 ONENOTEM.EXE 1 10->17         started        dnsIp6 47 gomespontes.com.br 186.202.153.5, 443, 49700 LocawebServicosdeInternetSABR Brazil 12->47 49 penshorn.org 203.26.41.131, 443, 49698 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Australia 12->49 51 2 other IPs or domains 12->51 31 C:\Users\user\AppData\...\rad69C50.tmp.dll, PE32+ 12->31 dropped 33 C:\Users\user\AppData\Local\Temp\click.wsf, ASCII 12->33 dropped 65 System process connects to network (likely due to code injection or exploit) 12->65 19 regsvr32.exe 12->19         started        file7 signatures8 process9 process10 21 regsvr32.exe 2 19->21         started        file11 29 C:\Windows\System32\APvqE\xukoZN.dll (copy), PE32+ 21->29 dropped 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->61 25 regsvr32.exe 21->25         started        signatures12 process13 dnsIp14 41 169.57.156.166, 8080 SOFTLAYERUS United States 25->41 43 1.234.2.232, 49722, 8080 SKB-ASSKBroadbandCoLtdKR Korea Republic of 25->43 45 19 other IPs or domains 25->45 63 System process connects to network (likely due to code injection or exploit) 25->63 signatures15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
110.232.117.186
 unknown Australia
56038 RACKCORP-APRackCorpAU true
103.132.242.26
 unknown India
45117 INPL-IN-APIshansNetworkIN true
104.168.155.143
 unknown United States
54290 HOSTWINDSUS true
79.137.35.198
 unknown France
16276 OVHFR true
115.68.227.76
 unknown Korea Republic of
38700 SMILESERV-AS-KRSMILESERVKR true
163.44.196.120
 unknown Singapore
135161 GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG true
206.189.28.199
 unknown United States
14061 DIGITALOCEAN-ASNUS true
31.31.196.172
 bbvoyage.com Russian Federation
197695 AS-REGRU true
186.202.153.5
 gomespontes.com.br Brazil
27715 LocawebServicosdeInternetSABR true
203.26.41.131
 penshorn.org Australia
38719 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU true
107.170.39.149
 unknown United States
14061 DIGITALOCEAN-ASNUS true
66.228.32.31
 unknown United States
63949 LINODE-APLinodeLLCUS true
197.242.150.244
 unknown South Africa
37611 AfrihostZA true
185.4.135.165
 unknown Greece
199246 TOPHOSTGR true
183.111.227.137
 unknown Korea Republic of
4766 KIXS-AS-KRKoreaTelecomKR true
45.176.232.124
 unknown Colombia
267869 CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC true
169.57.156.166
 unknown United States
36351 SOFTLAYERUS true
164.68.99.3
 unknown Germany
51167 CONTABODE true
139.59.126.41
 unknown Singapore
14061 DIGITALOCEAN-ASNUS true
167.172.253.162
 unknown United States
14061 DIGITALOCEAN-ASNUS true
167.172.199.165
 unknown United States
14061 DIGITALOCEAN-ASNUS true
202.129.205.3
 unknown Thailand
45328 NIPA-AS-THNIPATECHNOLOGYCOLTDTH true
147.139.166.154
 unknown United States
45102 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC true
153.92.5.27
 unknown Germany
47583 AS-HOSTINGERLT true
159.65.88.10
 unknown United States
14061 DIGITALOCEAN-ASNUS true
172.105.226.75
 unknown United States
63949 LINODE-APLinodeLLCUS true
164.90.222.65
 unknown United States
14061 DIGITALOCEAN-ASNUS true
213.239.212.5
 unknown Germany
24940 HETZNER-ASDE true
5.135.159.50
 unknown France
16276 OVHFR true
186.194.240.217
 unknown Brazil
262733 NetceteraTelecomunicacoesLtdaBR true
119.59.103.152
 unknown Thailand
56067 METRABYTE-TH453LadplacoutJorakhaebuaTH true
159.89.202.34
 unknown United States
14061 DIGITALOCEAN-ASNUS true
91.121.146.47
 unknown France
16276 OVHFR true
160.16.142.56
 unknown Japan 9370 SAKURA-BSAKURAInternetIncJP true
201.94.166.162
 unknown Brazil
28573 CLAROSABR true
91.207.28.33
 unknown Kyrgyzstan
39819 PROHOSTKG true
103.75.201.2
 unknown Thailand
133496 CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH true
103.43.75.120
 unknown Japan 20473 AS-CHOOPAUS true
188.44.20.25
 unknown Macedonia
57374 GIV-ASMK true
45.235.8.30
 unknown Brazil
267405 WIKINETTELECOMUNICACOESBR true
153.126.146.25
 unknown Japan 7684 SAKURA-ASAKURAInternetIncJP true
72.15.201.15
 unknown United States
13649 ASN-VINSUS true
187.63.160.88
 unknown Brazil
28169 BITCOMPROVEDORDESERVICOSDEINTERNETLTDABR true
82.223.21.224
 unknown Spain
8560 ONEANDONE-ASBrauerstrasse48DE true
173.212.193.249
 unknown Germany
51167 CONTABODE true
95.217.221.146
 unknown Germany
24940 HETZNER-ASDE true
149.56.131.28
 unknown Canada
16276 OVHFR true
182.162.143.56
 unknown Korea Republic of
3786 LGDACOMLGDACOMCorporationKR true
1.234.2.232
 unknown Korea Republic of
9318 SKB-ASSKBroadbandCoLtdKR true
129.232.188.93
 unknown South Africa
37153 xneeloZA true
94.23.45.86
 unknown France
16276 OVHFR true

Contacted Domains

Name IP Active
bbvoyage.com 31.31.196.172 true
gomespontes.com.br 186.202.153.5 true
penshorn.org 203.26.41.131 true
www.gomespontes.com.br unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://bbvoyage.com/useragreement/ElKHvb4QIQqSrh6Hqm/ true
  • Avira URL Cloud: malware
 unknown
https://www.gomespontes.com.br/logs/pd/ true
  • Avira URL Cloud: malware
 unknown