Analysis Report ACH REMlTTANCE ADVlCE..xlsx

Overview

General Information

Sample Name: ACH REMlTTANCE ADVlCE..xlsx
Analysis ID: 339432
MD5: 1726734045f013554979c6c7c1932b7c
SHA1: b6c9fb364f0bb8726be22bdacc6dc4f3acb31f7d
SHA256: 46f4cb7548dfcb39a289f186fbd4f9ed8169e1917a29de1c3492773568e5ee45

Detection

HTMLPhisher
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected HtmlPhish_25
Phishing site detected (based on image similarity)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Steals Internet Explorer cookies

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://ny990xqwsj1.typeform.com/to/qjFrxD7r SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Yara detected HtmlPhish_25
Source: Yara match File source: 536720.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\qjFrxD7r[1].htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\qjFrxD7r[1].htm, type: DROPPED
Phishing site detected (based on image similarity)
Source: https://images.typeform.com/images/m9zWqYibLnGK/background/large Matcher: Found strong image similarity, brand: Microsoft
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 65.9.58.106:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.58.106:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.58.87:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.58.87:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.58.87:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.70.129:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.70.129:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown HTTPS traffic detected: 44.225.192.231:443 -> 192.168.2.22:49174 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.58.120:443 -> 192.168.2.22:49179 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.58.120:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: unknown HTTPS traffic detected: 44.225.192.231:443 -> 192.168.2.22:49175 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.247.242.19:443 -> 192.168.2.22:49180 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.247.242.19:443 -> 192.168.2.22:49181 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.58.87:443 -> 192.168.2.22:49185 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.58.106:443 -> 192.168.2.22:49188 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.58.106:443 -> 192.168.2.22:49189 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.58.87:443 -> 192.168.2.22:49192 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.58.87:443 -> 192.168.2.22:49193 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.70.129:443 -> 192.168.2.22:49196 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.70.129:443 -> 192.168.2.22:49197 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.247.242.19:443 -> 192.168.2.22:49194 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.247.242.19:443 -> 192.168.2.22:49195 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.35.195.250:443 -> 192.168.2.22:49198 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.35.195.250:443 -> 192.168.2.22:49199 version: TLS 1.2

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.247.242.19 162.247.242.19
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\90BCE4B8.jpeg
Source: unknown DNS traffic detected: queries for: ny990xqwsj1.typeform.com
Source: ~DFBC05D677CD36F01B.TMP.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: ~DFBC05D677CD36F01B.TMP.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertSHA2SecureServerCA.crl0=
Source: ~DFBC05D677CD36F01B.TMP.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertSHA2SecureServerCA.crl0L
Source: ~DFBC05D677CD36F01B.TMP.2.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: vendors~form.965f5dedbb854e83c6c8[1].js.3.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: vendors~form.965f5dedbb854e83c6c8[1].js.3.dr String found in binary or memory: http://www.jacklmoore.com/autosize
Source: renderer.0f5a683b381b67dbbf89[1].js.3.dr String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: vendors~form.965f5dedbb854e83c6c8[1].js.3.dr String found in binary or memory: https://github.com/kof/animationFrame
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://images.typeform.com/images/FYUps4mFKPYK/image/default
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://images.typeform.com/images/HzxaK5qZrKPU/image/default
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://images.typeform.com/images/m9zWqYibLnGK/background/large
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://images.typeform.com/images/m9zWqYibLnGK/background/large);background-position:top
Source: {739E3DFF-5653-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://ny990xqwsj1.typefRoot
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://ny990xqwsj1.typeform.com/oembed?url=https%3A%2F%2Fny990xqwsj1.typeform.com%2Fto%2FqjFrxD7r
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://ny990xqwsj1.typeform.com/to/qjFrxD7r
Source: ~DFBC05D677CD36F01B.TMP.2.dr String found in binary or memory: https://ny990xqwsj1.typeform.com/to/qjFrxD7r6MlCR0S0FT
Source: {739E3DFF-5653-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://ny990xqwsj1.typeform.com/to/qjFrxD7r6Root
Source: {739E3DFF-5653-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://ny990xqwsj1.typeform.com/to/qjFrxD7r6om/?utm_campaign=qjFrxD7r&utm_soorm.com/to/qjFrxD7r
Source: {739E3DFF-5653-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://ny990xqwsj1.typeform.com/to/qjFrxD7r6orm.com/to/qjFrxD7r
Source: {739E3DFF-5653-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://ny990xqwsj1.typeform.com/to/qjFrxD7rRoot
Source: ~DFBC05D677CD36F01B.TMP.2.dr String found in binary or memory: https://ny990xqwsj1.typeform.com/to/qjFrxD7rz
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://public-assets.typeform.com/public/favicon/apple-touch-icon.png
Source: ~DFC448DC16F91BBCE4.TMP.6.dr, qjFrxD7r[1].htm.3.dr String found in binary or memory: https://public-assets.typeform.com/public/favicon/browserconfig.xml
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://public-assets.typeform.com/public/favicon/favicon-16x16.png
Source: qjFrxD7r[1].htm.3.dr, ~DF72A7006BFF98A571.TMP.6.dr String found in binary or memory: https://public-assets.typeform.com/public/favicon/favicon-32x32.png
Source: imagestore.dat.3.dr String found in binary or memory: https://public-assets.typeform.com/public/favicon/favicon-32x32.png-
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://public-assets.typeform.com/public/favicon/favicon.ico
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://public-assets.typeform.com/public/favicon/safari-pinned-tab.svg
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://public-assets.typeform.com/public/favicon/site.webmanifest
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/blocks-matrix.0544beec0e1a4e11a24a.js
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/form.9cd5d6381506e5950fe0.js
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/modern-renderer.36eec26e0148023415c0.js
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/phonenumber.6ea5ec50b9fa21e816ff.js
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/renderer.0f5a683b381b67dbbf89.js
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/vendors~attachment.6e37d3fcdf703c1517e1.js
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/vendors~blocks-ranking.f8aee16223a106724ea1.js
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/vendors~form.965f5dedbb854e83c6c8.js
Source: qjFrxD7r[1].htm.3.dr String found in binary or memory: https://renderer-assets.typeform.com/vendors~phonenumber.32d788474b661d4d3074.js
Source: ~DFBC05D677CD36F01B.TMP.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: {739E3DFF-5653-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://www.typeform.c
Source: ~DFBC05D677CD36F01B.TMP.2.dr String found in binary or memory: https://www.typeform.com/?utm_campaign=qjFrxD7r&utm_source=typeform.com-17523577-Free&utm_medium=typ
Source: {739E3DFF-5653-11EB-ADCF-ECF4BBB5915B}.dat.2.dr String found in binary or memory: https://www.typeform.cpeform.com/to/qjFrxD7rz
Source: unknown Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49199 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49197 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49199
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49193
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 443
Source: classification engine Classification label: mal60.phis.winXLSX@8/83@19/7
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$ACH REMlTTANCE ADVlCE..xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC5AF.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1976 CREDAT:275457 /prefetch:2
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://ny990xqwsj1.typeform.com/to/qjFrxD7r
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2864 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://ny990xqwsj1.typeform.com/to/qjFrxD7r
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1976 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2864 CREDAT:275457 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (reported 20 times)

Stealing of Sensitive Information:

Steals Internet Explorer cookies
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\EZEPC3VR.txt
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\L42YGXX7.txt
Behavior Graph

Behavior Graph ID: 339432
Sample: ACH REMlTTANCE ADVlCE..xlsx
Startdate: 14/01/2021
Architecture: WINDOWS
Score: 60
Signatures on the graph: Antivirus detection for URL or domain; Yara detected HtmlPhish_25; Phishing site detected (based on image similarity)
Process tree on the graph: EXCEL.EXE starts iexplore.exe, which starts a child iexplore.exe; a separately started iexplore.exe also starts a child iexplore.exe
Domains and IPs on the graph: public-assets.typeform.com; d2p6vz8nayi9a3.cloudfront.net; ny990xqwsj1.typeform.com; images.typeform.com; d2nvsmtq2poimt.cloudfront.net; renderer-assets.typeform.com; bam.nr-data.net (162.247.242.19, port 443, NEWRELIC-AS-1US, United States); api.segment.io (44.225.192.231, port 443, AMAZON-02US, United States); 52.35.195.250 (port 443, AMAZON-02US, United States); other IPs or domains not named on the graph
Dropped file on the graph: C:\Users\user\AppData\...\qjFrxD7r[1].htm, HTML

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
65.9.58.87 unknown United States 16509 AMAZON-02US false
44.225.192.231 unknown United States 16509 AMAZON-02US false
162.247.242.19 unknown United States 23467 NEWRELIC-AS-1US false
65.9.58.106 unknown United States 16509 AMAZON-02US false
52.35.195.250 unknown United States 16509 AMAZON-02US false
65.9.70.129 unknown United States 16509 AMAZON-02US false
65.9.58.120 unknown United States 16509 AMAZON-02US false

Contacted Domains

Name IP Active
d296je7bbdd650.cloudfront.net 65.9.70.129 true
api.segment.io 44.225.192.231 true
d2citsn5wf4j9j.cloudfront.net 65.9.58.106 true
d2nvsmtq2poimt.cloudfront.net 65.9.58.87 true
bam.nr-data.net 162.247.242.19 true
d2p6vz8nayi9a3.cloudfront.net 65.9.58.120 true
cdn.segment.com unknown unknown
renderer-assets.typeform.com unknown unknown
js-agent.newrelic.com unknown unknown
public-assets.typeform.com unknown unknown
images.typeform.com unknown unknown
ny990xqwsj1.typeform.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://ny990xqwsj1.typeform.com/to/qjFrxD7r false SlashNext: Fake Login Page type: Phishing & Social Engineering high
https://www.typeform.com/?utm_campaign=qjFrxD7r&utm_source=typeform.com-17523577-Free&utm_medium=typeform&utm_content=typeform-footer&utm_term=EN false (none) high