Play interactive tour
Edit tourAnalysis Report Current-Status-062021-81197.xlsb
Overview
General Information
| Sample Name: | Current-Status-062021-81197.xlsb |
| Analysis ID: | 432839 |
| MD5: | 1ac719c744d22f42e4978e7b55828435 |
| SHA1: | 4ddc7358f615987bf92ed9192430693db65b097c |
| SHA256: | d9be275feff4b3383821b1483ba93424fb27aa40e138da41a91511193d9538cb |
| Infos: | |
Most interesting Screenshot:  | |
Detection
Hidden Macro 4.0
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Document exploit detected (drops PE files)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Contains functionality to create processes via WMI
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found abnormal large hidden Excel 4.0 Macro sheet
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0
Classification
Process Tree |
|---|
|
Malware Configuration |
|---|
| No configs have been found |
|---|
Yara Overview |
|---|
Initial Sample |
|---|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |
Sigma Overview |
|---|
System Summary: |   |
|---|
| Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources | ||
| Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: | ||
Signature Overview |
|---|
Click to jump to signature section
Show All Signature Results
AV Detection: | |
|---|
| Multi AV Scanner detection for domain / URL | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Multi AV Scanner detection for dropped file | Show sources | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Multi AV Scanner detection for submitted file | Show sources | ||
| Source: | Virustotal: | Perma Link | ||
| Machine Learning detection for dropped file | Show sources | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | File opened: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
Software Vulnerabilities: | |
|---|
| Document exploit detected (drops PE files) | Show sources | ||
| Source: | File created: | Jump to dropped file | ||
| Document exploit detected (UrlDownloadToFile) | Show sources | ||
| Source: | Section loaded: | ||
| Document exploit detected (process start blacklist hit) | Show sources | ||
| Source: | Process created: | ||
| Source: | DNS query: | ||
| Source: | TCP traffic: | ||
| Source: | TCP traffic: | ||
| Source: | ASN Name: | ||
| Source: | JA3 fingerprint: | ||
| Source: | Code function: | ||
| Source: | DNS traffic detected: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | String found in binary or memory: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | Network traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
System Summary: | |
|---|
| Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) | Show sources | ||
| Source: | Screenshot OCR: | ||
| Source: | Screenshot OCR: | ||
| Contains functionality to create processes via WMI | Show sources | ||
| Source: | Binary or memory string: | ||
| Found abnormal large hidden Excel 4.0 Macro sheet | Show sources | ||
| Source: | Initial sample: | ||
| Office process drops PE file | Show sources | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Process Stats: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Dropped File: | ||
| Source: | Dropped File: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Classification label: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Mutant created: | ||
| Source: | File created: | Jump to behavior | ||
| Source: | Command line argument: | ||
| Source: | WMI Queries: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Key opened: | ||
| Source: | File read: | Jump to behavior | ||
| Source: | File read: | Jump to behavior | ||
| Source: | Virustotal: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Process created: | ||
| Source: | Key value queried: | ||
| Source: | Window detected: | ||
| Source: | Initial sample: | ||
| Source: | Key opened: | ||
| Source: | File opened: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
Persistence and Installation Behavior: | |
|---|
| Creates processes via WMI | Show sources | ||
| Source: | WMI Queries: | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | File created: | Jump to dropped file | ||
Boot Survival: | |
|---|
| Drops PE files to the user root directory | Show sources | ||
| Source: | File created: | Jump to dropped file | ||
| Source: | Code function: | ||
| Source: | Registry key monitored for changes: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Process information set: | ||
| Source: | Code function: | ||
| Source: | API coverage: | ||
| Source: | Last function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Process information queried: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | File source: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Binary or memory string: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
| Source: | Code function: | ||
Mitre Att&ck Matrix |
|---|
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation21 | Application Shimming1 | Application Shimming1 | Disable or Modify Tools1 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scripting1 | Boot or Logon Initialization Scripts | Process Injection2 | Deobfuscate/Decode Files or Information1 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | Native API1 | Logon Script (Windows) | Logon Script (Windows) | Scripting1 | Security Account Manager | File and Directory Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | Exploitation for Client Execution33 | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | System Information Discovery24 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol2 | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Command and Scripting Interpreter2 | Network Logon Script | Network Logon Script | Masquerading121 | LSA Secrets | Query Registry1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection2 | Cached Domain Credentials | Security Software Discovery121 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Owner/User Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction | |
| Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Network Configuration Discovery1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact |
Behavior Graph |
|---|
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
InternetScreenshots |
|---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
|---|
Initial Sample |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 8% | Virustotal | Browse | ||
| 2% | ReversingLabs |
Dropped Files |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 100% | Joe Sandbox ML | |||
| 100% | Joe Sandbox ML | |||
| 17% | ReversingLabs | |||
| 17% | ReversingLabs |
Unpacked PE Files |
|---|
| No Antivirus matches |
|---|
Domains |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 8% | Virustotal | Browse |
URLs |
|---|
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Virustotal | Browse | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | URL Reputation | safe | ||
| 0% | Avira URL Cloud | safe |
Domains and IPs |
|---|
Contacted Domains |
|---|
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| injuryless.com | 193.178.169.243 | true | true |
| unknown |
| pigeonious.com | 95.142.44.93 | true | false | unknown |
URLs from Memory and Binaries |
|---|
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| true |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| true |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| true |
| unknown | ||
| true |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| true |
| unknown | ||
| true |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| true |
| unknown | ||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| true |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| true |
| unknown | ||
| true |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| true |
| unknown | ||
| false | high | |||
| true |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| true |
| unknown | ||
| true |
| unknown | ||
| false | high | |||
| true |
| unknown | ||
| false | high | |||
| false | high | |||
| true |
| unknown | ||
| false |
| unknown | ||
| false | high | |||
| false | high | |||
| false | high | |||
| false | high | |||
| true |
| unknown | ||
| false |
| unknown | ||
| false |
| unknown | ||
| true |
| unknown |
Contacted IPs |
|---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
|---|
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 193.178.169.243 | injuryless.com | unknown | 48282 | VDSINA-ASRU | true | |
| 95.142.44.93 | pigeonious.com | Russian Federation | 210079 | EUROBYTEEurobyteLLCMoscowRussiaRU | false |
General Information |
|---|
| Joe Sandbox Version: | 32.0.0 Black Diamond |
| Analysis ID: | 432839 |
| Start date: | 10.06.2021 |
| Start time: | 20:29:54 |
| Joe Sandbox Product: | CloudBasic |
| Overall analysis duration: | 0h 10m 55s |
| Hypervisor based Inspection enabled: | false |
| Report type: | light |
| Sample file name: | Current-Status-062021-81197.xlsb |
| Cookbook file name: | defaultwindowsofficecookbook.jbs |
| Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
| Number of analysed new started processes analysed: | 22 |
| Number of new started drivers analysed: | 0 |
| Number of existing processes analysed: | 0 |
| Number of existing drivers analysed: | 0 |
| Number of injected processes analysed: | 0 |
| Technologies: |
|
| Analysis Mode: | default |
| Analysis stop reason: | Timeout |
| Detection: | MAL |
| Classification: | mal100.expl.evad.winXLSB@5/8@2/2 |
| EGA Information: |
|
| HDC Information: |
|
| HCA Information: | Failed |
| Cookbook Comments: |
|
| Warnings: | Show All
|
Simulations |
|---|
Behavior and APIs |
|---|
| Time | Type | Description |
|---|---|---|
| 20:30:52 | API Interceptor |
Joe Sandbox View / Context |
|---|
IPs |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 193.178.169.243 | Get hash | malicious | Browse | ||
| Get hash | malicious | Browse | |||
| Get hash | malicious | Browse | |||
| 95.142.44.93 | Get hash | malicious | Browse |
Domains |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| pigeonious.com | Get hash | malicious | Browse |
| |
| injuryless.com | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
ASN |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| VDSINA-ASRU | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| EUROBYTEEurobyteLLCMoscowRussiaRU | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
JA3 Fingerprints |
|---|
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | Browse |
| |
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
| ||
| Get hash | malicious | Browse |
|
Dropped Files |
|---|
Created / dropped Files |
|---|
| Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 511488 |
| Entropy (8bit): | 7.3404073760047375 |
| Encrypted: | false |
| SSDEEP: | 12288:cyLjvFCsHOFO7t8BmzXiDm/znL2wOhlYuGUoPavYWIJdvrQoDptkYIN:BLDFTHOF0anwGYuGDQ2vQoDk5N |
| MD5: | 526D56017EF5105277FE0D366C95C39D |
| SHA1: | 78A40D523F4B887B2383681FECE447EF911C24EF |
| SHA-256: | 28F2FA4F9AC95C3FC906E201B758D56C6A888B657DCF57C351A4F34FFB3E0FE2 |
| SHA-512: | F2DC53598455B422B6B53108E94229B0F5791AC25188F0ED73FB4BFF1DF018B745F1F73714E97CF4E1C52475473326C1C91DC6070D331080F1FAAF696D58841E |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Reputation: | low |
| Preview: |
|
| Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 134922 |
| Entropy (8bit): | 5.369119258003808 |
| Encrypted: | false |
| SSDEEP: | 1536:4cQIKNEeBXA3gBwlpQ9DQW+z7534ZliKWXboOilX5ENLWME9:gEQ9DQW+ziXOe |
| MD5: | 042D3F746892226A7BE71431B6635EBD |
| SHA1: | A171A408788DD9EE855D4C87E960E98CF4C43ED0 |
| SHA-256: | F0FF8798D6B5E8D85FADFF08F7A9974F0843DF23BE340F28B886C9E84F0BB6FC |
| SHA-512: | 9AAF01336D99A1754C9C1B5AB6AEA9402CC2FB9B821656FBF4FBDF8DD9912BB805526D6974AB4F650D293A2D33779B9C16BEAB621E404CE8EF2A29E7AD9F8E40 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 462772 |
| Entropy (8bit): | 7.968569347884841 |
| Encrypted: | false |
| SSDEEP: | 12288:yycQMfTEzs+VfqjROL5bgSj86X/5ARknBqrZsNAdee:yQMfYBVf1xBARkgaNyr |
| MD5: | 5D1C907B7A28ED91D8A704A7CE928FAF |
| SHA1: | FA56635F0C2A6D93DABE3E0636DADEAECDFCE804 |
| SHA-256: | AD72EF87E54764A13E87BBD446029F48D70114B120E6DA7025947B1D51554486 |
| SHA-512: | 52A22A801395A467AABC02B4C24236FCAC4197407FC0F5C4B0D9C79C8DFB9A5DD0D935C67A7730B7EBFCD80013967F392D48D6E697A09E684BCDC62F7DBB6376 |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
| File Type: | |
| Category: | downloaded |
| Size (bytes): | 511488 |
| Entropy (8bit): | 7.3404073760047375 |
| Encrypted: | false |
| SSDEEP: | 12288:cyLjvFCsHOFO7t8BmzXiDm/znL2wOhlYuGUoPavYWIJdvrQoDptkYIN:BLDFTHOF0anwGYuGDQ2vQoDk5N |
| MD5: | 526D56017EF5105277FE0D366C95C39D |
| SHA1: | 78A40D523F4B887B2383681FECE447EF911C24EF |
| SHA-256: | 28F2FA4F9AC95C3FC906E201B758D56C6A888B657DCF57C351A4F34FFB3E0FE2 |
| SHA-512: | F2DC53598455B422B6B53108E94229B0F5791AC25188F0ED73FB4BFF1DF018B745F1F73714E97CF4E1C52475473326C1C91DC6070D331080F1FAAF696D58841E |
| Malicious: | true |
| Antivirus: |
|
| Joe Sandbox View: |
|
| Reputation: | low |
| IE Cache URL: | https://pigeonious.com/img/logo.png |
| Preview: |
|
| Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 1041070 |
| Entropy (8bit): | 7.855884638864563 |
| Encrypted: | false |
| SSDEEP: | 12288:Qp4WH4vcCRa6p1RtTycQMfTEzs+VfqjROL5bgSj86X/5ARknBqrZsNAde5:O4vdRa6p1Rt/QMfYBVf1xBARkgaNys |
| MD5: | A6832F006ECA34E5E7495F7A3B5ADC6B |
| SHA1: | 801FE0D57B16BFF66056840CD47BEED33B4ABB5C |
| SHA-256: | 8DE78336A3BD486ABFE0B3DF88EFC9AD8BF2A64BF309C7107565F16BF838F757 |
| SHA-512: | F7CC6E711DB08682BF125388C1395696A9073A236BB8196647DA27A4B53F450373D3BC52A1EAFCDB017108845450A469FFA14E1859DA419FE18135E3C7FD0EBF |
| Malicious: | false |
| Reputation: | low |
| Preview: |
|
| Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 22 |
| Entropy (8bit): | 2.9808259362290785 |
| Encrypted: | false |
| SSDEEP: | 3:QAlX0Gn:QKn |
| MD5: | 7962B839183642D3CDC2F9CEBDBF85CE |
| SHA1: | 2BE8F6F309962ED367866F6E70668508BC814C2D |
| SHA-256: | 5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6 |
| SHA-512: | 2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342 |
| Malicious: | false |
| Reputation: | high, very likely benign file |
| Preview: |
|
| Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 165 |
| Entropy (8bit): | 1.6081032063576088 |
| Encrypted: | false |
| SSDEEP: | 3:RFXI6dtt:RJ1 |
| MD5: | 7AB76C81182111AC93ACF915CA8331D5 |
| SHA1: | 68B94B5D4C83A6FB415C8026AF61F3F8745E2559 |
| SHA-256: | 6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF |
| SHA-512: | A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7 |
| Malicious: | true |
| Reputation: | high, very likely benign file |
| Preview: |
|
| Process: | C:\Windows\SysWOW64\wbem\WMIC.exe |
| File Type: | |
| Category: | dropped |
| Size (bytes): | 160 |
| Entropy (8bit): | 5.083203110114614 |
| Encrypted: | false |
| SSDEEP: | 3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1Mgjd330qJQAiveyzr:Yw7gJGWMXJXKSOdYiygKkXe/eg1deAin |
| MD5: | C62814DB19512E50685CCD10C45F4557 |
| SHA1: | 91CB5A204B91F9F81D791B07AACBE4CB2A79CC85 |
| SHA-256: | FBDC5DD1D2DA5FEACF83F4FF1781A49DEDA141E18E33326B92B66D8D49C6725F |
| SHA-512: | 7608BF46F85343150B8B4BD37FD994EEE0CE3D61BF5613A8D1DD3C93DD2B11E63190D419140DFE5A7AFED08E88C8B3C592E5241E4C048E6D670747A522B1D4FD |
| Malicious: | false |
| Preview: |
|
Static File Info |
|---|
General | |
|---|---|
| File type: | |
| Entropy (8bit): | 7.994144310692157 |
| TrID: |
|
| File name: | Current-Status-062021-81197.xlsb |
| File size: | 468533 |
| MD5: | 1ac719c744d22f42e4978e7b55828435 |
| SHA1: | 4ddc7358f615987bf92ed9192430693db65b097c |
| SHA256: | d9be275feff4b3383821b1483ba93424fb27aa40e138da41a91511193d9538cb |
| SHA512: | 736bcf96ca99c893c535c555133a092400e1dbc5f5143500d152c537bccc9d3faf7d541b3b11be82b68bbf4c7a1528c5fa3b45394d5b2b958c4d1d4d024e7d22 |
| SSDEEP: | 12288:ag+iWCVTHlJFnI6TDEeTSH/NJDjXcXdeanuxZ2:4iVVTHxNcoSJDK1nuxA |
| File Content Preview: | PK...........R................docProps/PK..........!.,...............docProps/app.xml.S.N.0.....`.N...Zu.#T.XQ.....u&.EbG.......m.ZNp{3o........"-8....x.Q.F.\.ML......x.&..5...xz-...Kg.p... a|LK.f..W%....m.SXWK...0[.Z..U.5.d.Qt.`.`r./.^..)N[..hn.....vM... |
File Icon |
|---|
 | |
| Icon Hash: | 74f0d0d2c6d6d0f4 |
Static OLE Info |
|---|
General | ||
|---|---|---|
| Document Type: | OpenXML | |
| Number of OLE Files: | 1 | |
OLE File "Current-Status-062021-81197.xlsb" |
|---|
Indicators | |
|---|---|
| Has Summary Info: | |
| Application Name: | |
| Encrypted Document: | |
| Contains Word Document Stream: | |
| Contains Workbook/Book Stream: | |
| Contains PowerPoint Document Stream: | |
| Contains Visio Document Stream: | |
| Contains ObjectPool Stream: | |
| Flash Objects Count: | |
| Contains VBA Macros: | |
Macro 4.0 Code |
|---|
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library NodeNetwork Behavior |
|---|
Network Port Distribution |
|---|
TCP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jun 10, 2021 20:30:50.656872988 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:50.735166073 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.736341953 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:50.736397028 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:50.814826012 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.814945936 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.814997911 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.815037012 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.815064907 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.815098047 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:50.815139055 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:50.815151930 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:50.816432953 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.817647934 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:50.830462933 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:50.909135103 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.909990072 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:50.910018921 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:50.988725901 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.988765955 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.988782883 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.988800049 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.988817930 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.988842964 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.988866091 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.988888025 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.988903046 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:50.988912106 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.988934994 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:50.988936901 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.988950968 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:50.989264965 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067203045 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067236900 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067260981 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067274094 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067286015 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067308903 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067311049 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067337990 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067342997 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067352057 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067358017 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067363977 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067377090 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067389011 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067404985 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067413092 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067440033 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067456007 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067465067 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067481995 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067490101 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067514896 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067539930 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067542076 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067553997 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067562103 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067569971 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067586899 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067595005 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067610025 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067617893 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067629099 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067645073 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067660093 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067672968 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067697048 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.067706108 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067724943 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.067734957 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.145869017 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.145936966 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.145956993 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.145986080 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.145993948 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.146038055 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.146055937 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.146079063 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.146085978 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.146117926 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.146135092 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.146159887 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.146181107 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.146198988 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.146203995 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.146248102 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.146251917 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.146291971 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.146305084 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.146333933 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.146348953 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.146374941 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.146390915 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.146415949 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.146434069 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.146455050 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.146466970 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
| Jun 10, 2021 20:30:51.146495104 CEST | 443 | 49734 | 95.142.44.93 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.146512032 CEST | 49734 | 443 | 192.168.2.4 | 95.142.44.93 |
UDP Packets |
|---|
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jun 10, 2021 20:30:34.206564903 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:34.265006065 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:36.034472942 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:36.094928980 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:36.527556896 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:36.579847097 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:37.512619972 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:37.565578938 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:38.587871075 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:38.640319109 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:39.676168919 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:39.729420900 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:43.873945951 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:43.926970005 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:45.612584114 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:45.663584948 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:46.848140001 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:46.941303015 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:47.008368969 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:47.061393023 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:47.385363102 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:47.463027000 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:48.405050993 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:48.463570118 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:49.474627018 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:49.547060013 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.261271954 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:50.311780930 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:50.593030930 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:50.654596090 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.202831030 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:51.262556076 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:51.513902903 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:51.572402000 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:52.146414995 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:52.196537971 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:53.110058069 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:53.168947935 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:53.953429937 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:54.003418922 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:54.151655912 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:54.212208986 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:55.563076019 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:55.622031927 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:58.565296888 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:58.615401983 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:30:59.352473021 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:30:59.405525923 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:31:00.807920933 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:31:00.858035088 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:31:01.786041021 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:31:01.839013100 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:31:02.582092047 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:31:02.635498047 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:31:05.022397041 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:31:05.084589005 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:31:28.078067064 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:31:28.155484915 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:31:44.279566050 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:31:44.342488050 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:32:02.298568010 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:32:02.362150908 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:32:18.171941042 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:32:18.308784962 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:32:19.322381973 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:32:19.384074926 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:32:20.658437967 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:32:20.725275040 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:32:21.333220959 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:32:21.402667046 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:32:21.532211065 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:32:21.592154980 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:32:22.647661924 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:32:22.706135035 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:32:23.740199089 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:32:23.885641098 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:32:24.785346031 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:32:24.845444918 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:32:26.169083118 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:32:26.227855921 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:32:27.690294981 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:32:27.750433922 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:32:28.589855909 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:32:28.648789883 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:32:39.751075983 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:32:39.820959091 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:32:42.083051920 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:32:42.149908066 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:35:24.917782068 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:35:24.996901989 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:35:25.490921974 CEST | 50904 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:35:25.565099001 CEST | 53 | 50904 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:35:31.229485989 CEST | 57525 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:35:31.299700975 CEST | 53 | 57525 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:35:35.154139042 CEST | 53814 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:35:35.204423904 CEST | 53 | 53814 | 8.8.8.8 | 192.168.2.4 |
| Jun 10, 2021 20:35:35.470817089 CEST | 53418 | 53 | 192.168.2.4 | 8.8.8.8 |
| Jun 10, 2021 20:35:35.539988041 CEST | 53 | 53418 | 8.8.8.8 | 192.168.2.4 |
DNS Queries |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Jun 10, 2021 20:30:50.593030930 CEST | 192.168.2.4 | 8.8.8.8 | 0xf09c | Standard query (0) | A (IP address) | IN (0x0001) | |
| Jun 10, 2021 20:30:54.151655912 CEST | 192.168.2.4 | 8.8.8.8 | 0xc717 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
|---|
| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Jun 10, 2021 20:30:50.654596090 CEST | 8.8.8.8 | 192.168.2.4 | 0xf09c | No error (0) | 95.142.44.93 | A (IP address) | IN (0x0001) | ||
| Jun 10, 2021 20:30:54.212208986 CEST | 8.8.8.8 | 192.168.2.4 | 0xc717 | No error (0) | 193.178.169.243 | A (IP address) | IN (0x0001) | ||
| Jun 10, 2021 20:35:24.996901989 CEST | 8.8.8.8 | 192.168.2.4 | 0x725c | No error (0) | www.tm.a.prd.aadg.akadns.net | CNAME (Canonical name) | IN (0x0001) |
HTTPS Packets |
|---|
| Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
|---|---|---|---|---|---|---|---|---|---|---|
| Jun 10, 2021 20:30:50.816432953 CEST | 95.142.44.93 | 443 | 192.168.2.4 | 49734 | CN=pigeonious.com CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co. | Tue Jun 08 15:19:13 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021 | Mon Sep 06 15:19:13 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19 |
| CN=R3, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Fri Sep 04 02:00:00 CEST 2020 | Mon Sep 15 18:00:00 CEST 2025 | |||||||
| CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Jan 20 20:14:03 CET 2021 | Mon Sep 30 20:14:03 CEST 2024 | |||||||
| Jun 10, 2021 20:30:54.346164942 CEST | 193.178.169.243 | 443 | 192.168.2.4 | 49739 | CN=injuryless.com CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co. | Thu May 27 15:42:29 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021 | Wed Aug 25 15:42:29 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19 |
| CN=R3, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Fri Sep 04 02:00:00 CEST 2020 | Mon Sep 15 18:00:00 CEST 2025 | |||||||
| CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Jan 20 20:14:03 CET 2021 | Mon Sep 30 20:14:03 CEST 2024 |
Code Manipulations |
|---|
Statistics |
|---|
Behavior |
|---|
Click to jump to process
System Behavior |
|---|
General |
|---|
| Start time: | 20:30:45 |
| Start date: | 10/06/2021 |
| Path: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x1150000 |
| File size: | 27110184 bytes |
| MD5 hash: | 5D6638F2C8F8571C593999C58866007E |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 20:30:51 |
| Start date: | 10/06/2021 |
| Path: | C:\Windows\SysWOW64\wbem\WMIC.exe |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x60000 |
| File size: | 391680 bytes |
| MD5 hash: | 79A01FCD1C8166C5642F37D1E0FB7BA8 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | moderate |
General |
|---|
| Start time: | 20:30:51 |
| Start date: | 10/06/2021 |
| Path: | C:\Windows\System32\conhost.exe |
| Wow64 process (32bit): | false |
| Commandline: | |
| Imagebase: | 0x7ff724c50000 |
| File size: | 625664 bytes |
| MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Reputation: | high |
General |
|---|
| Start time: | 20:30:52 |
| Start date: | 10/06/2021 |
| Path: | C:\Users\Public\SettingSyncHost |
| Wow64 process (32bit): | true |
| Commandline: | |
| Imagebase: | 0x390000 |
| File size: | 511488 bytes |
| MD5 hash: | 526D56017EF5105277FE0D366C95C39D |
| Has elevated privileges: | true |
| Has administrator privileges: | true |
| Programmed in: | C, C++ or other language |
| Antivirus matches: |
|
| Reputation: | low |
Disassembly |
|---|
Code Analysis |
|---|